
CISO Series Podcast Are You Implying This Line Graph Isn't a Compelling Cybersecurity Narrative?
Nov 18, 2025

Nathan Hunstad, Director of Security at Vanta, shares insights on security metrics that matter because they are tied to business objectives. He discusses what makes pen testing effective, advocating for clear scope definition and genuine collaboration between the testers and the team being tested. The conversation also delves into the real-world implications for customer trust when the threat is a scam site rather than malware. Hunstad emphasizes the practical applications of AI, stating it won't replace staff but can enhance operations through automation and knowledge sharing, ensuring threat intelligence remains actionable.
Learning Security Isn't Always The Final Word
- Early in his career, Nathan assumed security always knew best and clashed with developers.
- He learned security teams have different incentives and aren't always the de facto experts.
Metrics Should Map To Business Impact
- Tie security metrics to business objectives rather than raw ops counts like MTTD/MTTR.
- Map revenue-generating processes to controls to show material impact to the board.
MTTD/MTTR Can Disincentivize Prevention
- Operational metrics like MTTD/MTTR can mislead because attacks that are blocked outright never enter the population being measured.
- Such metrics may penalize preemptive defenses and favor reactive measures.
