惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
MyScale Blog
MyScale Blog
Jina AI
Jina AI
爱范儿
爱范儿
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
I
Intezer
The Cloudflare Blog
T
Threat Research - Cisco Blogs
G
Google Developers Blog
Stack Overflow Blog
Stack Overflow Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
Docker
AI
AI
Scott Helme
Scott Helme
Attack and Defense Labs
Attack and Defense Labs
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
Recent Announcements
Recent Announcements
Security Latest
Security Latest
Hugging Face - Blog
Hugging Face - Blog
W
WeLiveSecurity
Last Week in AI
Last Week in AI
Security Archives - TechRepublic
Security Archives - TechRepublic
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Proofpoint News Feed
S
Securelist
S
Security Affairs
Project Zero
Project Zero
博客园 - 叶小钗
Google DeepMind News
Google DeepMind News
T
Tor Project blog
A
About on SuperTechFans
V2EX - 技术
V2EX - 技术
宝玉的分享
宝玉的分享
T
Tenable Blog
博客园 - 聂微东
人人都是产品经理
人人都是产品经理
Simon Willison's Weblog
Simon Willison's Weblog
Forbes - Security
Forbes - Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
V2EX
AWS News Blog
AWS News Blog
The GitHub Blog
The GitHub Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Privacy & Cybersecurity Law Blog
阮一峰的网络日志
阮一峰的网络日志
I
InfoQ
C
CXSECURITY Database RSS Feed - CXSecurity.com
H
Hacker News: Front Page
美团技术团队

