
How Secure Are We? Why the Cybersecurity Metrics We Use May Be Missing the Point

Barak Klinghofer April 10, 2025

By Barak Klinghofer, CEO & Co-Founder, Reclaim Security

Growing up with MacGyver and The A-Team, I learned to value ingenuity and resourcefulness—lessons that have stuck with me through two decades in cybersecurity. But in 2025, the industry is still grappling with an age-old question: “How secure are we?”

It sounds simple. It’s not. And answering it wrong—or with incomplete data—can be more dangerous than not answering it at all.

The Evolution of Cybersecurity Metrics

Over the years, the way organizations measure their cybersecurity posture has shifted dramatically:

  • The Compliance Era (1990s–2000s): If the audit checklist was complete—ISO 27001, HIPAA, etc.—you were “secure.”
  • The Vulnerability Phase (2000s–2010s): The focus turned to CVEs, patching cycles, and remediation time. More technical, but still missing context.
  • The Risk Management Shift (2010s): Risk scores helped align security with business impact. But much remained theoretical.
  • The Exposure Management Era (Now): Today’s leading teams combine technical telemetry with business context to reduce real risk.

Despite these advances, most security teams still struggle to deliver a confident answer to the board’s question: How secure are we, really?

Why Measuring Security Is Still So Difficult

1. We Prioritize What’s Measurable, Not What Matters

Consider a global financial institution with stellar compliance and patch metrics. Yet, during a red team exercise, attackers leveraged “low-severity” misconfigurations to exfiltrate customer data in under 48 hours.

The breach wasn’t due to a zero-day. It was the result of misplaced confidence in misleading metrics.

2. Security Is Dynamic, But Assessments Are Static

Security assessments often offer a point-in-time snapshot. But business environments are constantly changing. A single cloud rollout can rapidly and drastically alter a company’s risk landscape.

According to Ponemon’s 2023 report, 78% of organizations cite visibility during change as their top challenge.

The Business Impact of Incomplete Cybersecurity Metrics

Bad metrics don’t just mislead—they cost money, time, and trust:

  • Misaligned Investments: Buying new tools instead of fixing misconfigurations.
  • False Confidence: Gartner predicts that through 2027, 99% of cloud breaches will stem from preventable misconfigurations.
  • Tool Sprawl: IBM reports enterprises use 76 security tools on average, yet 69% of leaders say risk is rising.
  • Communication Gaps: Without meaningful data, justifying security budgets becomes nearly impossible.

What Forward-Thinking Teams Are Doing Differently

Rather than measuring everything, leading teams focus on measuring what actually matters:

✅ Threat-Informed Defense

Use MITRE ATT&CK and threat modeling to prioritize based on what adversaries are actually doing—not hypothetical risks.

✅ Business-Aware Exposure Management

Don’t just chase CVSS scores. Prioritize based on business impact and critical asset exposure.

✅ Continuous Validation

Replace quarterly reports with real-time validation of controls. Tools that verify whether your defenses are working now—not just during the last audit—are critical.

✅ Focus on Configuration, Not Tool Quantity

It’s not about how many tools you have, but how well they’re configured. Microsoft’s 2023 Digital Defense Report found that proper configuration and hygiene can stop 98% of threats.
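As an added illustration of the last two points (continuous validation and a focus on configuration), here is a small drift detector that is not part of the original post or of Reclaim Security’s product. It treats a security posture as a set of expected control settings weighted by business impact, scores each observed configuration snapshot, and reports which controls regressed between two snapshots. All control names, asset names and snapshot values are constructed for the example; a control the scanner did not report at all is counted as failing, because silence is not evidence that a control works.

```python
"""Weighted control-validation and drift detection over configuration snapshots."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str   # hypothetical control name
    asset: str        # where the setting lives (constructed asset name)
    expected: str     # value the control must have to count as "working"
    impact: int       # business-impact weight: 1 (low) .. 5 (critical)


# Constructed baseline: the handful of controls worth validating continuously.
CONTROLS = [
    Control("mfa_enforced", "idp-prod", "true", 5),
    Control("s3_public_access_block", "customer-data-bucket", "true", 5),
    Control("ssh_password_auth", "bastion-01", "false", 3),
    Control("tls_min_version", "api-gateway", "1.2", 4),
]

# Constructed scanner output at two points in time, keyed by (control, asset).
SNAPSHOT_T0 = {
    ("mfa_enforced", "idp-prod"): "true",
    ("s3_public_access_block", "customer-data-bucket"): "true",
    ("ssh_password_auth", "bastion-01"): "false",
    ("tls_min_version", "api-gateway"): "1.2",
}
# Later snapshot: a bucket was made public and the TLS setting was not reported.
SNAPSHOT_T1 = {
    ("mfa_enforced", "idp-prod"): "true",
    ("s3_public_access_block", "customer-data-bucket"): "false",
    ("ssh_password_auth", "bastion-01"): "false",
}


def evaluate(controls, snapshot):
    """Return {control_id: compliant} for one snapshot.

    A control missing from the snapshot is treated as failing, so a scanner
    gap shows up as a regression instead of silently inflating the score.
    """
    return {
        c.control_id: snapshot.get((c.control_id, c.asset)) == c.expected
        for c in controls
    }


def posture_score(controls, snapshot):
    """Impact-weighted fraction of controls that currently work (0.0 .. 1.0)."""
    status = evaluate(controls, snapshot)
    total = sum(c.impact for c in controls)
    passing = sum(c.impact for c in controls if status[c.control_id])
    return passing / total


def detect_regressions(controls, previous, current):
    """Controls that were compliant before and are not now, highest impact first."""
    before = evaluate(controls, previous)
    after = evaluate(controls, current)
    by_id = {c.control_id: c for c in controls}
    regressed = [cid for cid in before if before[cid] and not after[cid]]
    return sorted(regressed, key=lambda cid: -by_id[cid].impact)


if __name__ == "__main__":
    print(f"posture T0: {posture_score(CONTROLS, SNAPSHOT_T0):.2f}")
    print(f"posture T1: {posture_score(CONTROLS, SNAPSHOT_T1):.2f}")
    for cid in detect_regressions(CONTROLS, SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"REGRESSION: {cid}")
```

Run on every snapshot rather than once a quarter, the regression list is the “posture deterioration” signal the maturity questions below ask about, and the impact weighting is what keeps a critical bucket setting from being buried under a pile of low-impact findings.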

Ask Yourself These Security Maturity Questions

  1. If the board asked for one metric, what would you choose?
  2. Are your tools actually blocking real-world threats?
  3. Can you detect posture deterioration in real time?
  4. Are your controls improving productivity—or harming it?
  5. How many incidents could have been prevented with better configuration?

Final Thoughts: Mindset Over Dashboards

The question “How secure are we?” may never have a perfect answer. But the teams getting closest aren’t buying more tools—they’re making better use of what they already have.

In the spirit of MacGyver and The A-Team, today’s best defenders are resourceful, context-aware, and relentlessly focused on clarity over quantity. That mindset may not come with a theme song—but it sure delivers results.

About Reclaim Security
Reclaim Security helps security teams fix misconfigurations, enforce optimal security policies, and reduce risk—automatically and without disrupting the business.
Follow us on LinkedIn to stay ahead of what’s next in exposure remediation.

Originally posted on LinkedIn