A company passes its compliance audit.
All critical vulnerabilities are patched.
The SIEM is green.
The dashboards look healthy.
The security team reports no major incidents.
Three weeks later, the company is breached.
How does that happen?
More importantly:
How does it keep happening?
The uncomfortable answer is that cybersecurity has spent decades improving visibility while largely failing to solve measurement.
We have become extremely good at collecting signals.
We are still surprisingly bad at determining what those signals actually mean.
And that distinction may be one of the most important problems in modern security.
The Security Industry Measures Everything Except Security
Imagine asking a doctor a simple question:
"Is the patient healthy?"
Instead of answering, the doctor hands you a report:
- 17 blood pressure alerts
- 43 heart rate alerts
- 8 temperature alerts
- 126 miscellaneous alerts
Would you know whether the patient is healthy?
No.
You would know how much data was collected.
You would not know what condition the patient is actually in.
Cybersecurity often operates the same way.
Organizations measure:
- Number of vulnerabilities
- Number of alerts
- Number of findings
- Number of incidents
- Number of compliance controls
These numbers fill dashboards.
They drive reports.
They influence budgets.
Yet none of them directly answer the question executives actually care about:
How likely is it that an attacker can successfully compromise this environment?
That is not a visibility question.
It is a measurement question.
The Vulnerability Counting Trap
One of the most persistent assumptions in cybersecurity is that more vulnerabilities equal more risk.
At first glance, that seems logical.
But reality is rarely that simple.
Consider two environments.
Environment A
- 500 low-severity vulnerabilities
- Strong segmentation
- Limited privileges
- No practical attack paths
Environment B
- 3 vulnerabilities
- Exposed credentials
- Reachable internal services
- Direct privilege escalation path
Which environment would you rather defend?
Most dashboards would highlight Environment A.
Most attackers would choose Environment B.
The difference is critical.
Security findings are not independent events.
They interact.
Risk emerges from relationships.
The problem is not the number of weaknesses.
The problem is what those weaknesses allow an attacker to do when combined.
Why Attackers Win With Fewer Data Points
Most security programs see systems as collections of findings.
Attackers see systems as pathways.
A scanner might report:
- Exposed secret
- SSRF
- Weak IAM policy
- Internal service exposure
Four separate issues.
An attacker sees something very different:
Exposed Secret → Cloud Access → SSRF → Internal Service → Privilege Escalation
One attack path.
One compromise.
One successful breach.
The scanner is technically correct.
The attacker is operationally correct.
And operational reality is what matters.
The security team is looking at a list.
The attacker is looking at a graph.
Why CVSS Cannot Measure System Risk
This is where many organizations become trapped.
CVSS is valuable.
It provides useful information about individual vulnerabilities: a base score describes the intrinsic characteristics of one weakness, independent of where that weakness is deployed.
But CVSS was never designed to measure the risk of an entire system, and its own documentation says so: the CVSS v3.1 user guide states plainly that CVSS measures severity, not risk. The Environmental metrics that would adjust a score for deployment context exist, but most feeds, NVD included, publish only the base score.
A vulnerability scored 9.8 on a host that no reachable system can touch may be effectively isolated.
A vulnerability scored 4.3 may become catastrophic when connected to exposed credentials, trust relationships, and reachable assets.
Attackers do not compromise organizations through CVSS scores.
They compromise organizations through attack paths.
Severity describes a weakness.
Risk describes a system.
Those are fundamentally different concepts.
Yet many vulnerability management programs treat them as interchangeable.
The result is predictable:
Teams spend enormous effort reducing scores while attackers focus on exploitability.
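The two-environment comparison, the list-versus-graph point, and the 9.8-versus-4.3 contrast can all be made concrete with one small reachability check. The following is an added example, not code from the original post; the environments, host names, finding names, and CVSS scores are constructed for illustration and are not real scan results. Each finding is modelled as an edge: exploiting it moves an attacker from the host or identity they already control to another one. A breadth-first search then asks the attacker's question (is there a path from the internet to the crown jewels?) next to the dashboard's question (how many findings, and how severe?).

```python
"""Reachability over a findings graph: the list versus the graph.

Added example, not code from the original post. Every host name, finding
name and CVSS score below is constructed for illustration.
"""
from collections import deque
from typing import Dict, List, NamedTuple, Optional, Set


class Finding(NamedTuple):
    """One scanner finding, modelled as an edge: exploiting it moves an
    attacker who already controls `src` onto `dst`."""
    src: str
    dst: str
    name: str
    cvss: float


# Environment A: 500 low findings on segmented web hosts that lead nowhere,
# plus one 9.8 on "legacy-db". No finding has an edge *into* legacy-db, so
# the 9.8 is not reachable from the internet at all.
ENV_A: List[Finding] = [
    Finding("internet", f"web-{i:03d}", f"info-disclosure-{i:03d}", 3.1)
    for i in range(500)
] + [Finding("legacy-db", "crown-jewels", "unauth-rce", 9.8)]

# Environment B: four modest findings that chain into a single attack path
# (the Exposed Secret -> Cloud Access -> SSRF -> Internal Service ->
# Privilege Escalation chain from the text, with constructed names).
ENV_B: List[Finding] = [
    Finding("internet", "ci-runner", "exposed-secret-in-repo", 4.3),
    Finding("ci-runner", "cloud-account", "long-lived-access-key", 5.3),
    Finding("cloud-account", "internal-api", "ssrf-in-webhook-handler", 6.5),
    Finding("internal-api", "crown-jewels", "overly-broad-iam-policy", 4.3),
]


def build_graph(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Adjacency list keyed by the node an attacker must already hold."""
    graph: Dict[str, List[Finding]] = {}
    for f in findings:
        graph.setdefault(f.src, []).append(f)
    return graph


def _bfs(findings: List[Finding], start: str) -> Dict[str, Optional[Finding]]:
    """Breadth-first search from `start`. Returns, for every reachable node,
    the finding that was used to get there (None for the start node)."""
    graph = build_graph(findings)
    parent: Dict[str, Optional[Finding]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for f in graph.get(node, []):
            if f.dst not in parent:
                parent[f.dst] = f
                queue.append(f.dst)
    return parent


def find_attack_path(findings: List[Finding], start: str,
                     goal: str) -> Optional[List[Finding]]:
    """Shortest chain of findings from `start` to `goal`, or None when no
    chain exists (which is what working segmentation looks like here)."""
    parent = _bfs(findings, start)
    if goal not in parent:
        return None
    path: List[Finding] = []
    node = goal
    while parent[node] is not None:
        f = parent[node]
        path.append(f)
        node = f.src
    return list(reversed(path))


def reachable_nodes(findings: List[Finding], start: str) -> Set[str]:
    return set(_bfs(findings, start))


def unreachable_findings(findings: List[Finding],
                         start: str = "internet") -> List[Finding]:
    """Findings whose source node an attacker cannot reach from `start`.
    Their CVSS score is real, but they sit on no attack path."""
    reachable = reachable_nodes(findings, start)
    return [f for f in findings if f.src not in reachable]


def summarize(findings: List[Finding], start: str = "internet",
              goal: str = "crown-jewels") -> dict:
    """Dashboard-style numbers next to the question that decides the outcome."""
    path = find_attack_path(findings, start, goal)
    return {
        "finding_count": len(findings),
        "max_cvss": max(f.cvss for f in findings),
        "sum_cvss": round(sum(f.cvss for f in findings), 1),
        "path": [f.name for f in path] if path is not None else None,
        "path_max_cvss": max(f.cvss for f in path) if path else None,
    }


if __name__ == "__main__":
    for label, env in (("Environment A", ENV_A), ("Environment B", ENV_B)):
        s = summarize(env)
        print(f"{label}: {s['finding_count']} findings, max CVSS "
              f"{s['max_cvss']}, sum of scores {s['sum_cvss']}")
        print("  attack path:", " -> ".join(s["path"]) if s["path"] else "none")
        print("  isolated findings:", [f.name for f in unreachable_findings(env)])
```

Run as a script, it reports Environment A as 501 findings with a maximum CVSS of 9.8 and no attack path, and Environment B as 4 findings with a maximum of 6.5 and a four-step path to the crown jewels. `unreachable_findings` is the check behind the "effectively isolated 9.8": a finding whose source no attacker can reach adds to the count and to the sum of scores but not to the outcome. Attack-path tooling such as BloodHound runs the same search over a much richer vocabulary of edges; the shape of the question is the same.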
The Compliance Illusion
The same problem appears in compliance.
Organizations often assume that compliance is evidence of security.
It is not.
Compliance demonstrates adherence to a framework.
Security describes resistance to compromise.
Those concepts overlap.
They are not equivalent.
An organization can pass an audit and remain vulnerable.
An organization can satisfy every required control and still expose a viable attack chain.
Compliance answers:
"Did we implement the required controls?"
Attackers ask:
"Can I still get in?"
These are different questions.
Only one determines the outcome of an attack.
The Evidence Problem
At its core, cybersecurity suffers from an evidence problem.
The industry frequently substitutes proxies for proof.
We assume:
- Findings indicate risk.
- Alert volume indicates visibility.
- Compliance indicates security.
- Severity indicates impact.
Sometimes those assumptions are correct.
Often they are not.
The challenge is that most security metrics measure activity around security rather than security itself.
They tell us what we observed.
They rarely tell us what an attacker can actually achieve.
That gap between observation and reality is where many security programs fail.
Security Is a Measurement Science
Every mature engineering discipline eventually develops reliable measurement models.
Civil engineers calculate structural loads.
Manufacturers measure product quality.
Medicine uses diagnostics and laboratory evidence.
Cybersecurity remains heavily dependent on proxies.
The next phase of the industry will not be driven by collecting more data.
It will be driven by measuring reality more accurately.
That requires moving beyond isolated findings and toward:
- Attack paths
- Risk propagation
- Trust relationships
- Reachability analysis
- Dependency mapping
- Evidence-based risk assessment
Because security is not a list of vulnerabilities.
Security is not a compliance score.
Security is not a dashboard.
Security is an assessment of what an attacker can actually accomplish.
And until cybersecurity learns to measure that directly, organizations will continue to mistake visibility for understanding.
Conclusion
For years, cybersecurity has optimized its ability to observe systems.
The next challenge is learning how to measure them.
That distinction matters because attackers do not care how many findings exist.
They care whether those findings connect.
They do not care how many controls were implemented.
They care whether those controls stop them.
And they do not care what organizations believe about their security posture.
They care about reality.
Ultimately, security is not the number of vulnerabilities you find.
Security is the confidence you can justify with evidence.
Everything else is an assumption.