IDC

IDC On the Ground: Inside GITEX AI Europe 2026's Race to Build Sovereign AI Infrastructure IDC Quanta Launch: The 3-Minute Recap The strategy behind today's launch Dashboards Are Dead: The Future of Business Intelligence Lives in the Workflow Introducing IDC Quanta: The Intelligence Fabric of the AI-Enabled Enterprise How Wearables and AI Will Reshape Healthcare Who operates your meeting rooms now: AV, IT, or an AI agent? Beyond Check-the-Box: Choosing a Security Framework for the AI and Quantum Era DX Software in Transition: AI Investment Trends by Sector Japan's AI Supercycle Is Here — Are You Ready to Lead It? From Wait-and-See to All-In: How SMBs Are Rewriting Their AI Story Your AI Platform Knows the Market. Does It Know Your Business, and Can You Trust It with Your Strategy? Start Here: Six Best Practices for Foundational AI Training Physical AI and Robotics Take Center Stage at Computex Taipei 2026 for Semiconductor Vendors Trump's Quantum EO: What It Means for the U.S. Market The sovereignty conversation vendors need to have - but rarely do Q&A: Your Pipeline Conversion Questions, Answered by IDC Analysts The Intelligence Gap Is Widening. Here's What the Data Says. Anthropic, Trump, and Fable 5: The Dispute That Makes the Case for Frontier AI Studies IDC Quanta: The Next Era of Tech Intelligence The $22.5 Trillion AI Opportunity Why the memory market is still tight: what comes next Indonesia PC Market Grows 9.4% in Q1 2026 Despite Component Pressures But Headwinds Are Building The Dawn of Just-in-Time Software Agent Supplier or Featureware: The Choice Every SaaS Vendor Faces Now SpaceX, Cursor, and the Race to Build the Best Coding LLM in the World NVIDIA Becomes #1 in Datacenter Ethernet Switching as 1Q26 Market Surges 39.8% to $15.4 Billion Wi-Fi 7 Captures 44% of Enterprise WLAN Dependent Access Point Revenue as 1Q26 Market Grows 15.9% to Nearly $2.7 Billion AI Is Ready. Enterprises Are Not. Vendors Need to Fix It. Smart Glasses Surge: The XR Market Is Rewriting Its Own Rules WWDC 2026: Apple’s AI Credibility Test AI Is Making MSPs More Efficient. Here’s How to Share in the Gains. The Dark Funnel: How Answer Engine Optimization is Reshaping B2B Brand Visibility Agentic AI Is Breaking Your ROI Model. Here’s How to Fix It When the Question Can’t Wait: How Kyndryl Delivers Enterprise Intelligence at Speed Why the Grey Market Won’t Disappear in the Middle East and Africa: The Case of Notebooks Print, AI, and the expanded buying committee: highlights from IDC’s Print Executive Dinner in London AI in telecommunications: Why it is becoming an infrastructure priority Do AI Markets Face a Circular Financing Problem? Enterprise Applications Will Determine the Answer. From AI pilots to business value: what EMEA digital leaders are doing differently in 2026 Why India’s PC Market Surged 31.1% in Q1 2026 and What Comes Next PC Market Enters Volatile Territory as Memory Shortage Persists Through 2027 Agentic AI Ecosystems: Navigating the Megatrend That’s Reshaping Enterprise Technology Markets Leaning into disruption: How Perficient delivers real outcomes in an AI-first world Google’s Fitbit Air and Google Health: The Software Platform Play That Matters More Than the Hardware Why Fast and Trustworthy Aren’t Mutually Exclusive in AI Research The Middle East Conflict Just Rewrote the Rules of Business Continuity Ecosystem strategy in 2026: turning AI disruption into partner-led growth Worldwide Smartphone Market to Decline 13.9% in 2026 as Memory Crisis and US-Iran War Constrain Growth The AI Supercycle Has Started. Where Does Asia/Pacific Stand? Devices at Google I/O 2026: Android XR Glasses, Googlebooks, and Gemini Intelligence Why Research Alone Isn’t Enough: The Delivery Problem No One Is Talking About Digital Accessibility in the Workplace: From Compliance to Competitive Advantage When Pinocchio Became a Real Boy: Security Platforms Have Grown Up Plotting a Future-Proof Course: How The Resorts Companies Turned a Decade of IDC Partnership into a Competitive Edge European CISO priorities in 2026: AI agents, platformization, and sovereignty Why IDC Directions Is Coming to Hangzhou — and Why You Should Be There Telcos’ Next AI Revenue Play: Monetizing Orchestrated Digital Infrastructure The Workforce Skills Gap That AI Can’t Solve for Itself The Agent Takeover: What Happens When AI Becomes the Primary User of Enterprise Software The AI Answer Gap: Why Fast Answers and Defensible Ones Are No Longer the Same Thing The Market Every Western Executive Should Be Watching. IDC’s CEO Already Is. Ecosystem Strategy in 2026: Why AI Is Rewriting Partner-Led Growth Anthropic, SpaceXAI, and the New Compute Race in AI Navigating a Market Where the Wrong Bet Has Real Consequences Renuka Drummond Named Top 10 Corporate Counsel Worldwide by OnCon Icon Awards From Labor Arbitrage to Platform-Led Outcomes: How Agentic AI Is Rewriting the IT Services Playbook EMEA IT Market 2026 – Q2 Updates: 5 Key Takeaways on AI, IT Spending and Market Trends Japan’s AI Infrastructure Market Is Heading for ¥1 Trillion and Here Is What Comes Next Asia Pacific IT Spending Outlook 2026: How the Middle East War Is Reshaping IT Budgets From Digital Access to Accessibility with AI Enablement From Cost Optimization to Continuity: What IT Buyers Need Now and How Suppliers Must Respond AI as an Organizational Stress Test: What Will Break First in Your Operating Model? Japan’s ¥2.1 Trillion IT Modernization Wave: The Race Has Already Begun Semiconductor Market to Surge Past the Trillion-Dollar Threshold: AI Infrastructure Drives Market Growth Most AI Investments Don’t Deliver Value – Here’s What EMEA Leaders Are Missing Hannover Messe 2026: 7 Insights and 3 Pieces of Advice on Industrial AI, Manufacturing, and the Future of the Factory IDC Directions 2026: The AI Conversation Has Shifted. Here’s How to Catch Up. Coding by Prompt Is Coming to Your Business Units: What CIOs Should Do Next FutureScape 2026: Building Trust, Resilience, and Prosperity in the Agentic Future FutureScape 2026: Charting the Path to Enterprise-Wide Orchestration From Task Execution to Value Creation: What the 2026 Humanoid Robot Half Marathon Reveals About Industry Progress Europe’s AI Story Has a New Problem: It’s Actually Working AI Infrastructure Spending Caps Historic Year at ~$90 Billion in Q4 2025; 2029 Spending to Eclipse $1 Trillion Digital Sovereignty: Why “Sovereign” Is No Longer Enough FutureScape 2026: Navigating the Crosscurrents of Disruption Huawei and Apple Support China Smartphone Market Resilience as Shipments Decline 3.3% in Q1 2026 The Dirty Secret of AI in ITSM: Why Bad Data Wins Every Time Wholesale telecommunications: How platform models are reshaping the market Beyond LLMs: Why AI Strategy Now Requires Multi-Model, Multimodal, and Multi-Agent Architectures It’s a Data Thing: Retail and Restaurant AI Investments Will Miss the Mark if Not Led by Data Modernization Inference to Overtake Training by 2027 – Why Japanese First Movers Are Betting on Sovereign AI Infrastructure The productivity plateau: Why efficiency gains no longer differentiate Why I’m Excited about IDC Directions 2026 GTC 2026: Workstations enter the sidetop era Dispelling the myth of a silver bullet in sovereign AI MacBook Neo: Apple’s strategic play to disrupt the PC market AI sovereignty risk: A five-step agenda for CIOs Data pricing for AI is being negotiated without a stable model From cyber risk to business risk: How CISOs should engage the board in 2026
Beyond the Data Dump: Why Cybersecurity Metrics Are Failing, and How AI Fixes It
Philip D. Harris, CISSP, CCSK · 2026-07-01 · via IDC

