Case Study 1: Meridian's First Board Metrics Deck

"The board doesn't want to know how hard we worked. They want to know whether they can sleep." — Dana Okafor, CISO, Meridian Regional Bank (constructed)

Executive Summary

For eighteen months, Meridian Regional Bank's security program has been maturing — one component per chapter of this book, from a blank risk register to a SOC with detection coverage, an identity program, and a compliance map. Now CISO Dana Okafor faces a different kind of test: she has been given thirty minutes on the agenda of the board's Audit Committee to report on the state of information-security risk, and she has to do it as a story the board can govern by, not a list of what her team built. This case study follows Dana, GRC analyst Elena Vasquez, SOC manager Marcus Reyes, and junior analyst Theo Brandt as they design, pressure-test, and deliver Meridian's first board metrics deck. You will watch the chapter's ideas become a working governance instrument: the difference between data exhaust and a metric, the roll-up from operational to executive, MTTD/MTTR and coverage computed from real incidents, a maturity trajectory, and — hardest of all — the discipline of saying less, telling the truth, and framing everything as risk to the business. The scenario and all figures are constructed for teaching (Tier 3).

Skills applied: metric selection (useful vs. vanity); rolling operational metrics up to an executive view; computing MTTD/MTTR and coverage; placing a program on a maturity model; building a risk-vs-appetite and risk-burn-down narrative; benchmarking honestly; designing a one-screen board scorecard; anticipating and surviving board questions; the ethics of measurement as testimony.

Background

Meridian's board has an Audit Committee of five directors: a retired bank CFO who chairs it, a sitting CEO of a manufacturing firm, a securities lawyer, a former community-bank president, and — added last year, after a competitor's breach made the news — a technology executive who is the only member who has ever heard of MITRE ATT&CK. They meet quarterly. They are personally accountable, as directors, for the bank's risk oversight, and recent regulatory attention to cyber governance has made several of them acutely aware that "we were never told" is no longer a defense. They are smart, busy, and fluent in exactly one dialect: business risk, expressed in money and consequence.

Until now, Meridian's "security reporting" to the board had been a once-a-year appearance by the CIO with a slide that said, in effect, we take security seriously and have not had a major breach. That is not governance; it is reassurance theater, and the new technology director had said so out loud at the last meeting. So the chair did something unusual: he invited the CISO herself to present, quarterly, starting now. Dana had asked for exactly this for two years. Now she had it, and the first deck would set the template — and her credibility — for years.

Dana convened the team with a one-line brief that became the project's governing constraint:

"Five numbers the board can act on. Each answers one of their questions. Each is defensible three layers down. Everything else goes in the appendix. We are not going to impress them — we are going to inform them, and we are going to tell the truth even where it's uncomfortable."

Theo, who eighteen months ago could barely read a SIEM query, was assigned the job of pulling clean operational data. Marcus owned the SOC numbers that would roll up. Elena owned the risk-versus-appetite framing, since she maintained the register and had sat in on the board's appetite discussion. Dana owned the narrative and the room.

The Analysis

Phase 1 — Killing the vanity metrics

The team's first draft, assembled bottom-up from "what data do we have," was a disaster of exactly the predictable kind. Theo, eager and thorough, produced a slide with seventeen numbers on it. Marcus added four more from the SOC console. The draft led with the firewall's "11.4 million blocked connection attempts this quarter," because it was the biggest, most impressive number available and it had felt, when he pasted it in, like proof of work.

Dana looked at the draft for a long moment and asked the question that reorganizes every metrics conversation: "For each of these, tell me — if the number doubled, what would the board do differently?"

They went down the list. Eleven-point-four million blocked attempts? Nothing — the firewall blocks automatically; the number is unbounded; there is no version of "that's too high" or "that's good." Total SIEM alerts (1.2 million)? Nothing — more alerts could mean better coverage or worse tuning; the board cannot tell and cannot act. Emails quarantined (840,000)? Nothing. Antivirus signatures updated? Patches applied (6,200)? Awareness emails sent? One by one, the activity numbers failed the test. They were data exhaust — real, large, automatic, and decision-irrelevant.

🚪 Threshold Concept: The team's instinct — lead with the biggest, most flattering number — is exactly backwards. A metric earns its place on a board slide only by being load-bearing: remove it, and some decision the board must make gets worse. "Blocked attempts" is removable with zero loss to governance, which is the definition of noise. The hardest discipline in metrics is not finding numbers; it is deleting the impressive ones that mean nothing, until only the few that matter remain.

What survived the cull were the numbers that changed a decision: where risk sat against the board's appetite, whether the program was getting better, what the investment had bought, and how fast the team detected and contained the attacks that did land. Five blocks of signal, pulled out of twenty-one numbers of noise. Theo, slightly deflated that his seventeen-number slide had been gutted, learned the lesson that would define his career trajectory toward leadership: the value you add is in selection, not collection.

Phase 2 — Rolling operations up to the boardroom

The surviving metrics still lived in the wrong language. Marcus's draft of the response section read: "MTTR malware 0.5h, MTTR phishing 1.0h, MTTR insider 2.0h, MTTR data-egress 24h; MTTD distribution [0.5, 1.0, 2.4, 18.0]; SIEM rule efficacy 78%; per-technique ATT&CK coverage 61%." All true. All operational. All wrong for a board, which would either glaze over or — worse — fixate on the wrong number and ask an unanswerable question.

The team practiced the roll-up explicitly, layer by layer, using the metrics pyramid from §36.2. Theo pulled the per-incident timestamps from the ticketing system — the operational layer, one row per incident. Marcus aggregated them into the quarter's MTTD and MTTR with the median noted — the management layer. And Dana compressed that into a single executive sentence: "We now detect and contain serious incidents in hours, not days — with one exception this quarter that I'll flag." Same truth, three altitudes.

Here is the operational data Theo extracted (the four notable incidents of the quarter; constructed):

incident          began        detected     contained    MTTD    MTTR(contain)
phishing/creds    Mar03 09:00  Mar03 11:24  Mar03 12:24  2.4 h   1.0 h
malware/endpoint  Mar11 14:10  Mar11 14:40  Mar11 15:10  0.5 h   0.5 h
data egress       Mar19 22:00  Mar20 16:00  Mar21 16:00  18.0 h  24.0 h
admin login       Mar28 03:30  Mar28 04:30  Mar28 06:30  1.0 h   2.0 h

Marcus computed the quarter's figures:

$$\text{MTTD} = \frac{2.4 + 0.5 + 18.0 + 1.0}{4} = 5.475 \approx 5.5 \text{ h}, \quad \text{median} = \frac{1.0 + 2.4}{2} = 1.7 \text{ h}$$

$$\text{MTTR} = \frac{1.0 + 0.5 + 24.0 + 2.0}{4} = 6.875 \approx 6.9 \text{ h}$$

🛡️ Defender's Lens: Notice the data-egress incident dominating both means single-handedly — 18 hours to detect, 24 to contain, a 42-hour total window of opportunity for the attacker. The team's first instinct was to exclude it ("it's an outlier, it makes us look bad"). Dana refused: "That 42-hour window is the single most important fact in the response section, because it's where we're weakest and where the next breach most likely comes from. We don't hide it — we lead the operational appendix with it, and we put the median on the board slide so the headline is honest both ways." Excluding the ugly incident would have made the metric a vanity metric — and would have left the board ungoverned over the bank's real exposure.

The coverage section got the same treatment. Theo's raw inventory query returned counts; the team turned each into a coverage percentage with an explicit, defensible denominator:

Control                      In-scope total   Protected   Coverage   Board framing
EDR on servers                          220         209      95.0%   "near-complete on critical systems"
MFA on privileged accounts               48          48     100.0%   "every admin path requires phishing-resistant MFA"
Critical-system logging                  60          51      85.0%   "9 blind spots remain — closing them is a priority"

Elena flagged the denominator risk before anyone could be smug about the 100% MFA figure: "That's 100% of the 48 admin accounts we know about. If internal audit finds three we missed, that number is a lie we told the board. Let's footnote it: '100% of inventoried privileged accounts; identity-governance review ongoing.'" That single honest footnote, she argued, was worth more than the clean number, because it would protect Dana's credibility if a forgotten account surfaced later.
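The roll-up the team practiced (one row per incident at the operational layer, mean and median at the management layer, one sentence at the executive layer) and the coverage table with its explicit denominators can both be computed mechanically. The following script is an added example, not code from the case study or from Meridian; the incident timestamps reuse the four incidents above with a constructed year added so they parse, the coverage rows reuse the three controls above, and the outlier rule (an incident counts as an outlier when its time to detect exceeds three times the median) is an assumption of this example rather than a rule the chapter states.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median

# Operational layer: one row per incident, as pulled from ticketing.
# Constructed data: the case study's Mar03 09:00-style values with a year added.
INCIDENT_ROWS = [
    # (incident, began, detected, contained)
    ("phishing/creds",   "2025-03-03 09:00", "2025-03-03 11:24", "2025-03-03 12:24"),
    ("malware/endpoint", "2025-03-11 14:10", "2025-03-11 14:40", "2025-03-11 15:10"),
    ("data egress",      "2025-03-19 22:00", "2025-03-20 16:00", "2025-03-21 16:00"),
    ("admin login",      "2025-03-28 03:30", "2025-03-28 04:30", "2025-03-28 06:30"),
]

# Coverage inputs, constructed: (control, in-scope total, protected, caveat or None).
COVERAGE_ROWS = [
    ("EDR on servers",             220, 209, None),
    ("MFA on privileged accounts",  48,  48,
     "100% of inventoried privileged accounts; identity-governance review ongoing"),
    ("Critical-system logging",     60,  51, None),
]


@dataclass(frozen=True)
class Incident:
    name: str
    began: datetime
    detected: datetime
    contained: datetime

    @property
    def mttd_hours(self) -> float:
        """Time to detect: began -> detected."""
        return (self.detected - self.began).total_seconds() / 3600

    @property
    def mttr_hours(self) -> float:
        """Time to contain: detected -> contained (the deck's MTTR(contain))."""
        return (self.contained - self.detected).total_seconds() / 3600


def parse_incidents(rows):
    incidents = []
    for name, began, detected, contained in rows:
        inc = Incident(name, *(datetime.fromisoformat(t) for t in (began, detected, contained)))
        if not inc.began <= inc.detected <= inc.contained:
            raise ValueError(f"{name}: timestamps out of order")  # bad data never reaches the board
        incidents.append(inc)
    return incidents


def roll_up_response(incidents, outlier_factor=3.0):
    """Management layer: quarter mean and median, with the outliers named, not dropped.
    The outlier rule (time to detect > outlier_factor x median) is this example's assumption."""
    mttd = [i.mttd_hours for i in incidents]
    mttr = [i.mttr_hours for i in incidents]
    med = median(mttd)
    return {
        "mttd_mean": mean(mttd), "mttd_median": med,
        "mttr_mean": mean(mttr), "mttr_median": median(mttr),
        "outliers": [i.name for i in incidents if i.mttd_hours > outlier_factor * med],
    }


def coverage(rows):
    """Each control as a percentage, with the denominator kept visible and sanity-checked."""
    out = []
    for control, in_scope, protected, caveat in rows:
        if in_scope <= 0 or protected > in_scope:
            raise ValueError(f"{control}: denominator problem ({protected}/{in_scope})")
        out.append({"control": control, "in_scope": in_scope, "protected": protected,
                    "pct": round(100.0 * protected / in_scope, 1), "caveat": caveat})
    return out


def executive_sentence(rollup):
    """Executive layer: one sentence, the exception flagged rather than hidden."""
    n = len(rollup["outliers"])
    flag = f"; with {n} exception{'s' if n != 1 else ''} this quarter that I'll flag" if n else ""
    return (f"We now detect and contain serious incidents in hours, not days "
            f"(median time to detect {rollup['mttd_median']:.1f} h){flag}.")


if __name__ == "__main__":
    r = roll_up_response(parse_incidents(INCIDENT_ROWS))
    print(f"MTTD {r['mttd_mean']:.1f} h (median {r['mttd_median']:.1f} h); "
          f"MTTR {r['mttr_mean']:.1f} h; outliers: {r['outliers']}")
    for c in coverage(COVERAGE_ROWS):
        note = f"  [{c['caveat']}]" if c["caveat"] else ""
        print(f"{c['control']:<28}{c['protected']:>4}/{c['in_scope']:<4}{c['pct']:>6.1f}%{note}")
    print(executive_sentence(r))
```

Run as-is it reproduces the quarter's figures (MTTD 5.5 h, median 1.7 h, MTTR 6.9 h) and names the data-egress incident as the outlier; the coverage function refuses a row whose protected count exceeds its denominator, which is the kind of inventory error Elena's footnote guards against.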

Phase 3 — The maturity trajectory and the risk story

Point-in-time metrics answered "where are we now?" The board, governing over years, would also want "are we on a journey?" Elena had run a maturity self-assessment against a five-level scale, domain by domain, and — crucially — had it reviewed by internal audit so the scores were defensible rather than wishful.

Domain                         Last year   Now   Target (24 mo)
Identity & Access Management         1.9   2.4   3.0
Security Operations                  2.0   2.6   3.2
Vulnerability Management             2.2   2.7   3.0
Governance & Risk                    2.3   2.8   3.2
Third-Party Risk                     1.5   2.0   2.8
Overall (weighted)                   2.0   2.5   3.0

"This is the slide that funds us," Dana said. "It tells three stories in one glance: everything is improving, third-party risk is our laggard and therefore our priority, and we have a concrete target the board can hold us to. A board doesn't fund 'security' — it funds getting from 2.5 to 3.0, and it funds closing the gap on the worst domain." Elena added the discipline note: every score was tied to evidence ("to claim Level 3 in SecOps we needed documented playbooks and a tuned SIEM — here's the artifact list"), and the figure was presented as "about 2.5," never "2.51," to avoid the false precision that would invite a skeptical director to poke at decimals that did not mean anything.

Then Elena built the heart of the risk story: the top five enterprise security risks from the Chapter 27 register, each plotted against the board's own appetite threshold, with a trend arrow, and a four-quarter risk burn-down showing the count of risks-above-appetite falling from 8 to 5 to 3 to 1 as treatments completed.

RISK vs. APPETITE (Q1 FY25)                      RISK BURN-DOWN (risks above appetite)
Credential / account takeover     ●──▼  within     8 ▓▓▓▓▓▓▓▓
Customer-data exposure            ●──▼  within     5 ▓▓▓▓▓
Ransomware / availability         ●──▼  within     3 ▓▓▓
Insider / privilege misuse        ●──►  within     1 ▓
Third-party / supply chain        ●──▲  ABOVE  ⚠   0 ┄┄┄ target
  ● current  ▲▼► trend  within/ABOVE vs. appetite  Q2  Q3  Q4  Q1

Figure CS1.1 — Meridian's risk-vs-appetite panel and burn-down. Four of five top risks sit within the board's appetite and are trending down; third-party risk is above appetite and rising — the one amber on an otherwise green board. The burn-down line sloping toward zero is the single most persuasive governance visual: it says "we are systematically reducing exposure to the level you told us to accept, and here is how fast."
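The panel and burn-down above are a rendering of the register, not a separate data set, so they can be generated from quarterly register snapshots. The script below is an added example, not the case study's or Meridian's own tooling; the register scores (likelihood x impact on 1-5 scales), the single enterprise appetite threshold of 12, and the three extra register entries beyond the top five are constructed so that the counts reproduce the 8 / 5 / 3 / 1 burn-down and the trend arrows of Figure CS1.1.

```python
# Constructed register snapshots: quarter -> {risk: score}, score = likelihood x impact (max 25).
# The board's appetite is modelled as one enterprise threshold (assumption of this example):
# a score strictly above APPETITE is "ABOVE appetite".
APPETITE = 12

RISKS = ["Credential / account takeover", "Customer-data exposure", "Ransomware / availability",
         "Insider / privilege misuse", "Third-party / supply chain", "Legacy application",
         "Phishing of staff", "DDoS on online banking"]

SNAPSHOTS = [
    ("Q2", dict(zip(RISKS, [20, 16, 20, 15, 15, 16, 20, 15]))),
    ("Q3", dict(zip(RISKS, [16, 16, 15, 12, 15, 15,  9, 10]))),
    ("Q4", dict(zip(RISKS, [12, 15, 15, 12, 15,  9,  6, 10]))),
    ("Q1", dict(zip(RISKS, [ 8,  9, 10, 12, 16,  6,  6,  8]))),
]
TOP_FIVE = RISKS[:5]  # the board sees the top five; the rest stay in the appendix


def status(score, appetite=APPETITE):
    return "ABOVE" if score > appetite else "within"


def trend(prev, cur):
    """Trend arrow, latest quarter vs prior: rising, falling, or flat."""
    return "▲" if cur > prev else "▼" if cur < prev else "►"


def risk_panel(snapshots, risks, appetite=APPETITE):
    """Board panel rows for the named risks from the last two snapshots."""
    (_, prev), (_, cur) = snapshots[-2], snapshots[-1]
    return [{"risk": r, "score": cur[r], "status": status(cur[r], appetite),
             "trend": trend(prev[r], cur[r])} for r in risks]


def burn_down(snapshots, appetite=APPETITE):
    """Count of register entries above appetite, per quarter, over the whole register."""
    return [(q, sum(1 for s in scores.values() if s > appetite)) for q, scores in snapshots]


def headline(panel):
    """The one-line conclusion the panel supports, with the exception named."""
    above = [p["risk"] for p in panel if p["status"] == "ABOVE"]
    text = f"Risk within appetite on {len(panel) - len(above)} of {len(panel)} dimensions"
    return text + (f"; watch: {', '.join(above)}." if above else ".")


def render(panel, bd):
    """Plain-text panel in the style of Figure CS1.1; returns the string."""
    lines = [f"{'RISK vs. APPETITE':<34}{'BURN-DOWN (risks above appetite)'}"]
    for p, (q, n) in zip(panel, bd + [("tgt", 0)]):
        flag = " ⚠" if p["status"] == "ABOVE" else ""
        lines.append(f"{p['risk']:<30}●──{p['trend']}  {p['status']:<6}{flag:<3} {q:>3} {n:>2} {'▓' * n}")
    return "\n".join(lines)


if __name__ == "__main__":
    panel = risk_panel(SNAPSHOTS, TOP_FIVE)
    bd = burn_down(SNAPSHOTS)
    print(render(panel, bd))
    print(headline(panel))
```

The design point is that the burn-down counts the whole register while the panel shows only the top five: a risk that drops out of the top five because it was treated still shows up as the burn-down falling, and a risk climbing into it (third-party, here) produces both the amber on the panel and the flat tail on the burn-down, without any number being typed in by hand.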

🔗 Connection: Every slice of this deck traces back to a prior chapter's checkpoint. The risk-vs-appetite panel is the Chapter 27 register rendered for executives. The MTTD/MTTR data comes from the Chapter 21 SIEM and the Chapter 24 IR process. The coverage figures come from the Chapter 23 vulnerability program and the asset inventory begun in Chapter 1. The third-party gap is the Chapter 29 work, made visible. The metrics pack is not a new thing bolted on at the end — it is the reporting layer of the entire program, which is exactly why it is the rehearsal for the Chapter 38 capstone.

Phase 4 — Mapping spend to risk reduced (the money slide)

The board question Dana knew would decide next year's budget was the third — is the money working? — and it is the one most security teams answer worst, because they instinctively report spending as activity ("we deployed EDR, stood up the SIEM, ran the awareness program") rather than as risk bought down. A board does not fund tools; it funds the reduction of risks it is accountable for. So Elena and Dana built a slide that mapped last year's investment to the specific risks it moved, and next year's ask to the specific risk it would move next.

WHAT WE SPENT (last year)        →  WHAT IT BOUGHT (risk reduced)
Phishing-resistant MFA + IAM     →  Credential takeover: CRITICAL → within appetite ▼
SIEM + detection engineering     →  Undetected intrusion (dwell): risk down; MTTD 9h → 5.5h
Vuln-mgmt program + SLAs         →  Customer-data exposure: HIGH → within appetite ▼

WHAT WE'RE ASKING (next year)    →  WHAT IT BUYS (the last risk above the line)
Third-party risk program (TPRM)  →  Supply-chain risk: ABOVE appetite → within; burn-down → 0

Figure CS1.2 — The investment slide. Each dollar is tied not to a tool but to a named risk it reduced, and the ask is framed as "the last risk on the board coming inside the appetite line." This is the return-on-security-investment story a board can actually approve, because it answers "what did the money do to our exposure?" rather than "what did the money buy?"

🛡️ Defender's Lens: Watch the rhetorical move and steal it. The team never says "we want budget for a third-party risk tool." They say "there is exactly one risk still above the line you drew, here is what it would cost to bring it inside, and here is the burn-down hitting zero when we do." The ask is framed entirely in the board's own language — its appetite, its risks, its burn-down — so approving it feels like finishing a job the board already endorsed rather than spending money on something technical they don't understand. The single hardest budget conversation in security becomes easy when the metric does the arguing.

Dana added one honesty constraint that Elena initially resisted as too modest: the spend-to-risk mapping was presented as directional attribution, not precise causation. "We can't prove the MFA rollout alone moved credential risk from critical to within-appetite — other things changed too, and a board member who knows business cases will smell false precision if we claim a clean dollar-for-risk ratio." So the slide said "contributed to" rather than "caused," and the MTTD improvement (9h → 5.5h) was offered as concrete evidence the detection investment was real, without overclaiming a tidy formula. The restraint, Dana argued, was itself a credibility signal: a CISO who hedges the attributable claims is a CISO whose unhedged claims can be trusted.

Phase 5 — Assembling the one-screen scorecard

With the signal selected, rolled up, and framed, the team assembled the centerpiece: a single-screen executive scorecard, the abstraction layer of the metrics pyramid made concrete. Dana's rule held — five load-bearing blocks, each answering a board question, the median printed beside the mean to defuse the outlier, and exactly one honest amber flag.

┌──────────────────────────────────────────────────────────────────────────┐
│  MERIDIAN REGIONAL BANK — INFORMATION SECURITY: BOARD SCORECARD   Q1 FY25 │
│  Headline: Risk trending DOWN, within appetite on 4 of 5 dimensions.      │
├──────────────────────────────────────────────────────────────────────────┤
│  RISK vs. APPETITE (top 5)              │  MATURITY (overall, 1–5)         │
│  Credential / account takeover  ●──▼ OK │     2.0 ──► 2.5 ──► [3.0 tgt]    │
│  Customer-data exposure         ●──▼ OK │  ───────────────────────────────  │
│  Ransomware / availability      ●──▼ OK │  RISK BURN-DOWN (risks>appetite) │
│  Insider / privilege misuse     ●──► OK │   8 ▓▓▓▓ 5 ▓▓▓ 3 ▓▓ 1 ▓ → tgt 0 │
│  Third-party / supply chain     ●──▲ ⚠  │   Q2     Q3    Q4    Q1          │
├─────────────────────────────────────────┼──────────────────────────────────┤
│  RESPONSE (this qtr vs prior / peer)    │  COVERAGE (critical assets)      │
│  MTTD  5.5 h  (prior 9 h · peer ~8 h)   │  EDR on servers          95% ▓▓▓▓░│
│  MTTR  6.9 h  (prior 14 h · peer ~12 h) │  MFA on privileged accts¹ 100% ▓▓▓│
│  (median MTTD 1.7 h — one egress outlier)│  Critical-system logging  85% ▓▓▓░│
├──────────────────────────────────────────────────────────────────────────┤
│  ⚠ WATCH: Third-party risk above appetite. Plan funded; target Q3. Ask:$X.│
│  ¹ Of inventoried privileged accounts; identity-governance review ongoing.│
└──────────────────────────────────────────────────────────────────────────┘

Figure CS1.3 — The assembled board scorecard. One screen answers all four board questions: risk vs. appetite (exposed?), maturity + burn-down (improving?), spend-vs-risk in the ask line (money working?), and MTTD/MTTR/coverage with benchmarks (how do we compare?). The single amber and the honest footnote are what make the four greens believable.

Phase 6 — Surviving the room

The presentation itself is where decks live or die, and Dana had drilled the team on the rules of the conversation. She led with the answer: "Information-security risk at Meridian is trending down and now sits within the board's stated appetite on four of five dimensions. The exception is third-party risk, which is above appetite and rising; we have a funded plan and I'll walk you through it. The program's overall maturity has risen from 2.0 to 2.5 against a target of 3.0." One sentence, conclusion first, the bad news flagged immediately rather than buried.

Then the questions came, and the preparation paid off:

  • The technology director asked: "Your MTTD is 5.5 hours — is that good?" Dana answered with the comparison already on the slide — down from 9 last year, ahead of the ~8-hour peer benchmark (sourced honestly and labeled directional) — and pre-empted the outlier: "Most incidents under two hours; one data-egress case took eighteen, which is why our median is 1.7. Tightening egress detection is the top item in the operational plan, in the appendix."
  • The chair (retired CFO) asked: "You show four green and one amber. Is the amber really the only thing that worries you?" This was the war-story question, and Dana had learned its lesson. "Yes — and I want to be clear that an all-green report from a security team should worry a board, not reassure it. The third-party gap is real, I'm flagging it deliberately, and here is the plan and the ask." The honesty bought more trust than any green metric could have.
  • The securities lawyer asked: "How do we know maturity is really 2.5 and not optimistic?" Dana turned to the appendix, where each domain score was tied to an evidence list reviewed by internal audit. "It's a structured judgment, not a measurement, which is why I'm reporting 'about 2.5,' not a false decimal — but every score is evidenced and independently reviewed."
  • The former community-bank president asked the question that wins budgets: "What does the next dollar buy?" Dana pointed to the ask line: the funded third-party-risk plan would move that domain from 2.0 toward 2.8 and pull the last risk below appetite, taking the burn-down to zero. "You're not buying a tool. You're buying the last risk on this board coming inside the line you drew."

The committee approved the third-party-risk funding and asked Dana to return next quarter. More importantly, the chair said the sentence every CISO wants to hear: "This is the first time I've felt like I actually understood our security posture well enough to govern it." That sentence was the deck's real deliverable — not the approval, but the trust, which is the only currency that lets a security program keep getting the support it needs.

⚖️ Authorization & Ethics: Dana treated every number in the deck as testimony, because it was. The directors would rely on those figures to discharge a legal duty; auditors and regulators might later examine them. Inflating the maturity score, excluding the embarrassing egress incident, or quietly using the flattering MFA denominator without the footnote would not merely have been bad practice — it would have been misrepresenting the bank's risk to the people legally responsible for overseeing it. The honest amber, the median beside the mean, the denominator footnote, and the "about 2.5": these were not just good presentation. They were the integrity of measurement, on which the CISO's entire standing rests.

Discussion Questions

  1. The team's first draft led with "11.4 million blocked attempts." Why is that instinct so common, and what specific test did Dana use to dismantle it? Find one number in your own organization's reporting that would fail the same test.
  2. Dana insisted on keeping the data-egress outlier visible and printing the median beside the mean. Argue both sides: when does showing an outlier strengthen a report, and when (if ever) is aggregating it away defensible?
  3. The 100% MFA coverage figure got a footnote about the denominator. Was that footnote worth the loss of a clean "100%" headline? What does your answer reveal about the relationship between precision and credibility?
  4. The chair valued the honest amber more than the four greens. Explain, in terms of credibility as a spent-in-an-instant currency, why an all-green security deck is self-defeating in front of an experienced board.
  5. Every slice of the deck traced to a prior chapter's checkpoint. If you had to cut the deck from five metric blocks to three, which three would you keep for this board, and what would you lose?

Your Turn

Take an organization you know (or Meridian) and build a one-screen board scorecard from scratch, applying Dana's rule: five load-bearing blocks, each answering one of the four board questions (exposed? improving? money working? how do we compare?), each defensible three layers down. You must (a) start from the four questions and work backward to the metrics — not from the data you happen to have; (b) include at least one MTTD/MTTR or coverage figure you compute, with the median shown if an outlier distorts the mean; (c) include exactly one honest "watch" item; and (d) write the single-sentence headline the whole scorecard supports. Then write a paragraph predicting the three hardest questions a real board would ask, and how you would have the drill-down ready. Keep the scorecard to one screen — the discipline of fitting is the exercise.

Key Takeaways

  • A board deck is built by selection, not collection: the hardest and most valuable work is deleting the impressive vanity metrics until only the few load-bearing numbers remain. If the number doubled, what would the board do differently? is the test that does the cutting.
  • Operational metrics must be rolled up to the executive layer and re-expressed as risk — the same truth at the altitude the audience governs from. Per-incident timestamps become MTTD/MTTR become "we contain in hours, not days."
  • Show the outlier and the median; the ugly incident is usually the most important fact and the real improvement target. Aggregating it away turns a metric into a vanity metric and leaves the board ungoverned over the true exposure.
  • The denominator is everything for coverage, and an honest footnote about it is worth more than a clean headline number — because credibility, not precision, is what a board buys.
  • Maturity tells the multi-year story that funds the program; tie every score to evidence, have it reviewed, and report "about 2.5," never a false decimal.
  • Lead with the answer, tell the truth including the bad news, frame everything as risk and money, and keep it to a handful of numbers. An honest amber buys more trust than a wall of green — and trust is the only currency that keeps a program funded. This deck is the rehearsal for the Chapter 38 capstone.