The Challenges

The common challenges that teams are facing in their operating model

The lack of business ownership

The cybersecurity tool stack can be a complex one. Security teams need cyber controls and data on people, technology, and processes to effectively prioritize risk and stay ahead of the curve.

To achieve this, you need to know what needs protecting, who needs to do what, and why they need to do it, so that the work can be prioritized. Progress needs to be continuously monitored.

Yet the need for this clear ownership and actionability in a company’s cybersecurity posture can’t keep pace with the speed of advancing tech. Complex, highly regulated organizations are bottlenecked, and by the time they truly get a sense of their attack surface, it's often too late.

The numerator and denominator dilemma

Teams typically have over 50 different cybersecurity tools. Each tool knows where it is deployed, but doesn’t know where it isn’t, or where it should be. Each presents an accurate numerator and an inaccurate denominator. We call this an ‘unreliable witness’.

Cybersecurity metrics often highlight the number of assets covered by a tool (the numerator) but lack visibility into the total population that should be covered (the denominator). For example, a patching tool may report 5,000 compliant servers, but without knowing the total server count, it is impossible to determine true coverage. This gap undermines confidence in reporting and obscures real risks.
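The reconciliation this implies, as an added example (not code from any product described here): the denominator is built from the union of every source's inventory, and one tool's coverage is measured against it. The source names, hostnames and short-hostname matching rule are assumptions constructed for illustration.

```python
# Constructed sample exports; source names and hostnames are illustrative only.
SOURCES = {
    "cmdb":     ["web01.corp.example", "web02.corp.example",
                 "db01.corp.example", "app01.corp.example"],
    "edr":      ["WEB01", "DB01", "app01", "build01"],
    "cloud":    ["web02", "build01", "batch01.corp.example"],
    "patching": ["web01", "db01.corp.example", "APP01 "],
}

def normalise(name):
    """Lower-case short hostname, so 'WEB01' and 'web01.corp.example' match.
    Assumption: short hostnames are unique across the estate."""
    return name.strip().lower().split(".")[0]

def build_denominator(sources):
    """Map each asset seen by any source to the set of sources that saw it."""
    seen = {}
    for source, names in sources.items():
        for name in names:
            seen.setdefault(normalise(name), set()).add(source)
    return seen

def coverage(sources, tool):
    """Coverage of `tool` measured against the reconciled population."""
    population = build_denominator(sources)
    covered = {normalise(n) for n in sources[tool]}
    # Each gap keeps its evidence: which other sources vouch for the asset.
    gaps = {asset: sorted(srcs) for asset, srcs in population.items()
            if asset not in covered}
    return {
        "numerator": len(covered),
        "denominator": len(population),
        "coverage_pct": round(100 * len(covered) / len(population), 1),
        "gaps": gaps,
    }

if __name__ == "__main__":
    report = coverage(SOURCES, "patching")
    print(f"patching: {report['numerator']}/{report['denominator']} "
          f"= {report['coverage_pct']}%")
    for asset, srcs in sorted(report["gaps"].items()):
        print(f"  missing from patching: {asset} (seen by {', '.join(srcs)})")
```

The reconciled denominator is still a lower bound: an asset that no source reports remains invisible to this calculation.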

Misaligned reporting across stakeholders

Different groups (control owners, security leadership, auditors, and regulators) each have their own lens on cybersecurity performance. These views are often derived from siloed data, leading to conflicting conclusions.

A control owner may see success in tool compliance, while an executive observes gaps in business outcomes. Regulators and auditors, in turn, see incomplete or inconsistent evidence. The result is a fractured narrative that diminishes trust.