Organizations worldwide are failing to deliver cybersecurity metrics that serve their boards, executives, and operational teams, and the emergence of AI has widened that gap significantly. Cyber risk has risen from an operational concern to an existential business risk. Ransomware attacks have shut down companies outright. Regulatory frameworks, including DORA, NIS2, and SEC disclosure rules, now hold boards directly accountable for risk and compliance posture. The stakes have never been higher, yet the tools used to communicate cybersecurity health remain fundamentally misaligned with the audiences that need to act on them.

Just as revenue and expense data flows across every level of an organization, cybersecurity risk intelligence must reach operations, management, and governance audiences, calibrated to each. The message appropriate for a security operations team is not the message appropriate for a board of directors.

More importantly, many CISOs do not know how to communicate with executives and board members, and executives and board members do not know what they want from CISOs. CISOs want to discuss in cybersecurity terms, but executives and board members really only understand business, revenue (dollars), and resilience, and they don’t understand cybersecurity. This data-driven cybersecurity metrics framework was written specifically to deal with that problem in a way that lets the CISO, executives, and board members communicate in a language both understand.

Why cybersecurity metrics are misunderstood

Cybersecurity matured in reverse. Unlike most disciplines that flow from strategy to goals to policies to tactics, cybersecurity built itself from the bottom up: tactics first, strategy last, if ever. The consequences of that legacy persist today:

  • Formal strategy is largely an accumulation of small tactical decisions made over decades, never designed for governance audiences.
  • Boards are routinely presented with operational metrics — firewall blocks, vulnerability counts, patch rates — that were never built for governance consumption.
  • Regulatory pressure is accelerating the problem: governments worldwide now hold executives and boards directly accountable for risk and compliance posture.
  • The result is a persistent, structurally embedded mismatch between what cybersecurity teams can easily produce and what governance audiences actually need.

