← Back to Blog
Jsoc it

The Dashboard Illusion: Why a “98% Secure” Score Is a Dangerous Lie

👤
JSOC IT Team
🕒

The Number on the Slide

The board meeting opened with a single slide.

“Security Posture Score: 98%.”

Green background. Upward trend arrow. A small note underneath: “Up from 94% last quarter.” The CISO didn’t need to say much else. The number did the talking. Heads nodded. The agenda moved to the next item — fourteen minutes allocated for security, eleven of them already spent admiring a single percentage.

Six weeks later, that same organization disclosed a breach that had been active for 94 days. The attacker had used a compromised contractor credential, moved through systems the 98% score had rated as “low risk,” and exfiltrated data from a server that wasn’t included in the scoring calculation at all — because it had been provisioned outside the standard deployment process and the scoring platform had never discovered it existed.

The board’s first question to the CISO wasn’t “how did this happen?”

It was: “You told us we were 98% secure. What does that number even mean?”

He didn’t have a good answer. Nobody ever does — because the question exposes something the entire industry has quietly avoided saying out loud: the security score on your dashboard was never designed to answer the question executives think it answers.

The Question Behind the Question

Every executive who looks at a security score is really asking one thing: “Are we going to get breached?”

No security score answers that question. Not 98%, not 85%, not any single number derived from any methodology currently in commercial use. And the gap between what executives believe the score means and what the score actually measures is not a minor technical nuance.

It is the belief problem — and it is one of the most consequential misunderstandings in enterprise risk management today.

The belief problem works like this: a security rating platform, a vulnerability scanner, or an internal GRC tool produces a composite score based on a defined methodology — patch compliance, control coverage, configuration adherence, policy completion. The score is mathematically accurate relative to its own methodology. It is also, almost universally, presented to and absorbed by non-technical executives as a direct measure of breach probability.

It isn’t. And the consequences of that misunderstanding are measurable:

  • 76% of organizations report a significant gap between their documented security posture and their actual security posture — Ponemon Institute 2024
  • Only 43% of security controls perform as expected when tested against real adversary behavior — Cymulate 2024
  • Organizations that experienced a breach in the last two years had a median internal security score of 91% at the time of the incident — a composite finding across multiple security rating platform case studies
  • 80% of breaches are discovered by third parties — meaning the organization’s own scoring and monitoring systems, however confident their output, did not surface the incident — Verizon DBIR 2024

A 91% median score among organizations that subsequently got breached is not a statistical anomaly. It’s the expected outcome of a measurement system that was never built to predict the thing executives are using it to predict.

Why the Score Feels Trustworthy When It Isn’t

The dashboard illusion persists not because executives are careless, but because the score is engineered — often unintentionally — to feel authoritative.

It’s a Single Number, and Single Numbers Feel Objective

Complexity is uncomfortable. A security program involves thousands of assets, hundreds of controls, dozens of frameworks, and a threat landscape that changes weekly. A single percentage compresses all of that into something that fits on a slide and can be tracked quarter over quarter.

The compression is the appeal — and the danger. Reducing a multidimensional risk landscape to one number necessarily discards information. The question that never gets asked in the boardroom is: what got discarded, and does it matter more than what’s left?

A composite score that weighs “percentage of endpoints with antivirus installed” equally with “percentage of critical vulnerabilities remediated within SLA” produces a single number that obscures the fact that one of those metrics matters enormously more than the other in determining actual breach risk. The score doesn’t know the difference. It just averages.

It Goes Up, and Upward Trends Feel Like Progress

“98%, up from 94% last quarter” is a more compelling boardroom narrative than “98%, but we don’t actually know if that number predicts anything.” The trend line itself becomes the story — and trend lines are emotionally satisfying regardless of what they’re tracking.

The trend can go up for reasons that have nothing to do with reduced breach risk: completing a backlog of low-priority patches, adding scoring categories the organization already performs well in, or — more commonly — the scoring vendor adjusting their methodology in ways that aren’t transparently communicated to the client.

A number that goes up consistently produces confidence that is completely decoupled from whether actual risk is going down.

It’s Produced by a Tool, and Tools Feel Objective

There’s a specific psychological comfort in a number generated by software rather than asserted by a person. “Our security team thinks we’re doing well” invites scrutiny. “Our platform calculated a 98% score” sounds like measurement rather than opinion.

But the platform’s score is only as good as its methodology, its coverage, and its currency — and all three are usually invisible to the executive looking at the output. The platform is a person’s judgment, encoded into an algorithm, applied at scale. It carries the same limitations as any other model: it’s only accurate within the boundaries of what it was designed to measure, and it says nothing about what falls outside those boundaries.

A tool-generated number feels objective. It is exactly as subjective as the assumptions embedded in its design — just harder to interrogate.

