For three years, I reported a metric I was proud of.
Mean time to detect: under four hours. Trending down every quarter. Better than industry average.
Then a board member asked a question I wasn't ready for.
"What does that mean for the business?"
I gave him the context. The benchmarks. The trend line. He nodded and moved on.
After the meeting, a peer told me what he'd said on the way out.
"I still don't know if we're safe."
I had answered a different question than the one he was asking. He wasn't asking about detection speed. He was asking about exposure: what it costs if something goes wrong.
Mean time to detect is not a board metric.
It measures how quickly we find a problem. The board needs to know what happens to the business if we find it four hours in versus four minutes in. That is a different number.
I rebuilt the entire reporting framework after that conversation. Not because the metrics were wrong. Because they were answering a question nobody in that room was actually asking.
The three metrics a board actually cares about: risk as financial exposure, not percentage improvement. Recovery capacity, not recovery time. Program resilience, not program activity.
Tomorrow: the specific metrics that translate, and the ones that don't, with a before/after translation table.
The Board Doesn't Care About Your Metrics: https://lnkd.in/gFphR8tz
Thursday 5:30 PM CST (Central Standard Time): The Fast CISO (Chief Information Security Officer) Issue #21, Security Metrics Translation Framework, including a complete board-ready metrics mapping worksheet. Subscribe: https://lnkd.in/gKv_jyAy
When you present security metrics to your board, what's the most common reaction?
A) They engage and ask follow-up questions
B) They nod and move on; I'm not sure they understood
C) They ask me to simplify: "what does this actually mean?"
D) They've stopped asking about metrics and started asking about outcomes
#CISO #SecurityLeadership #CyberSecurity #BoardCommunication
Adrian S. Jun 1