The board wants security 'metrics.' Which is most meaningful to report?
Short answer
Board-level metrics should connect to risk and outcomes: detection and response times (MTTD/MTTR), patching-SLA adherence on critical systems, control coverage, and how residual risk trends against appetite. The number of attacks blocked by the firewall, antivirus signature counts, and total emails received are vanity numbers — they sound impressive but tell leadership nothing about whether risk is going down. The board governs risk, so metrics must let them see the trend and decide.
Boards don't want to admire activity; they want to know whether cyber risk is under control and trending the right way. The scenario tests whether a CISO can distinguish outcome metrics that inform governance from vanity metrics that merely look busy.
Why risk-oriented measures are correct
Good board metrics answer "are we getting better at managing risk?" That means mean time to detect (MTTD) and mean time to respond (MTTR) — how fast you find and contain incidents; patch-SLA compliance on critical assets — whether your most important systems are remediated within agreed windows; control coverage — what fraction of your estate is actually protected by key controls; and the trend of residual risk versus the board's risk appetite. Each is a number leadership can act on: fund, accept, or push. They show direction over time, not a snapshot of effort.
Why the distractors fail
- Attacks blocked by the firewall. A huge number that means almost nothing — the internet is noisy, and "blocked" attacks are mostly automated background scanning. It doesn't tell the board whether real risk is down.
- Antivirus signatures updated. This measures a vendor's release cadence, not your security posture. It's pure activity, not outcome.
- Total emails received. Completely disconnected from risk. It's a volume statistic with no decision attached.
What the interviewer is probing
They want you to grasp that a metric is only useful if the board can make a decision from it. MTTD/MTTR, patch SLAs, and control coverage tie directly to risk and let leadership govern; "attacks blocked" and signature counts are theater that inflate confidence without informing it. The weak candidate reaches for the big, impressive-sounding number — which is exactly the trap: it looks like reporting but communicates no risk and no trend the board can steer by.
Likely follow-ups
- Why is MTTD/MTTR more board-relevant than a count of blocked attacks?
- How would you show a metric trending against risk appetite on a single slide?
- What's the danger of reporting vanity metrics to a board over time?