Why executive and board meetings fail to communicate cyber risk

Boards govern. Executives strategize. Neither runs day-to-day operations. Yet most cybersecurity presentations treat them as if they do:

  • Executives lack deep cybersecurity domain expertise by design; their role is strategic governance, not running a security operations center.
  • When metrics are misaligned, board meetings devolve into data dumps, forcing executives to decode technical minutiae rather than engage in meaningful risk dialogue. A single DLP block statistic can consume an hour of board time with no actionable outcome.
  • CISOs typically rise through technical security leadership, not business management, limiting their experience translating risk into the language of business strategy.
  • Board-level cybersecurity accountability is a relatively recent demand, driven by the ransomware pandemic rather than strategic planning. There is no established playbook; most CISOs learned by trial and error.
  • The result: CISOs default to presenting what they have — operational metrics — and boards are left searching for the risk signal buried in the technical noise.

Why traditional metrics failed everyone

The failure wasn’t malicious. It was structural. Both sides operated in good faith with the wrong tools:

  • Metrics were built from available data, not from audience needs. Current metrics are often fragmented across multiple repositories and formats, making collection laborious and time-consuming.
  • What existed was appropriate for operations management — rarely in a form useful for executive decision-making.
  • Noncompliance rates, firewall blocks, and vulnerability scan results are tactical measures with no clear call to action at the executive level.
  • Management asked, “Are we OK?” and received patching statistics in response: a fundamental mismatch between the question asked and the answer provided.
  • Tactical metrics aid day-to-day program management but lack the context and comprehensiveness required for strategic leadership. Without a centralized intelligence platform, this gap cannot be closed.

How AI has changed the metrics imperative

AI has added two urgent, distinct dimensions to an already unsolved problem.

Offensive: AI as an adversarial weapon

  • Threat actors are weaponizing AI to generate convincing phishing campaigns at unprecedented scale.
  • Deepfake audio and video are being used to impersonate executives and manipulate internal decision-making.
  • AI accelerates vulnerability discovery, exploit development, and evasion of traditional detection controls.
  • The net effect: faster, higher-volume, more sophisticated attacks, with compressed detection and response windows.

Defensive: Ungoverned internal AI deployments

  • Organizations are embedding AI into products, services, and operational decisions at a pace that far outstrips governance and oversight controls.
  • Shadow AI, agentic AI, and SaaS-embedded AI are widely deployed and largely untracked.
  • This creates a new class of enterprise risk: model failures, hallucinated outputs influencing strategy, customer harm, and regulatory exposure.
  • Without AI-focused metrics at every organizational level, the gap between the questions executives are asking and the answers cybersecurity leaders can provide will only widen.

The qualities of data-driven metrics

Data-driven metrics must serve specific audiences, telling a coherent story calibrated to each stakeholder’s role, accountability, and risk exposure. Three tiers are required:

Governance (Board/C-Suite)Strategic risk oversight, compliance posture, AI governance status. 6–10 high-signal metrics organized across 4 IDC-defined categories.
Managerial (C-Suite/LOB/Ops Management) Program health, AI incident trends, shadow AI exposure, regulatory compliance progress. Both strategic and tactical in nature.
Operational (CISO/Functional Teams)Day-to-day control effectiveness, AI attack surface, shadow AI detection, hallucination monitoring, data protection. Essential for execution teams; too granular for boards.

Effective data-driven metrics share these qualities:

  • Audience-specific: Each tier receives only what is relevant to its function, accountability, and decision-making authority.
  • Outcome-driven: They measure progress toward defined business objectives, not activity volume.
  • Actionable: Every metric carries an implicit or explicit call to action, enabling informed, confident decisions.
  • Contextual: Risk is framed in financial, operational, or reputational terms, not technical jargon.
  • AI-inclusive: Every tier must now incorporate AI-specific risk intelligence alongside traditional cybersecurity metrics.

Elements to consider in crafting metrics

Building metrics that work requires a structured, iterative process anchored in business context, not available data.

