Presenters:
This talk argues that security programs fail because they optimize for activity instead of outcomes. Teams are busy—scanning, patching, monitoring—but not necessarily reducing real risk in a measurable way.
Key takeaways
- Activity ≠ risk reduction
  - More scans, alerts, and reports don’t mean you’re safer
  - Teams measure what’s easy (tickets closed, vulns patched)
  - But not what matters (actual exposure reduced)
- Metrics are misleading
  - KPIs often track volume and speed
  - Not effectiveness or impact
  - This creates a false sense of progress
- Security work isn’t tied to outcomes
  - Efforts aren’t mapped to business or operational risk
  - Teams can’t clearly show how their work reduces real-world impact
  - Leadership doesn’t get a clear picture of value
- Prioritization breaks down without outcome focus
  - Everything looks important
  - Work gets spread thin across low- and high-impact issues
  - Critical risks don’t get the attention they need
- Programs need outcome-driven thinking
  - What risk did we actually reduce?
  - What attack paths did we eliminate?
  - What business impact did we prevent?
