• Why traditional metrics are giving CISOs a false sense of security

    From TechnologyDaily@1337:1/100 to All on Friday, April 03, 2026 15:30:45
    Why traditional metrics are giving CISOs a false sense of security

    Date:
    Fri, 03 Apr 2026 14:19:42 +0000

    Description:
    Counting scans and alerts isnt security progressit's masking unresolved vulnerabilities and rising cyber risk.

    FULL STORY ======================================================================
    The rising threat of cyberattacks has cranked up the pressure for CISOs right at the heart of business resilience. But
    their job has become all the more difficult.

    Our research found that 50% of organizations now carry critical security
    debt, meaning they have software vulnerabilities that have been left unresolved for longer than a year. That's an open invitation for cyber criminals and requires a comprehensive, long-term application risk management strategy to fix it. Yet most organizations still equate more scans with
    better security.

    Sohail Iqbal, CISO at Veracode

    This assumption is creating serious security gaps,
    especially across software supply chains and CI/CD pipelines.

    The fact is, not only do traditional security KPIs not measure real security efficacy, they also create a false sense of progress. Recent pipeline and dependency compromises, like the Shai-Hulud supply chain wormware campaign, are a good example of why high scan volume alone does little to prevent breaches.

    CISOs need to refocus. The most important metrics measure vulnerability backlogs, undetected attacker dwell time, and existing security controls with proven ability to mitigate real-world threats, not just theoretical risk. Ultimately, depth and validation matter far more than breadth.

    Why volume-based security KPIs fail CISOs and boards alike

    Measuring against volume-based KPIs, like the number of scans run, vulnerabilities found and alerts generated, only tracks the effort put into security, not the actual outcome. These traditional KPIs tell you how much security activity is taking place, but not whether it is stopping anything meaningful.

    For example, a scan finding 10,000 low impact issues might look productive on a dashboard, but at the same time a single exploitable dependency might have been untouched for months, presenting a critical, unresolved security risk.

    Board members and the C-suite see rising KPI numbers and automatically assume strengthened protection when, in fact, it could be quite the opposite. This blurred measurement line skews the reality of how security teams are tackling security risk.

    These industry-wide tropes are inadvertently rewarding security teams for generating noise but not reducing actual risk. And with the average fix time for security flaws rising from 171 days to 252 days over the past five years, the delay to remediation quietly backlogs security risks.

    Those vulnerabilities hidden in the depths of the supply chain and pipeline are a ticking time bomb.

    With security teams already stretched and struggling to find the capacity for finding and fixing vulnerabilities, these outdated metrics encourage a
    culture where security teams and CISOs look on top of it, right up until an old, known flaw gets exploited, at which point it could be too late.

    Pipeline compromise and dependency risk have made point-in-time scanning obsolete

    With the rapid pace of technological advancement and the apparent rise in successful cyberattacks, point-in-time scanning is now inadequate. It overlooks critical time factors, such as the mean time to remediate or the duration an attacker can operate undetected, which are precisely what attackers exploit.

    Modern attacks happen in the gap between scans, with security snapshots
    unable to catch moving targets. For CI/CD pipelines, they are obsolete. Code changes multiple times a day and dependencies update automatically.

    And nowadays, an attacker doesn't even need to evade a scan. They just wait
    for the next build, commit, or dependency pull and, by the time the scan report is read, the environment it assessed no longer exists.

    Scanners traditionally inspect source or binaries, but not the inner workings of the build process, meaning a malicious build step can inject code after a scan has passed.

    This happened with the infamous SolarWinds Orion attack, which compromised thousands of organizations (including US government agencies) back in 2020, injecting malicious code into software updates that were then distributed to unsuspecting customers.

    If the build is already poisoned, then the scan is irrelevant.

    What CISOs need to prioritize this year

    As cyber risk increases and hackers become more sophisticated, balancing the challenges associated with assessing risk and proving the value of application security is becoming more of a minefield for CISOs. They need metrics that security teams can prioritize and that better reflect real application and supply-chain security risk.

    These include the backlog reduction of exploitable flaws, the time it takes
    to fix critical issues in production, and evidence that the fixes actually work, rather than just a scan. The shift isn't from less measurement to more measurement. It's from counting security activity to measuring true exposure and business resilience.
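    The contrast the article draws (a dashboard full of closed low-impact findings while one exploitable dependency sits untouched for months) can be made concrete by computing both kinds of metric over the same findings. The script below is an added illustration, not code from the article or from Veracode; the findings list and the as-of date are constructed, and the field names and the one-year security-debt threshold are assumptions taken from the article's definitions.

```python
# Added example: volume KPI vs outcome metrics over constructed scanner findings.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    component: str
    severity: str             # "critical", "high", "medium" or "low"
    exploitable: bool         # known-exploitable in this environment
    opened: date
    fixed: Optional[date]     # None while the finding is still open
    fix_verified: bool = False  # a retest confirmed the fix actually works

TODAY = date(2026, 4, 3)  # constructed as-of date for the report

def volume_kpi(findings):
    """What a volume dashboard shows: how many issues the scans produced."""
    return len(findings)

def security_debt(findings, as_of=TODAY, threshold_days=365):
    """Open findings unresolved for longer than a year (the article's definition)."""
    return [f for f in findings
            if f.fixed is None and (as_of - f.opened).days > threshold_days]

def exploitable_backlog(findings):
    """Open findings that are actually exploitable, regardless of how many scans ran."""
    return [f for f in findings if f.fixed is None and f.exploitable]

def mean_time_to_remediate(findings, severity="critical"):
    """Average days from discovery to fix for closed findings of one severity."""
    days = [(f.fixed - f.opened).days
            for f in findings if f.fixed and f.severity == severity]
    return sum(days) / len(days) if days else None

def verified_fix_rate(findings):
    """Share of closed findings whose fix was confirmed by a retest."""
    closed = [f for f in findings if f.fixed]
    return sum(f.fix_verified for f in closed) / len(closed) if closed else None

# Constructed data: 10,000 low-impact findings closed within two days, one exploitable
# dependency open since early 2025, and one critical fix that was never retested.
SAMPLE = [Finding(f"lib-{i}", "low", False, date(2026, 3, 1), date(2026, 3, 3), True)
          for i in range(10_000)]
SAMPLE.append(Finding("vulnerable-dependency", "critical", True, date(2025, 1, 15), None))
SAMPLE.append(Finding("auth-service", "critical", True, date(2026, 1, 1), date(2026, 2, 10)))

def report(findings=SAMPLE):
    return {"findings_counted": volume_kpi(findings),
            "security_debt_items": len(security_debt(findings)),
            "exploitable_open": len(exploitable_backlog(findings)),
            "critical_mttr_days": mean_time_to_remediate(findings),
            "verified_fix_rate": verified_fix_rate(findings)}
```

    On this data the volume KPI reports over ten thousand findings handled, while the outcome metrics show one year-old exploitable item still open and a critical fix that was never validated.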

    Ultimately, security metrics should tell leadership how much risk has been removed and how quickly systems are back to normal, not how hard the security team worked to find it. This change in positioning will help us all become better equipped to properly defend against risk. This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and
    brightest minds in the technology industry today. The views expressed here
    are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro



    ======================================================================
    Link to news story: https://www.techradar.com/pro/why-traditional-metrics-are-giving-cisos-a-false-sense-of-security


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)