The cybersecurity industry loves metrics.
Organizations proudly report how many tools they have purchased, how many scans they have run, and how many dashboards they maintain. Vendors highlight adoption numbers and deployment statistics. Boards receive colorful presentations showing expanding security programs and growing investments.
Yet many organizations remain just as vulnerable as ever.
During a recent CYBR.SEC.CAST appearance, cybersecurity pioneer and former Veracode CTO Chris Wysopal highlighted a problem that many security leaders quietly recognize: buying security technology does not automatically improve security. In fact, some organizations are investing heavily in tools they barely use.
The industry has become remarkably good at measuring activity. It is often much less effective at measuring outcomes.
Check out the full episode and related article:


Security Theater Has Gone Digital
Wysopal recalled an early conversation with a customer who enthusiastically praised Veracode's software despite never having actually used it.
The customer liked being able to say the company had invested in application security. The purchase itself signaled concern about security, even if no scans had been performed and no vulnerabilities had been addressed.
That story illustrates a broader industry problem.
Many organizations treat security purchases as evidence of maturity. The acquisition of a tool becomes the goal rather than the reduction of risk.
This phenomenon is not limited to application security.
Security leaders frequently encounter environments where organizations deploy vulnerability scanners, endpoint tools, cloud security platforms, exposure management solutions, and identity products without fully integrating them into operational workflows. Reports are generated. Findings are cataloged. Risks are documented.
But remediation never becomes a sustained priority.
The result is a growing collection of security data without a corresponding reduction in exposure.
Enumerating Risk Isn't Managing Risk
One of the most revealing moments in the conversation centered on a common AppSec practice.
Organizations run an application security scan. The scan identifies vulnerabilities. Reports are generated. Findings are documented.
Then nothing happens.
The vulnerabilities are not fixed. Applications are not rescanned. Teams cannot even determine whether risk levels improved because no validation occurs. As Wysopal noted, many organizations are simply enumerating risk rather than managing it.
That observation extends far beyond AppSec.
Modern enterprises collect enormous amounts of security telemetry. Vulnerability management programs track thousands of findings. Exposure management platforms identify attack paths. Threat intelligence feeds generate continuous alerts.
Yet many security teams remain overwhelmed by remediation backlogs.
The challenge is no longer discovering risk. The challenge is acting on it.
This distinction matters because boards and executives often assume visibility equals security. It does not.
Visibility only creates the opportunity to improve security. Without remediation, prioritization, validation, and continuous improvement, visibility becomes little more than documentation.
Measuring Outcomes Instead of Activity
Ironically, vendors often dislike shelfware as much as customers should.
Contrary to the stereotype that vendors simply want subscription revenue, Wysopal noted that successful customers are more likely to renew because they can demonstrate measurable reductions in risk. Organizations that integrate tools into operational processes and achieve tangible security outcomes become long-term customers.
That insight points toward a healthier way of evaluating security programs.
Instead of asking how many tools have been purchased, organizations should ask:
- How much risk was eliminated?
- How quickly are critical vulnerabilities remediated?
- How often are fixes validated?
- How much attack surface has been reduced?
- How many findings remain unresolved?
These questions focus on outcomes rather than activity.
As cybersecurity programs mature, this distinction becomes increasingly important. Security leaders face growing pressure to justify spending while simultaneously managing expanding attack surfaces, AI-driven threats, and resource constraints.
In that environment, organizations can no longer afford security programs that merely generate reports.
The future belongs to programs that translate visibility into action and investment into measurable risk reduction. The tools matter. But what organizations do with those tools matters far more.

