
Why ‘Good Enough’ Security Is Dead.

Pavels Gurskis
April 21, 2025

The Wake-Up Call

It started with a blinking light.

On a quiet Friday afternoon, just after 4 p.m., the network team at a mid-sized U.S. manufacturer noticed something odd—one of their production systems had dropped offline. Within the hour, more anomalies cropped up: files inaccessible, unexpected reboots, a surge in outbound traffic. By 6 p.m., ransomware had silently propagated across the company’s network, encrypting ERP systems and halting three of five plants. But nobody knew the full scale—yet.

Monday morning, the CEO called an emergency board meeting. The news was grim: all production was offline, customer orders were delayed, and the IT team was scrambling through outdated backups and old incident response playbooks. Within days, the company faced multimillion-dollar losses, reputation damage, and a hostile press cycle. The root cause? A single unpatched system and an MFA policy that applied “only to sensitive users.”

Sound extreme? It’s not. It’s a composite story, built from real breach cases. And if it feels familiar, it’s because it’s happening more often than you think.

“Good Enough” Isn’t Good Enough Anymore

There’s a quiet, well-meaning assumption in many boardrooms: that basic cyber hygiene is enough. Patching quarterly. MFA for the finance team and IT admins. Maybe a penetration test every couple of years. It’s the “good-enough” model—spend just enough to tick the boxes, avoid headlines, and focus on growth.

You might even hear arguments like:

“Perfect security is impossible, and trying to get there just slows the business down.”

There’s truth to that sentiment. You can’t eliminate all risk. But here’s the math that stops that argument cold:

According to IBM’s 2024 Cost of a Data Breach report, the average breach now costs just under $5 million (USD 4.88 M, to be exact). That includes downtime, remediation, regulatory fines, and long-term reputational impact.

Now stack that against what the average mid-market company actually spends on security annually: about $1.8 million.

Let’s pause and absorb that. If your cyber budget is less than 40% of a single breach, you’re not hedging risk—you’re gambling the company.

It’s Not a Tax. It’s Insurance for Productivity.

Here’s the reframing we need to start bringing into the boardroom: security is not just an overhead—it’s insurance for uptime.

That $1.8 million security budget? It doesn’t just protect data—it preserves your ability to ship product, make payroll, and serve customers. A breach, on the other hand, doesn’t just create IT chaos. It halts operations. It turns your supply chain into a liability. It turns your customers into skeptics.

You wouldn’t skip fire insurance on your warehouse. So why run your digital business without coverage that actually protects your operational backbone?

Sanity Check

If your cyber budget is less than 40% of one breach, you’re not managing risk—you’re gambling the company. Take 15 minutes this week to compare your annual security spend with IBM’s breach average. If you’re below the threshold, it’s time for a serious conversation.

Three Myths That Keep Boards Up at Night

Think back. When was the last time you personally asked: “Have we tested our backups lately?”

If you can’t remember—or if the answer involves an awkward silence—you’re not alone. I’ve been in dozens of boardrooms where cyber risk felt like someone else’s problem. Until it wasn’t.

In many cases, it’s not lack of care. It’s misplaced confidence—built on myths that feel comforting, until reality intervenes.

Let’s unpack the three most dangerous ones.

Myth #1: “We’re too small to be a target.”

You hear this one a lot in mid-market and regional firms. The logic goes: attackers want big fish—global banks, defense contractors, household-name retailers. We’re under the radar.

Unfortunately, the data disagrees.

Verizon’s 2024 Data Breach Investigations Report recorded over 10,000 breaches across 94 countries—and the common thread wasn’t company size. It was weak controls. Small companies often have fewer security resources, slower patch cycles, and aging infrastructure. In other words, they’re easier marks.

“Why rob a bank,” one ransomware gang leader quipped in an interview, “when small companies don’t even change the vault code?”

Myth #2: “Compliance means we’re secure.”

This one is trickier—because on the surface, it sounds responsible. You meet regulatory obligations. You pass audits. You fill out the checkboxes.

But here’s the uncomfortable truth: compliance ≠ security.

According to the same Verizon report, even in highly regulated industries, the median time to patch 50% of critical vulnerabilities is still 55 days. That’s nearly two months of open season for attackers who are scanning for known weaknesses.

Compliance frameworks are important. But they’re designed for accountability—not real-time protection. A company can pass its compliance audit and still be days away from disaster.

Myth #3: “Cyber insurance will cover it.”

Here’s where many execs get a false sense of safety. Yes, insurance is a smart part of your cyber strategy. But too many assume it’s a financial get-out-of-jail-free card.

It’s not.

Most modern cyber policies come with strict exclusions—particularly around basic hygiene. If your systems weren’t patched, your MFA wasn’t enforced, or your backups weren’t tested? Your claim might be denied. And even when coverage kicks in, business interruption caps often fall far short of total loss.

I once reviewed a policy where ransomware cleanup was covered—but the $2.5 million in lost revenue from a 12-day outage? Not a dime reimbursed.

Snapshot: From Myth to Monday Action

  • Myth: “We’re too small to be a target.”

    • Red Flag: No recent backup test; recovery plan assumes “it’ll just work.”
    • Ask Your Team: “When did we last run a full restore from backup—and did it actually work?”
    • Quick Win: Agree on a deadline for a recovery test of your single most critical system. Email your CIO now.

  • Myth: “Compliance = security.”

    • Red Flag: Audit-driven patching; no real-time risk metrics.
    • Ask Your Team: “How quickly do we patch our top 10 vulnerabilities?”

  • Myth: “Cyber insurance will cover the damage.”

    • Red Flag: No legal review of policy exclusions; untested backup plans.
    • Ask Your Team: “When did we last rehearse our ransomware response?”

A myth believed is a risk unmanaged. Challenge each one in your next risk committee meeting—and don’t leave the room without a next step.

Your 90-Day Resilience Sprint

What if your breach story ended in a single Slack message?

“Blocked. No impact.”

That’s the outcome we want. Not headlines, not recovery plans. Just a near miss. And the difference between that and a front-page crisis? It’s not a bigger budget. It’s execution—in 90 days.

If you’re a board member or executive, you don’t need every technical detail. But you do need to know three things are happening now, not in next year’s roadmap.

Here’s your fast lane.

The Sprint: Three Executable Priorities

These aren’t theory. They’re battle-tested plays you can drive into execution with one meeting, one budget unlock, and one weekly check-in.

1. Lock Down Identity (Weeks 1–4)

Goal: No one logs in without strong proof.

  • Enforce MFA on every account—yes, even interns.
  • Admins get hardware tokens or passkeys.
  • Kill legacy protocols (e.g. IMAP, SMBv1) that bypass modern auth.

Why it matters: Over 80% of breaches start with stolen or weak credentials. This closes the front door—fast.

2. See Every Asset (Weeks 2–6)

Goal: No more “unknown unknowns.”

  • Run passive discovery on your internal network and cloud services.
  • Inventory third-party apps, VPNs, forgotten SaaS, exposed test servers.
  • Tag anything externally accessible or storing sensitive data.

Why it matters: If you can’t see it, you can’t secure it. Most breaches exploit shadow IT or orphaned systems.

3. Patch by Risk, Not Routine (Weeks 3–12)

Goal: Critical systems can’t stay exposed.

  • Prioritize: internet-facing, admin-access, or business-critical = patch in 7 days.
  • Tie patch cycles to ops calendars to avoid surprises.
  • Track progress visibly—one dashboard, updated weekly.

Why it matters: 55 days is the industry median to patch 50% of critical vulns. That’s attacker paradise.

A Simpler Way to Track It All

You don’t need a new platform to drive this. Just a shared tracker with:

  • Owner
  • Start Date
  • Blockers
  • Status (Red / Amber / Green)

Ask your CIO or CISO to walk the board through it every other Friday. The right version fits on one slide.

Your move?

The breach story you never hear about? That’s the one where security leadership had 90 days, clear ownership, and your backing.

Make sure three questions get answered this week:

  1. Who owns MFA enforcement, and when is rollout done?
  2. Do we have a complete, current asset inventory?
  3. What’s our patch SLA for critical systems—and are we hitting it?

Measuring Success Without Vanity Metrics

If the only thing you track is blocked attacks, you’re measuring the weather—not the climate.

A spike in alerts? Could be noise. A drop in incidents? Could be luck. What leaders need isn’t a feel-good number—it’s a trusted scoreboard that reflects real risk posture.

And here’s the trick: the best metrics aren’t flashy. They’re boring, baseline, and brutally revealing. But they give you what matters most—trend visibility and accountability.

Let’s walk through the five metrics your board should care about, and why they’re the opposite of vanity.

The Five That Matter

  1. Median Time to Patch Critical CVEs (days)

    CVE, which stands for Common Vulnerabilities and Exposures, is a publicly accessible list of known security vulnerabilities in software and hardware.

    • Why it matters: The longer a known vulnerability stays open, the greater the window for attack.
    • Watch for: Anything over 7 days on external-facing or privileged systems is unacceptable.
  2. MFA Coverage (% of workforce)

    • Why it matters: MFA is still the cheapest, most effective block against credential-based attacks.
    • Watch for: Any user segment (contractors, interns, SaaS logins) excluded from rollout.
  3. Mean Time to Detect (MTTD)

    MTTD, or Mean Time to Detect, is the average time it takes for a team or system to discover a security incident or fault.

    • Why it matters: If it takes you a week to notice something’s wrong, the damage is already done.
    • Watch for: Inflated “average” numbers—ask for median detection times by attack type.
  4. High-Risk Third-Party Exposure (# of vendors without completed security questionnaires)

    • Why it matters: Attackers often go through your weakest link—and that’s usually a vendor.
    • Watch for: Shadow IT and unmanaged SaaS platforms without any vendor due diligence.
  5. Tabletop Exercise Frequency (per year)

    • Why it matters: Simulations surface gaps you don’t want to find mid-crisis.
    • Watch for: Exercises that don’t include business leaders—crisis is cross-functional.

Making Metrics Work

These aren’t “set and forget” numbers. You need to report them consistently, update them quarterly, and tie them to actual business decisions.

A simple color-coded dashboard (Red / Amber / Green) can help your board stay grounded:

Metric                          🔴 Red        🟠 Amber       🟢 Green
Patch Time (Critical CVEs)      >14 days      7–14 days      ≤7 days
MFA Coverage                    <80%          80–95%         95–100%
Mean Time to Detect (MTTD)      >7 days       2–7 days       <2 days
3rd-Party Exposure (Unvetted)   >10 vendors   4–10 vendors   0–3 vendors
Tabletop Exercises (per year)   0–1           2              3+

Even better? Publish this in every board pack. No fluff. Just these five.
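To make the scoreboard concrete, here is an added Python example (not code from the original article) that scores constructed sample data against the table’s thresholds. It assumes boundary values (exactly 7 days, exactly 80%) take the better colour, which the table leaves unstated, and uses placeholder CVE ids plus hand-entered MTTD, unvetted-vendor and tabletop counts.

```python
from datetime import date
from statistics import median

# Thresholds from the article's Red / Amber / Green table: (green_test, amber_test);
# a value failing both is Red. Boundaries go to the better colour (an assumption).
BANDS = {
    "patch_days":       (lambda v: v <= 7,  lambda v: v <= 14),
    "mfa_pct":          (lambda v: v >= 95, lambda v: v >= 80),
    "mttd_days":        (lambda v: v < 2,   lambda v: v <= 7),
    "unvetted_vendors": (lambda v: v <= 3,  lambda v: v <= 10),
    "tabletops":        (lambda v: v >= 3,  lambda v: v == 2),
}

def rag(metric, value):
    """Map one metric value to 'Green', 'Amber' or 'Red' using BANDS."""
    green, amber = BANDS[metric]
    return "Green" if green(value) else "Amber" if amber(value) else "Red"

# Constructed sample data (not real): critical CVEs as
# (placeholder id, date the fix became available, date it was deployed).
PATCH_LOG = [
    ("CVE-PLACEHOLDER-1", date(2025, 3, 1), date(2025, 3, 4)),
    ("CVE-PLACEHOLDER-2", date(2025, 3, 2), date(2025, 3, 30)),
    ("CVE-PLACEHOLDER-3", date(2025, 3, 5), date(2025, 3, 14)),
    ("CVE-PLACEHOLDER-4", date(2025, 3, 7), date(2025, 3, 17)),
]
# (account, MFA enforced?) -- the contractor and intern were left out of rollout.
USERS = [("alice", True), ("bob", True), ("carol", True),
         ("contractor1", False), ("intern1", False)]

def median_patch_days(log):
    """Median days from fix available to deployed (median, so one slow outlier is not averaged away)."""
    return median((deployed - available).days for _, available, deployed in log)

def mfa_coverage_pct(users):
    """Share of accounts with MFA enforced, counting every account, interns included."""
    return 100.0 * sum(1 for _, mfa in users if mfa) / len(users)

def scoreboard(log, users, mttd_days, unvetted_vendors, tabletops):
    """Return {metric: (value, colour)} for the five board metrics."""
    values = {"patch_days": median_patch_days(log),
              "mfa_pct": mfa_coverage_pct(users),
              "mttd_days": mttd_days,
              "unvetted_vendors": unvetted_vendors,
              "tabletops": tabletops}
    return {m: (v, rag(m, v)) for m, v in values.items()}

if __name__ == "__main__":
    for metric, (value, colour) in scoreboard(PATCH_LOG, USERS, 3, 12, 1).items():
        print(f"{metric:18} {value:>6} {colour}")
```

With the sample data the patch median lands at 9.5 days (Amber) while MFA coverage is 60% (Red), which is exactly the “excluded segment” the article tells you to watch for.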

Start Tracking Those Now

Good security isn’t invisible—it’s measurable. Commit to tracking and publishing these five metrics starting this quarter. If your team can’t produce them today, that’s your first red flag.

Monday-Morning Move

You’ve seen the risk. You’ve heard the myths. You’ve got a sprint plan—and a scoreboard.

Now what?

If you’re an executive who wants to lead from the front, not follow from the fallout, take 15 minutes today. That’s all it takes to start turning strategy into motion.

Here’s your Monday-morning move:

  1. Forward this post to your CFO and CISO

    • Highlight the “Three Myths” section. Ask them which one most applies to your company—and what you’re doing about it.
  2. Book a 30-minute meeting this week

    • Just one. The goal? Decide which of the three 90-day sprint priorities to fund and track first. One owner. One deadline.
  3. Add the Five Metrics to Your Dashboard Template

    • You don’t need all the data today—but if you can’t start tracking, that’s your first gap. Ask your team to build the baseline by quarter’s end.

Act on these three steps and by next quarter your cyber programme will be moving from reactive to resilient.

Sources

  1. IBM, Cost of a Data Breach Report 2024
  2. Verizon, 2024 Data Breach Investigations Report: Key Insights (PDF)