The Board Is Asking The Wrong Security Question
Cyber Defense Magazine, Wednesday, May 13th, 2026
Boards should focus on exploitability and business risk rather than vulnerability volume metrics.
The article argues that boards are receiving the wrong cybersecurity metrics, focusing on volume-based indicators like blocked pings rather than actual business exposure and risk. Author Dharmesh Acharya contends that only 8% of directors view security as strategic despite $10.5 trillion in cybercrime costs, and that the disconnect stems from technical jargon rather than business-aligned reporting.
He advocates shifting from measuring vulnerability counts to measuring exploitability which vulnerabilities can actually be attacked and modernizing security discussions to match the speed of development cycles. The piece emphasizes that boards should ask about real attack paths, threat detection speed, and actual risk reduction rather than security activity levels.