What You Should Really Measure in Cybersecurity (and What You Shouldn’t)

May 21, 2026

By Rubén Gómez

To recap, the topics that have consistently surfaced so far are hardening, ransomware, drift, control, and tool fragmentation. And if all these topics point to a single conclusion, it is this: having tools does not necessarily mean having control, and having control does not automatically guarantee an understanding of the real level of risk an organization is exposed to.

One of the most common problems across the industry is that many companies continue measuring activity instead of actual risk reduction. A simple question is enough to expose this issue: “How do you know you are more secure today than you were six months ago?” In many cases, the answers focus on having more deployed tools, processing more alerts, closing more tickets, or detecting more events. However, none of those metrics alone confirms that the environment is truly more secure.

The problem is that, in many organizations, security dashboards end up becoming enormous panels filled with graphs, events, and constant alerts. Everything appears active all the time, yet it still becomes difficult to answer a fundamental question: what is the organization’s real exposure level today?

The situation can be understood through a simple analogy. It is like taking a car to a repair shop and receiving a report where the mechanic explains that several sensors were checked, alerts were detected, and multiple events were processed. Even though all that information sounds technical and detailed, the real question remains: “Is the vehicle actually fine or not?” Cybersecurity often works the same way. There are enormous amounts of technical metrics, but many times they fail to translate into useful information that helps explain the real state of the environment.

One of the most common mistakes is confusing volume with effectiveness. More alerts do not mean more security. More dashboards do not automatically provide more control. Adding more tools does not guarantee lower risk either. In fact, the opposite often happens: more data generates more noise, noise reduces visibility, and lack of visibility makes decision-making more difficult.

Another important issue is that many organizations still evaluate security primarily through incidents, detected attacks, or response times. Although these indicators have value, they share an important limitation: all of these metrics appear after impact has already occurred. In other words, they measure consequences, not necessarily the level of exposure that existed beforehand.

This is why the conversation needs to shift. Instead of focusing exclusively on activity or incidents, organizations should measure their actual security posture by understanding how controlled the environment truly is.

Within that context, far more valuable questions begin to matter. For example: how many endpoints remain aligned with the established security baseline? If hardening begins to degrade, risk increases even when no visible alerts exist. It is also essential to understand how many users maintain excessive administrative privileges, since these permissions facilitate lateral movement, malware execution, and ransomware propagation.

Another important aspect is understanding how many remote tools exist inside the environment and, more importantly, whether they are properly governed. The same applies to exposed remote services. RDP remains one of the most exploited attack vectors, yet many organizations still do not know how many endpoints have it enabled.

Drift also becomes a critical signal, not from a theoretical perspective, but by observing what is actually happening in production environments. Accumulated drift is often one of the clearest indicators of operational control loss because it reflects how the environment gradually moves away from the secure configuration originally defined.
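The posture questions above (baseline alignment, excessive admin rights, ungoverned remote tools, RDP exposure, accumulated drift) can be computed directly from endpoint inventory and compared over time. The sketch below is an added example, not code from the original article; the baseline, field names, tool names, threshold and both inventory snapshots are constructed for illustration.

```python
# Added example. Field names, baseline values and inventory records are constructed.
BASELINE = {"firewall": "on", "smbv1": "off", "disk_encryption": "on", "rdp": "off"}
APPROVED_REMOTE_TOOLS = {"corp-remote-agent"}  # hypothetical approved tool
MAX_LOCAL_ADMINS = 1                           # assumed policy threshold

def drifted_settings(endpoint):
    """Baseline settings this endpoint no longer matches (missing value = drift)."""
    cfg = endpoint["settings"]
    return sorted(k for k, want in BASELINE.items() if cfg.get(k) != want)

def posture(snapshot):
    """Exposure metrics for one snapshot: shares of endpoints plus a drift count."""
    n = len(snapshot)
    if n == 0:
        raise ValueError("empty snapshot: no inventory, no posture figure")
    pct = lambda count: round(100.0 * count / n, 1)
    return {
        "baseline_aligned_pct": pct(sum(not drifted_settings(e) for e in snapshot)),
        "excess_admin_pct": pct(sum(len(e["local_admins"]) > MAX_LOCAL_ADMINS for e in snapshot)),
        "rdp_enabled_pct": pct(sum(e["settings"].get("rdp") == "on" for e in snapshot)),
        "ungoverned_remote_tool_pct": pct(sum(
            bool(set(e["remote_tools"]) - APPROVED_REMOTE_TOOLS) for e in snapshot)),
        "drifted_settings_total": sum(len(drifted_settings(e)) for e in snapshot),
    }

def trend(before, after):
    """Change in each metric between two snapshots (after minus before)."""
    then, now = posture(before), posture(after)
    return {k: round(now[k] - then[k], 1) for k in now}

def ep(name, admins, tools, **overrides):
    """Build a constructed inventory record that starts from the baseline."""
    return {"name": name, "settings": {**BASELINE, **overrides},
            "local_admins": admins, "remote_tools": tools}

SIX_MONTHS_AGO = [ep("ws-01", ["it-admin"], ["corp-remote-agent"]),
                  ep("ws-02", ["it-admin"], []),
                  ep("ws-03", ["it-admin", "jdoe"], ["corp-remote-agent"]),
                  ep("srv-01", ["it-admin"], [], rdp="on")]
TODAY = [ep("ws-01", ["it-admin"], ["corp-remote-agent"]),
         ep("ws-02", ["it-admin", "asmith"], ["free-remote-tool"], rdp="on"),
         ep("ws-03", ["it-admin", "jdoe"], ["corp-remote-agent"], smbv1="on"),
         ep("srv-01", ["it-admin"], [], rdp="on", firewall="off")]

if __name__ == "__main__":
    for metric, delta in trend(SIX_MONTHS_AGO, TODAY).items():
        print(f"{metric:28} {posture(TODAY)[metric]:>6}  ({delta:+})")
```

In this constructed data no alert ever fired, yet baseline alignment falls from 75% to 25% of endpoints and RDP exposure doubles, which is the kind of degradation an activity count would not show.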

All of this forces organizations to rethink the primary question. The discussion should no longer focus only on how many threats are detected, but rather on how exposed the environment truly is.

In Latin America, this becomes even more important. Security teams are often small, tools are fragmented, and operational pressure is constant. In that context, organizations need metrics that support fast and actionable decision-making, not dashboards that are impossible to interpret.

There is also another very common issue: vanity metrics. These are metrics that continue to exist simply because they look impressive in reports or presentations, even though they provide little operational value. The number of logs, processed events, or generated alerts may appear visually impactful, but that does not mean they are helping reduce risk.

A truly valuable metric should help answer practical questions such as where exposure is highest, which areas are losing control, what requires immediate correction, and whether the environment is improving or degrading over time. If a metric does not support decision-making, it usually becomes noise.

The situation can also be compared to a medical scenario. Imagine receiving hundreds of pages filled with medical results and clinical data without getting a simple answer to the most important question: “Am I healthy or not?” There is an overwhelming amount of available information, but very little ability to transform it into operational clarity.

Ultimately, organizations do not need more dashboards. They need context. They do not require more alerts, but rather a deeper understanding of their actual exposure. They also do not need more complexity, but greater operational clarity to prioritize and act effectively.

When all these concepts are connected, the relationship becomes obvious. Hardening defines the secure state of the environment. Drift explains how that state gradually degrades. Ransomware takes advantage of that exposure. Control maintains operational alignment. And metrics make it possible to understand whether control is actually being lost over time.

In cybersecurity, measuring activity is relatively easy. What is truly difficult is measuring real control, consistency, exposure, and operational degradation. The important thing is not only how much visibility exists, but whether the organization genuinely understands the current state of its environment.