  • Begin with the business: define key functions, processes, and associated risks before mapping them to cybersecurity priorities.
  • Engage stakeholders from IT, audit, legal, risk, compliance, BISOs, and senior executives to build consensus around what matters most.
  • Incorporate AI as both an internal operational risk (from the organization’s own deployments) and an external threat vector.
  • Expand the stakeholder group to include AI governance officers, AI product owners, and legal or privacy counsel with AI expertise.

  • Shape metrics collection around agreed risks, automating data sources through GRC platforms capable of generating audience-specific intelligence.
  • Treat AI systems as first-class data sources: model inventories, output logs, decision audit trails, and third-party AI component registries are required inputs alongside traditional telemetry.

  • Use automation and AI to analyze large volumes of contextual intelligence against the risk register, surfacing asset ownership gaps, CMDB inaccuracies, and emerging risks.
  • AI-generated analyses must be subject to human validation before informing decisions.
  • AI output accuracy should itself become a tracked and reported metric.

4. Interpret Results in Business Terms

  • Outcomes must be specific, measurable, and meaningful — for example, a DLP implementation should show users changing behavior, exfiltration declining, and residual risk being quantified.
  • When AI systems produce outcomes, interpretive frameworks must distinguish human-driven from AI-driven results and assess accuracy and fairness, not just control effectiveness.
  • AI-generated recommendations must never be treated as equivalent to validated analyst conclusions.

5. Consider the stakeholders

  • Manufacturing LOBs: focused on process uptime and network segmentation risks.
  • eCommerce LOBs: focused on application security and architecture risks.
  • AI-deploying LOBs: carry distinct AI-related cybersecurity risks requiring specific communication.
  • Expand the model to include AI product owners, data scientists, and AI governance officers wherever AI intersects cybersecurity risk.

6. Empower decision-making and monitor continuously

  • Cybersecurity leaders own the recommendation; the risk decision belongs to the business owner accountable for it. Their role is to build a story that lets decision owners act with confidence.
  • Monitor for model drift; schedule regular AI system reevaluation and retraining.
  • Continuously retire irrelevant risks and elevate newly emerging ones, including those introduced by evolving AI deployments.
  • Embed AI governance explicitly: model approval policies, mandatory preproduction risk assessments, human review standards for high-risk AI decisions, and AI incident management procedures are all required.

Want the full framework? Download the Beyond the Data Dump report for detailed metric specifications, audience-tier breakdowns, and IDC’s complete recommendations.

What is needed for data-driven metrics

Effective data-driven metrics communicate risk likelihood versus business impact. They go beyond statistics to deliver actionable insights supporting both strategic and tactical decision-making. Achieving this requires:

  • A centralized intelligence repository consolidating contextual business, IT, and cybersecurity data, including AI-specific signals, into a single, consistent source of truth.
  • Three metric tiers (governance, managerial, and operational) generated consistently over time from that single source.
  • AI-specific metrics at every tier: shadow AI detection, AI regulatory compliance posture, agentic AI governance, model IP protection, SaaS-embedded AI risk, and AI output integrity.
  • Automation, machine learning, orchestration, and AI to generate an ever-evolving set of metrics and adjacent risk insights.
  • Audience-specific dashboarding and stakeholder messaging that translates technical cybersecurity data into business risk language, calibrated to the level of accountability and required response.

The role of GRC platforms and intelligence fabric

Modern GRC platforms are uniquely positioned to close the metrics gap. By consolidating internal and external business, IT, and cybersecurity intelligence into a single repository, enhanced through automation, machine learning, and AI, they power consistent, audience-specific metrics at scale.

