IT Security Blog | Rivial Security

Executives Don't Care About Vanity Metrics

Written by Randy Lindberg | 22 Feb 2023

What is the best way to improve your relationship with executives and the Board?

The quickest and easiest way to improve your relationship with executives is to stop reporting vanity metrics!

A great example of a vanity metric is something like the number of spam emails blocked by some device or cloud solution. Admittedly, back in the mid to late 2000s, I too reported this metric. I did it because my predecessor had done it.

As the cybersecurity manager, I looked at the number of blocked spam emails regularly because it was potentially an indicator that a) the solution was still working as planned, or b) the number had increased dramatically and the organization was being targeted.

But the spam messages metric is not helpful to executives because the metric has no bearing on any decisions they have to make. No usefulness. The metric only takes up space in their mind, which is already full of massive amounts of information. 



What, then, should be reported?

Metrics and measures that provide context for decision making. 

For example, if the latest update to the risk assessment — because you’re hopefully doing real-time risk updates — shows a system moving outside of the organization’s risk tolerance, a decision needs to be made regarding how to deal with the risk.

So the report would include the risk rating, the reason for the rating change, and a recommendation on managing the risk.

Providing the right information to facilitate an executive decision will show you understand the Board’s needs and respect their business-oriented perspective. They will appreciate you making their job easier.

You will be more respected as a partner to the business and, consequently, get more of the budget you need to successfully operate a solid cybersecurity program.

Rethink your cybersecurity report by putting yourself in a business person’s shoes. Perhaps I have a slight advantage over some CISOs because I happen to own a business and have to balance both hats (cybersecurity and business) on my head most days. But several years ago, I was tired of the reports we as an industry typically generated. I threw out our existing “Board Report” we delivered to clients, and started from scratch with the business owners in mind.

The results have been incredible. Clients love the information in the report. Boards love the business-friendly format. Auditors love the breadth and impact of items covered. 

Get your free template here and good luck!