Cyber and Risk Leaders - Beware the Green Status Report and What Lies Beneath

Are all the Key Risk Indicators (KRIs) your team presents green most of the time? If this rings true, then take it as an opportunity to challenge and kick the tyres on the data to ensure it is a true representation of risk. Don’t take green KRIs at face value – green reporting can mask serious issues and must be stress tested. In the dynamic world of cybersecurity, where the risk balance can change frequently, do not take green as an assurance that ‘all is well’ and fully under control.
From a KRI standpoint green is supposed to mean that the risk is managed and within the organisation’s risk appetite. This assumes there is a line of sight between the two. Many organisations also have a tendency to muddle KRIs with KPIs (Key Performance Indicators), further confusing what is actually being reported. In general:
- a KPI is a measure of how well a goal is being achieved;
- while a KRI is an early warning of risks that may impact on these goals.
One is backward facing, one is forward facing.
Notably the culture of an organisation can heavily influence how status is reported. In a blame-heavy culture where red is punished teams may ‘game’ the report to maintain a green status. Possible ways of doing this might be to set the thresholds at a level where green can always be achieved or to restrict the population of data being reported on.
So how should I challenge a KRI metric?
Dive into the following areas …
- Has there been over-aggregation in the metric to such a level that it can hide patterns and weaknesses that could prove costly? Do a double click and zoom in on the data.
- Optimism and gaming – Are teams optimising the appearance of a control to pass audits, meet Service Level Agreements (SLAs) or secure better team and individual performance ratings?
- Coverage is key – If my vulnerability remediation KRI is showing green, ask the questions:
  - are all the assets I am responsible for covered by the scanning?
  - are all assets being scanned in the same way (authenticated / not authenticated)?
  - are all vulnerabilities being covered (those where there is a patch/fix and those where there is not)?
If there are reasons for scoping gaps, then these need to be clear and transparent in reporting and to those accountable for the risk.
Common scoping blind spots include Shadow IT, OT, Third Parties and SaaS – and yet these can be the points of weakness in your organisation's attack surface.
A green cyber status report is defensible only if you can see:
- Coverage clarity – My metric is a % of what? Is there an impenetrable small novel accompanying the metric that describes what is in and what is out? Is the logic sound?
- Risk linkage – Make sure that your technical risk metrics can be tied to business-impacting risks with defined tolerances aligned to business risk appetite.
- Testing evidence – Does the KRI status align with the results of testing activity (penetration testing, red teaming, external scanning)? This is your ‘proof point’ to actively challenge whether the metrics give a true representation of the world from an attack perspective. If a test finds a bundle of unencrypted data or passwords that have not been rotated in years, yet those metrics are all green, this should be a red flag that the KRIs are not ‘real’.
Ask the team the following questions:
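The coverage point above (what the metric is a % of, and whether unscanned assets and no-fix vulnerabilities are quietly excluded) is easy to show in code. The following is an added illustration, not the author's own tooling or data: a constructed asset inventory is scored two ways, once with a narrowed denominator (authenticated scans only, fixable criticals only) and once against the full inventory, and then de-aggregated by segment so the OT and SaaS blind spots become visible. Thresholds and segment names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Asset:
    name: str
    segment: str         # "corp", "ot" or "saas" in this constructed sample
    scanned: bool        # is the asset in the scanner's population at all?
    authenticated: bool  # credentialed scan (sees installed software) or network-only
    crit_fixable: int    # open criticals that have a vendor patch
    crit_no_fix: int     # open criticals with no patch yet (need mitigation or acceptance)

# Constructed inventory for illustration only (not real assets).
INVENTORY = [
    Asset("web-01", "corp", True, True, 0, 0),  Asset("web-02", "corp", True, True, 0, 1),
    Asset("app-01", "corp", True, True, 0, 0),  Asset("app-02", "corp", True, True, 0, 0),
    Asset("db-01", "corp", True, True, 0, 0),   Asset("lap-01", "corp", True, False, 0, 0),
    Asset("lap-02", "corp", False, False, 0, 0),
    Asset("plc-01", "ot", False, False, 0, 0),  Asset("plc-02", "ot", True, False, 1, 0),
    Asset("crm-saas", "saas", False, False, 0, 0),
]

def rag(value, green=95.0, amber=85.0):
    """Assumed RAG thresholds: >=95% green, >=85% amber, otherwise red."""
    return "GREEN" if value >= green else "AMBER" if value >= amber else "RED"

def pct(ok, total):
    return round(100.0 * ok / total, 1) if total else 0.0

def narrow_kri(assets):
    """The gamed metric: denominator is only authenticated-scanned assets,
    and criticals without a vendor fix are silently excluded."""
    pop = [a for a in assets if a.scanned and a.authenticated]
    return pct(sum(1 for a in pop if a.crit_fixable == 0), len(pop))

def honest_kri(assets):
    """Denominator is the whole inventory. An asset only counts as clean when it was
    scanned with credentials and has no open critical of either kind; an unscanned
    asset is 'unknown', which is not the same as 'green'."""
    ok = sum(1 for a in assets
             if a.scanned and a.authenticated and a.crit_fixable == 0 and a.crit_no_fix == 0)
    return pct(ok, len(assets))

def coverage_by_segment(assets):
    """De-aggregate scan coverage per segment so blind spots (OT, SaaS) show up."""
    seg = defaultdict(lambda: [0, 0])
    for a in assets:
        seg[a.segment][0] += a.scanned
        seg[a.segment][1] += 1
    return {s: pct(ok, n) for s, (ok, n) in seg.items()}

if __name__ == "__main__":
    n, h = narrow_kri(INVENTORY), honest_kri(INVENTORY)
    print(f"Reported KRI: {n}% -> {rag(n)}")      # 100.0% -> GREEN
    print(f"Honest KRI:   {h}% -> {rag(h)}")      # 40.0% -> RED
    print("Scan coverage by segment:", coverage_by_segment(INVENTORY))
```

The same ten assets produce a green report or a red one depending only on what the denominator is and which findings are allowed to count, which is exactly why the scoping rules need to sit next to the colour.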
- What would have to be true for this to move to amber or red next month and how likely is this?
- Which material risks remain high or very high today even though the metric is green?
- Can you take me through one or two recent incidents or tests and explain how they relate to the status reflected in these metrics?
Even if the KRIs have passed the ‘kick the tyres’ test, green in Cyber should only be seen as ‘currently acceptable risk with known limitations’, never as ‘secure’. Green should buy time for strategic dialogue, not justify complacency – the burden of proof sits with the metric owner to demonstrate that the colour reflects real, validated resilience rather than cosmetic compliance.
Reality Check
Many CISOs and Cyber Leaders are placed in an impossible situation – their boss wants to see green to add to his or her status report, the Board wants to see green, Shareholders and Investors want to see green – it can be really hard for a Cyber Leader to deliver a true representation with so many competing interests in play.
Experience suggests that it can be easier for a new Cyber or Risk Leader to challenge the reporting – they are seeing it from an independent vantage point in order to understand what they have inherited. It can be harder to challenge if you have been in the business for some time and there has been collective unawareness or unwillingness to challenge the status quo. Nobody is willing to flag for fear of being branded a troublemaker.
Often there is a structural challenge – it’s possibly easier for a CISO reporting into the Board directly than a report into the CIO depending on organisational pressures. Amber or Red reporting could be seen as being overtly dramatic and a cry for funding which is not always well received when budgets are constrained.
In a Regulated organisation with a 3 Lines of Defence model, in theory the 2nd and 3rd lines of Defence should challenge a green report and the accuracy of its metrics, but where reputations, bonuses and shareholder and regulatory optics need to be maintained the challenge does not always come as strongly as it might. Corporate politics gets in the way.
Bottom Line
As Cyber or Risk Leaders it’s important we understand the data: what it is and what it is saying. How you then choose to use this in upward status reporting is very much governed by the culture and organisation you find yourself in.
Ask yourself the questions:
- If there is a Cyber Incident, do I want the post incident analysis to shine a spotlight on reporting that was supporting a false narrative?
- Could I defend this position at the highest levels, and in a legal context if needed?
- Do I believe that the report is a true representation?
The true measure of a Cyber or Risk Leader is not the colour of their status report, but the resilience they can defend when a green report is challenged. Ensure your green is a shield of validated resilience, not a mask of cosmetic compliance.
Clare brings over 25 years of experience in technology and cybersecurity, including leadership roles at Visa Europe as Head of Risk and Compliance for the global cybersecurity organisation. She led successful Bank of England CBEST exercises, oversaw global PCI programs, and supported post-acquisition due diligence and integration across multiple M&A initiatives. Prior to Visa, she spent two decades in consulting with DMW Group and Accenture, delivering global, large-scale IT transformation initiatives. A Durham University graduate, Clare is a passionate runner and dog walker outside of work.