Why is zero breach an awful way to measure a CISO's effectiveness?


CTO in Software, 11 - 50 employees

Was the breach material? What was the extrinsic and intrinsic cost of the breach?

Did the CISO have the support of the C-Suite and Board, or were they the scapegoat?
Director in Finance (non-banking), 10,001+ employees

A CISO exists to enable secure business. If the only thing that matters is preventing a breach, the CISO should do everything in his or her power to prevent risk, regardless of business impact, and would be incented to hide the discovery of weaknesses or compromises.
Senior Information Security Manager in Software, 501 - 1,000 employees

Think of going to your doctor for a regular checkup. The doctor checks your BMI; it is 20, and sends you home. That would be a terrible approach to healthcare: using a single indicator for overall health. So too here – the lack of a breach means nothing without context. In addition, there are at least 20 other significant indicators that are equally meaningful and significant.