The intelligence fabric is the contextual data layer at the core of a modern GRC platform. It must enrich the risk register with:

  • Newly discovered assets and their sensitivity classifications
  • Potential data and asset ownership
  • Estimated monetary impact of risks and compliance issues
  • Contextual interpretation of risks against organizational policies

The fabric must now extend to AI-specific intelligence, organized by metric type so each audience sees the right signal at the right altitude:

1. Cybersecurity risk posture2. Compliance posture3. Program outcomes4. AI governance status

  • AI model inventories and ownership records
  • Shadow AI detection signals
  • AI output logs and decision audit trails
  • AI regulatory compliance mapping (EU AI Act, NIST AI RMF, and sector-specific requirements)

  • Single source of truth: Centralized GRC intelligence across cybersecurity, IT, and business functions.
  • Audience-specific dashboards: SOC views for operational teams; risk posture views for executives and boards.
  • Outcome-driven metrics: Actionable statistics, trends, and risk-driven insights tied to business objectives.
  • Targeted stakeholder messaging: Calibrated by audience and required response — for-your-information only, executive risk-based decision required, or action needed (e.g., budget approval).
  • Reduced human bias: AI-assisted analysis increases consistency and accuracy across the metrics program.

Advice for technology buyers and suppliers

A passing awareness of cybersecurity posture is no longer acceptable at any level of leadership. Buyers should:

  • Partner with a qualified cybersecurity GRC software provider experienced in collecting, analyzing, and generating audience-appropriate metrics aligned to this three-tier framework.
  • Ensure the platform consolidates contextual business, IT, and cybersecurity intelligence, internal and external, into a robust, integrated repository.
  • Demand at least three levels of metrics: governance (strategic), managerial (strategic and tactical), and operational (tactical), generated consistently over time from a single source.
  • Require AI-specific risk metrics across all three tiers: shadow AI detection, AI regulatory compliance posture, agentic AI governance, model IP protection, and SaaS-embedded AI risk.
  • Insist on automation, machine learning, and orchestration to generate an evolving metrics program that stays ahead of the threat and regulatory landscape.
  • Boards must be able to confirm: Are AI systems governed? Is AI risk being measured? Are AI incidents — regulatory actions, customer harm, reputational damage — being proactively managed and reported?

For the technology supplier and services provider

The market opportunity is clear, immediate, and structurally durable. Organizations at every level need current, audience-appropriate visibility into cybersecurity risk and compliance posture, and most lack the platforms, skills, and frameworks to deliver it. Suppliers should:

  • Build or extend GRC platforms with a consolidated intelligence repository that centralizes business, IT, and cybersecurity data to power consistent, audience-specific metrics at scale.
  • Deliver all three metric tiers (governance, managerial, and operational) from a single consolidated intelligence source. Providers who can do this address a gap most organizations cannot close without external platform support.
  • Invest in audience-specific dashboarding that translates technical cybersecurity data into business risk language, designed for boards, executives, and operational teams alike.
  • Incorporate AI governance metrics: shadow AI detection, AI regulatory compliance posture, agentic AI risk, and model IP protection across all three audience tiers.
  • Develop consulting and managed service offerings that help customers build data-driven, AI-inclusive metrics programs and bridge the business acumen gap most cybersecurity teams face.
  • Providers who help CISOs speak the board’s language, translating cyber-risk into business risk, will earn lasting customer loyalty and reduce competitive displacement risk.

“The cybersecurity metrics market is at an inflection point. Customers are being held accountable for AI risks they cannot yet measure, and boards are demanding business risk context that most security tools still cannot deliver. Technology and service providers that step into this gap, with consolidated intelligence platforms, audience-specific metrics, and AI governance capabilities, will define the next generation of cybersecurity and GRC market leadership.”Philip D. Harris, Research Director, Governance, Risk, and Compliance Solutions, IDC

Download the Beyond the Data Dump report for the complete cybersecurity metrics framework, detailed AI governance specifications, and IDC’s full buyer and supplier recommendations..

Philip D. Harris, CISSP, CCSK

Philip D. Harris, CISSP, CCSK - Research Director, Governance, Risk, and Compliance (GRC) Solutions

Phil Harris is Research Director for GRC Solutions at IDC, where he develops and promotes IDC's point of view on risk, advisory, privacy, and compliance services and software. He conducts research on business strategies and the impact of relevant offerings…