It Replaces a Harder Conversation Executives Don’t Want to Have

The most uncomfortable truth about the dashboard illusion is that it’s convenient for everyone in the room. The CISO gets a clean, presentable metric instead of a complex risk narrative that’s harder to defend in fourteen minutes. The board gets a number they can record in minutes and feel satisfied that oversight occurred. Nobody has to sit with the genuinely uncomfortable question: what don’t we know, and what would it cost to find out?

The 98% score isn’t just a measurement error. It’s a mutually convenient way to avoid the conversation that would actually reduce risk.

What the Score Actually Measures (And What It Doesn’t)

Understanding the belief problem requires understanding exactly what these scores are built from — and the structural gaps in that construction.

What’s Typically In the Score

Patch and vulnerability metrics — percentage of systems with critical patches applied, average time to remediate, count of open critical/high findings. These are genuinely useful operational metrics. They are not breach predictors. An organization can have excellent patch compliance and still be breached through credential compromise, social engineering, or a misconfiguration that has nothing to do with patching.

Control existence checks — does the organization have MFA, does it have EDR deployed, does it have a documented incident response plan. These measure presence, not effectiveness. As established in earlier analysis of security effectiveness, only 43% of controls perform as expected when actually tested. A score built on existence checks cannot see that gap.

Policy and compliance adherence — percentage completion of security awareness training, policy attestation rates, audit finding closure rates. These measure administrative completion. They correlate weakly, if at all, with actual resistance to a determined attacker.

External attack surface scanning — open ports, exposed services, SSL certificate validity, DNS configuration. This is one of the few categories that has some direct relationship to actual exploitability — but only for the assets the scanner knows to look at.

What’s Almost Always Missing

Unknown and shadow assets. Every scoring methodology can only assess what it has visibility into. The average organization has 40% more cloud assets than its security team is aware of — Orca Security 2024. Those assets are, by definition, absent from the score. A 98% score calculated across 60% of your actual environment is not 98% security. It’s an unknown number, dressed as a known one.

Behavioral and contextual risk. No standard scoring methodology assesses whether your detection systems would actually catch a Living off the Land attack, whether your service accounts have anomalous access patterns, or whether your highest-privilege credentials are protected against pass-the-hash techniques. These are exactly the techniques used in the majority of significant breaches — and exactly the dimensions most scoring platforms don’t measure at all.

Detection and response effectiveness. A score can confirm your SIEM is deployed and ingesting logs. It cannot confirm your SIEM would detect a specific attacker technique in your specific environment with your specific configuration — the question that actually determines outcome during a real intrusion. That requires active validation, not passive scoring.

Human and process failure modes. No score captures whether your incident response plan has ever been practiced, whether your analysts are experiencing burnout that degrades triage quality, or whether your remediation backlog is growing faster than your team’s capacity to close it. These are documented, recurring causes of breach severity — and they are structurally invisible to automated scoring.

Recency and drift. Most scores are calculated on a periodic cycle — daily, weekly, or even less frequently for some compliance-oriented platforms. Cloud environments change continuously. A score that’s accurate on Tuesday may not reflect Thursday’s configuration changes, new deployments, or staff turnover. The number on the slide is always describing a version of the environment that may no longer exist.

The gap between what’s measured and what matters is not a rounding error. It’s frequently the majority of actual risk.

The Real-World Cost of Believing the Number

This isn’t an abstract methodological critique. The belief problem has produced measurable, repeated outcomes across documented breaches.

Organizations with strong composite security scores have been breached through vendors and third parties whose access wasn’t captured in the scoring scope at all — the score measured the organization’s own environment, not the extended ecosystem of contractors, vendors, and partners with legitimate access to it.

Organizations have presented high scores to boards and cyber insurance underwriters, only to discover during claims investigations that the score’s underlying control existence checks didn’t reflect actual control effectiveness — creating disputes over coverage when post-incident forensics revealed gaps the score never surfaced.

Security teams have had budget requests denied because “we’re at 98%, why do we need more investment” — a question that assumes the score reflects diminishing returns on security spend, when in reality the score may be measuring the easy 98% while the hard, expensive, high-impact 2% — the unknown assets, the behavioral blind spots, the unvalidated detection coverage — remains completely unaddressed.

The dangerous lie isn’t that the number is wrong. It’s that the number answers a question it was never built to answer, and everyone in the room proceeds as if it did.

What Should Replace the Single Score (Without Abandoning Measurement)

The solution isn’t to stop measuring security posture. It’s to measure it honestly — in a way that preserves the boardroom’s need for clarity without manufacturing false confidence.

