When Green Means Blind: Building Cyber Risk Dashboards That Show Control and Resilience
A sea of green on an executive cyber risk dashboard often looks reassuring. In reality, it can be a warning sign. This came up in my interview with The Stack last year, and it is a topic I wanted to delve into a little deeper in a blog post.
Cyber risk is not a domain that stays neatly within tolerance for long periods without constant friction, trade-offs, exceptions and emerging weaknesses. If every control is green, every metric is on target and every risk appears comfortably managed, there is a good chance the dashboard is measuring the wrong things. It may be over-weighted toward compliance completion, policy existence or control attestation, rather than whether the organisation could actually withstand and recover from a serious destructive cyberattack.
That said, the opposite can also create problems, especially in highly regulated industries. A dashboard that is permanently amber and red can signal a lack of control, weak governance or an inability to operate within regulatory expectations. Regulators, boards and auditors do not just want honesty; they want evidence that the organisation understands its risks, is managing them within defined tolerances and can demonstrate disciplined progress. In those environments, a dashboard that never stabilises can undermine confidence just as much as one that is unrealistically green.
The balance is to stop treating dashboards as a vanity mirror and start treating them as an instrument panel. Too many CISOs wear their green dashboards as a mark of pride, and when I start digging into detail on their actual operational cyber resiliency capability, it’s a complete dumpster fire. A good executive dashboard should show both control health and operational resilience. It should distinguish between compliance status and real-world readiness. An organisation may be fully compliant on paper and still be poorly prepared to recover to a trusted state after a destructive attack.
CISOs can strike that balance by separating metrics into three layers:
Compliance and control conformance: the evidence that required controls exist and are operating.
Risk and exposure: the areas where control gaps, exceptions, or threat conditions are increasing danger.
Resilience performance: how quickly and effectively the organisation can detect, contain, eradicate, recover and learn. That means showing metrics such as recovery exercise outcomes, identity recovery readiness, backup integrity, percentage of critical services that can be restored to a trusted state, and the time needed to execute key response decisions under pressure.
Boards in regulated sectors still need confidence, so not every weakness needs to dominate the dashboard. The answer is not to flood executives with technical debt and operational noise. It is to present a balanced picture: where the organisation is within tolerance, where it is outside tolerance, what is being done about it and whether cyber resilience is measurably improving. Green should mean something has been tested, proven, and is sustaining performance. Amber and red should show where management attention and investment are needed, not where the function is failing.
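The three-layer split and the "green means tested and proven" rule above can be encoded as roll-up logic so that a service cannot turn green on control attestation alone. The following Python is an added example written for this post, not the author's code or any product's; the metric fields, the 180-day evidence window, the service names and the sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
@dataclass
class ServiceMetrics:
    name: str
    controls_operating: bool                # layer 1: control conformance evidence
    open_exceptions: int                    # layer 2: accepted gaps raising exposure
    backup_integrity_verified: bool         # layer 3: backups restore-tested
    last_recovery_exercise: Optional[date]  # layer 3: when recovery was last exercised
    exercise_passed: bool = False           # restore to a trusted state succeeded?
    measured_recovery_hours: Optional[float] = None  # time achieved in that exercise
    recovery_tolerance_hours: float = 24.0  # board-agreed tolerance for this service

def recent_exercise(m: ServiceMetrics, today: date, max_age_days: int = 180) -> bool:
    return (m.last_recovery_exercise is not None
            and today - m.last_recovery_exercise <= timedelta(days=max_age_days))
def within_tolerance(m: ServiceMetrics) -> bool:
    return (m.exercise_passed and m.measured_recovery_hours is not None
            and m.measured_recovery_hours <= m.recovery_tolerance_hours)
def proven_restorable(m: ServiceMetrics, today: date) -> bool:
    """Layer 3 evidence: a recent, passed exercise restored the service within tolerance."""
    return recent_exercise(m, today) and m.backup_integrity_verified and within_tolerance(m)

def rag_status(m: ServiceMetrics, today: date):
    """Return (status, reason). GREEN is only reachable through tested, proven recovery."""
    if not m.controls_operating:
        return "RED", "required controls are not operating"
    if recent_exercise(m, today) and not within_tolerance(m):
        return "RED", "last recovery exercise failed or exceeded tolerance"
    if not proven_restorable(m, today):
        return "AMBER", "controls attested but recovery unproven or evidence stale"
    if m.open_exceptions > 0:
        return "AMBER", f"{m.open_exceptions} open exception(s) raising exposure"
    return "GREEN", "tested, proven and within tolerance"

def dashboard_summary(services, today: date) -> dict:
    """Balanced picture: status counts plus % of critical services provably restorable."""
    statuses = [rag_status(s, today)[0] for s in services]
    proven = sum(proven_restorable(s, today) for s in services)
    return {"green": statuses.count("GREEN"), "amber": statuses.count("AMBER"),
            "red": statuses.count("RED"),
            "pct_restorable_to_trusted_state": round(100 * proven / len(services), 1)}

# Constructed sample data (not real services): attested-but-untested, proven, over tolerance.
SAMPLE = [
    ServiceMetrics("payments", True, 0, True, None),
    ServiceMetrics("identity", True, 1, True, date(2025, 1, 10), True, 6.0, 8.0),
    ServiceMetrics("core-banking", True, 0, True, date(2025, 2, 1), True, 30.0, 24.0),
]
```

Note that "payments" is fully attested yet lands on amber, which is the point: green is reserved for services whose recovery has actually been exercised and measured inside tolerance.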
The best dashboards do not aim to look comforting. They aim to be decision-useful. For CISOs, that means giving regulators enough evidence of control and discipline, while giving executives enough truth to drive meaningful improvement in cyber resilience. If everything is green, you may be hiding risk. If nothing is green, you may be signalling that the organisation is not in control. The objective is not colour. It is credible assurance.