Organisations worldwide are failing to provide cybersecurity metrics that effectively serve their boards, executives and operational teams, with the rapid emergence of AI significantly widening this reporting gap.
According to technology intelligence firm IDC, cyber risk has evolved from a purely operational concern into an existential business risk that can shut down entire companies.
While regulatory frameworks such as DORA, NIS2 and SEC disclosure rules now hold boards directly accountable for risk and compliance, the tools used to communicate cybersecurity health remain fundamentally misaligned with the audiences that need to act on them.
In a recently-published report, the company stated that cybersecurity as a discipline matured in reverse, with tactics built first and strategy often ignored, leading to a persistent mismatch between what security teams produce and what governance leaders actually require.
“The data-driven cybersecurity metrics framework was written specifically to deal with that problem in a way that lets the CISO, executives and board members communicate in a language both understand,” the report expalined.
When metrics are misaligned, board meetings often devolve into technical data dumps, forcing executives to decode minutiae rather than engaging in meaningful risk dialogue.
The rise of AI has added two urgent dimensions to this unsolved problem, including the use of AI as an adversarial weapon for phishing and deepfakes, and the risks associated with ungoverned internal AI deployments.
Data-driven metrics must serve specific audiences by telling a coherent story calibrated to each stakeholder’s role, accountability and risk exposure.
IDC recommends a three-tier structure consisting of governance metrics for the board, managerial metrics for business leaders and operational metrics for functional security teams.
Effective metrics must be outcome-driven rather than focused on activity volume, framed in financial or operational terms, and must now incorporate AI-specific risk intelligence alongside traditional data.
Building these metrics requires a structured process that begins with understanding business risks and involves cross-functional engagement from legal, audit, compliance and AI governance officers.
Cybersecurity leaders must own the recommendation, but the ultimate risk decision belongs to the business owner, meaning the role of the security team is to build a narrative that enables confident decision-making.
As AI deployments grow, organisations must continuously monitor for model drift and explicitly embed governance, including mandatory preproduction risk assessments and human review standards for high-risk decisions.
Click here to change your cookie preferences