Report Coverage Honestly, Including What’s Unknown

Instead of a single composite score, report what percentage of your actual environment is within scope of measurement at all — and name what isn’t. “Our security score covers 100% of assets known to our CMDB. Independent asset discovery in the last quarter found that this represents approximately 71% of our actual cloud footprint. The remaining 29% has not been assessed.”

This is an uncomfortable thing to present. It’s also true, and it converts an artificially reassuring number into an honest risk statement that drives the right next investment — closing the visibility gap — rather than reinforcing the false comfort of the existing score.

Separate Control Existence From Control Effectiveness

Report these as two distinct metrics, not blended into one. “MFA is deployed across 99% of identified accounts” is a deployment metric. “MFA enforcement was validated against simulated credential-stuffing attempts in our last quarter’s Breach and Attack Simulation exercise, with a 94% block rate” is an effectiveness metric.

Boards that see both learn to ask the more useful question — not “is it deployed” but “does it work” — which is the question that actually correlates with breach resistance.

Report Validated Detection Coverage Against MITRE ATT&CK

Rather than an abstract composite score, report the percentage of relevant ATT&CK techniques — specifically the ones documented as active against your industry — for which detection has been tested and confirmed effective, using Breach and Attack Simulation platforms like Cymulate, AttackIQ, or Picus Security.

“We have validated detection coverage for 61% of the top 30 ATT&CK techniques used against our sector in the last 12 months, with a remediation plan to close the remaining gaps by Q3” is a harder number to report than “98% secure.” It is also dramatically more useful — because it tells the board exactly what risk remains and exactly what it would cost to close it.

Report Mean Time to Detect and Mean Time to Respond — Not Just Existence

MTTD and MTTR, tracked over time and benchmarked against industry medians (194 days MTTD, 73 days MTTR per current Mandiant and IBM data), tell the board something a composite score cannot: how the organization would actually perform during a real intrusion, based on its track record handling confirmed incidents and validated simulations.

A board that sees MTTD trending from 60 days to 12 days over successive quarters is seeing genuine risk reduction. A board that sees a composite score move from 94% to 98% is seeing a number move — with no inherent connection to whether the organization’s actual resistance to attack has changed at all.

Present the Gap Explicitly, Every Time

The single most important practice: every time a security metric is presented, pair it with an explicit statement of what it does not measure. Not as a disclaimer buried in a footnote — as a stated, discussed element of the report.

“This score reflects patch compliance and control deployment. It does not reflect whether those controls would stop a determined attacker using current techniques, and it does not include assets outside our documented inventory. Our validation testing this quarter found gaps in three of these areas, detailed on the next slide.”

This is a harder presentation to give. It is also the only version of the conversation that gives the board the information it needs to make an honest risk decision — rather than the comfortable illusion that a high number provides.

What This Means for the Next Board Conversation

The shift away from the dashboard illusion isn’t a rejection of metrics. It’s a rejection of false precision in service of comfortable narratives.

The next time a security score is presented to your board, the most valuable question anyone in the room can ask is not “is that good?” It’s: “What does this number not tell us, and how would we find out?”

That question, asked consistently, changes what gets measured. It pushes organizations toward continuous validation — Breach and Attack Simulation, purple teaming, threat hunting, asset discovery — rather than periodic scoring against a fixed, often incomplete methodology. It converts the security conversation from a presentation of comfort into an honest accounting of risk.

The organizations that get breached while holding a 91% median security score are not unlucky. They are the predictable result of an industry-wide habit of mistaking a measurement for a guarantee.

The Bottom Line

A 98% security score is not a lie because the math behind it is wrong. The arithmetic is almost always correct relative to its methodology. It’s a lie in the way that matters most: it tells executives something confident and false about a question that no current scoring methodology can actually answer — are we safe?

No score can answer that question. Not because the technology isn’t good enough, but because security is not a static property that can be captured in a single number at a single point in time. It is a continuously contested state, shaped by assets you don’t know exist, techniques your detection hasn’t been tested against, and an adversary who is actively working to make your environment look exactly as secure as your dashboard claims it is.

The belief problem is not solved by a better score. It’s solved by abandoning the expectation that any single score should be believed at all — and replacing it with the harder, more honest practice of continuously testing, validating, and reporting exactly what you know and exactly what you don’t.

Your next board meeting doesn’t need a better number.

It needs a harder conversation.

Your Next Move

The dashboard illusion thrives in environments where claimed coverage has never been tested against real adversary behavior — the same gap that runs through every detection and validation failure in this series.

Read next: The Biggest Lie in Cybersecurity: “We’re Covered” — the operational version of this same belief problem, and what it takes to close the gap between claimed and validated security.

Want to know what your security score isn’t telling you? A validation assessment tests your actual detection and response capability against real adversary techniques — and gives your board the honest, evidence-based risk picture that a composite score cannot. Let’s talk.