Security metrics fail because we count what's easy, not what matters. Here are 10 ambitious metrics that actually drive outcomes - like software reproducibility percentage or time to reboot your entire company from bare metal.
Security metrics are stuck in a trap: we measure what's easy to count instead of what actually matters. Most organizations track vanity metrics - vulnerability counts, patch rates, compliance checkboxes - while missing the fundamental signals that predict whether they'll survive a real attack. The hard truth is that meaningful security metrics look like failure when you first measure them, which is exactly why most teams avoid them.
Take software reproducibility: what percentage of your entire software stack can be rebuilt through a CI/CD pipeline? If you're a tech company, you might hit 80%. Most organizations are at 10-20%. That gap explains why patching takes forever and why vulnerability remediation is incomplete. Or consider the time to reboot your entire company: if everything gets wiped by ransomware, how long does it take to rebuild from bare metal and immutable backups? Most organizations can't answer this at all. The ones that can measure it have gone from weeks to days to hours, and they can put actual dollar costs on each improvement.
The article lays out ten metrics like these: infrastructure reproducibility, SLSA levels across your software supply chain, blast radius by role, systems stagnancy, the OODA loop spread between you and your attackers. Each one is genuinely difficult to measure. But the act of measuring forces you to fix the underlying problems - missing catalogs, unknown dependencies, privilege sprawl. These aren't metrics to drive to 100%. They're metrics where you consciously choose your risk appetite and then track whether you're meeting it.
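As an added illustration (not code from the article), here is how the two metrics described above, software reproducibility percentage and time to reboot from bare metal, can be computed from a system catalog, and how the act of computing them surfaces the "unknown dependency" gap. The catalog, its field names and the numbers are constructed for the example, not a real schema.

```python
# Added example: compute reproducibility percentage and bare-metal reboot time
# over a constructed system catalog. Field names are assumptions, not a standard.

# Constructed sample catalog: whether a CI/CD pipeline can rebuild each system,
# how long its own restore takes (hours), and which systems must be up first.
CATALOG = {
    "identity":   {"ci_rebuildable": True,  "restore_hours": 2,  "depends_on": []},
    "network":    {"ci_rebuildable": True,  "restore_hours": 3,  "depends_on": []},
    "database":   {"ci_rebuildable": False, "restore_hours": 12, "depends_on": ["network"]},
    "app-tier":   {"ci_rebuildable": True,  "restore_hours": 1,  "depends_on": ["identity", "database"]},
    "legacy-erp": {"ci_rebuildable": False, "restore_hours": 40, "depends_on": ["network", "mainframe"]},
}

def reproducibility_pct(catalog):
    """Percentage of catalogued systems a pipeline can rebuild from source."""
    total = len(catalog)
    rebuildable = sum(1 for s in catalog.values() if s["ci_rebuildable"])
    return round(100.0 * rebuildable / total, 1) if total else 0.0

def unknown_dependencies(catalog):
    """Dependencies referenced but absent from the catalog: the missing-catalog gap."""
    known = set(catalog)
    return sorted({d for s in catalog.values() for d in s["depends_on"] if d not in known})

def time_to_reboot(catalog):
    """Critical-path restore time in hours, assuming unlimited parallel rebuild crews.
    Unknown dependencies are treated as already available, so the result is a
    lower bound; report them separately with unknown_dependencies()."""
    memo = {}
    def finish(name, stack=()):
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"dependency cycle through {name}")
        if name not in catalog:
            return 0.0
        deps = catalog[name]["depends_on"]
        start = max((finish(d, stack + (name,)) for d in deps), default=0.0)
        memo[name] = start + catalog[name]["restore_hours"]
        return memo[name]
    return max(finish(n) for n in catalog)

if __name__ == "__main__":
    print(f"reproducibility: {reproducibility_pct(CATALOG)}%")
    print(f"unknown dependencies: {unknown_dependencies(CATALOG)}")
    print(f"time to reboot (lower bound): {time_to_reboot(CATALOG)}h")
```

The 43-hour figure is driven entirely by the two systems no pipeline can rebuild, which is the point: the metric tells you where modernization money buys recovery time.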
The pushback is predictable: boards and executives won't understand these metrics. But that's a cop-out. Boards of banks understand value at risk and stressed capital ratios. Energy company boards understand safety metrics. They learn because those metrics matter and because teams educate them consistently. Security needs to demand the same level of sophistication instead of dumbing down to traffic-light dashboards. The education itself has value: when leadership understands why software reproducibility matters, they fund the modernization that brings commercial benefits beyond just security.