Almost daily, headlines highlight organizations falling victim to data breaches, ransomware attacks, or large-scale encryption of critical data. Threat actors are increasingly publicly showcasing their exploits and naming their latest victims in prominent extortion campaigns. This behavior is not only designed to pressure organizations into paying hefty ransoms but also to undermine their reputations and instill fear across industries. The rapid evolution of these threats underscores the importance of proactive cybersecurity strategies and robust incident response planning to mitigate the ever-present risk of compromise.

OpenCTI image containing intelligence where ransomware adversaries have been successful. For legal reasons, the names have been removed. Source: ransomware.live

Even if a ransomware attack has not directly impacted your organization, maintaining vigilant monitoring of this threat category remains critical to any comprehensive cybersecurity strategy. Ransomware’s dynamic and rapidly evolving nature demands continuous attention as adversaries frequently develop and deploy new techniques, tactics, and procedures.

The lifecycle of a ransomware threat is notably short, often characterized by rapid innovation that can render traditional defenses obsolete. As illustrated in the accompanying image, staying informed about the latest developments in ransomware allows security teams to anticipate emerging trends, adapt defensive measures proactively, and ensure organizational resilience against this persistent and growing threat.

Evolution of ransomware

Clearly, something is breaking down in the chain of cybersecurity defenses, as evidenced by the continued success of ransomware attacks.


The anatomy of a ransomware attack

When examining the lifecycle of these attacks, it becomes evident that the initial stage—establishing a foothold—is often where the compromise begins. This foothold is typically gained through one of several entry vectors, such as a carefully crafted (spear)phishing email designed to deceive even the most vigilant users, a visit to a malicious or compromised website, exploitation of a software vulnerability left unpatched, or even something as seemingly innocuous as an infected USB device.

These methods highlight a breakdown in user awareness, perimeter defenses, vulnerability management, and endpoint security. Addressing these gaps requires implementing robust technical controls and fostering a culture of cybersecurity awareness and continuous improvement across the organization. Without such measures, threat actors will continue to exploit these weaknesses, turning initial footholds into devastating ransomware incidents.

Fortunately, robust security controls exist to mitigate most of these initial attack vectors, providing organizations with the tools to significantly reduce the risk of compromise. For example, advanced email security solutions can detect and block phishing and spear-phishing attempts before they reach end users. At the same time, secure web gateways and DNS filtering can prevent access to malicious websites.

Regular and comprehensive patch management processes address software vulnerabilities, closing exploitable gaps before threat actors can exploit them. Endpoint detection and response (EDR/XDR) tools, combined with USB device control policies, can further mitigate the risk of removable media.

Moreover, multi-layered defenses such as zero-trust architecture, network segmentation, and enhanced identity management (including multi-factor authentication) act as critical safeguards, reducing the likelihood of a threat actor successfully establishing a foothold.

Given the wide array of advanced security controls designed to detect and block these attack vectors, the critical question becomes: Why are threat actors still achieving such alarming success rates with ransomware attacks? This disconnect between available defenses and effective protection can often be attributed to a combination of factors, including gaps in implementation, misaligned priorities, and adversaries’ adaptive strategies.

Many organizations face challenges in fully deploying, integrating, and optimizing security controls across their environments. Inconsistent configurations, lack of visibility into the attack surface, and insufficient resources for continuous monitoring and response often create exploitable gaps. Additionally, threat actors are adept at identifying and exploiting weak links, such as undertrained employees, unpatched systems, or overlooked assets.

Furthermore, the relentless evolution of ransomware tactics plays a significant role in adversaries’ success. Threat actors continuously refine their approaches, leveraging novel techniques such as double extortion (combining data encryption with public exposure threats), supply chain attacks, and increasingly sophisticated phishing campaigns. They often use advanced evasion techniques to bypass traditional defenses while exploiting human error or complacency within an organization.


KRI vs KPI - What's the difference?

When reflecting on the effectiveness of our cybersecurity posture, the concepts of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) immediately come to mind as essential tools for measurement and analysis. The saying, “You can’t manage what you don’t measure,” is particularly relevant in cybersecurity, where visibility into the implementation and effectiveness of security controls is critical to identifying and addressing weaknesses.

I deliberately emphasize the distinction between KPIs and KRIs because both serve distinct yet complementary purposes. KPIs are valuable for tracking the implementation and operationalization of security controls, answering questions such as: “Has the security control been deployed across the entire intended scope?” They help assess whether controls are in place as planned but provide little insight into their true effectiveness or risk mitigation impact.

To gain that deeper understanding, I rely on KRIs, which provide a more granular and meaningful assessment of how security controls perform in real-world conditions. KRIs address critical questions that go beyond deployment, such as:

  • “Is the security control active and fully operational across the entire scope where it has been installed?”
  • “Is the security control configured to operate in blocking mode rather than simply monitoring or logging?”
  • “Are all events generated by the security control being forwarded to a central console for correlation and analysis, enabling a timely response to potential threats?”

These KRIs provide insights into the presence of control and its operational value and effectiveness in reducing risk. By continuously monitoring and analyzing these metrics, we can identify gaps in coverage, misconfigurations, or operational inefficiencies. This enables us to take targeted actions to address these issues before they evolve into vulnerabilities that adversaries can exploit.

Ultimately, using KPIs and KRIs in tandem ensures that we maintain a comprehensive and balanced perspective—measuring our security controls’ deployment and real-world impact. This approach strengthens our ability to detect and mitigate threats and aligns our cybersecurity strategy with business objectives by focusing on meaningful outcomes rather than mere compliance.

Once the KPIs and KRIs have been defined and prioritized for monitoring, the next critical consideration is the frequency of measurement and reporting. Determining the appropriate interval is essential to ensure timely visibility into the performance and effectiveness of security controls. Measuring and acting on these metrics in near real-time is a competitive advantage in the face of rapidly evolving threats.

Automation is pivotal in achieving efficiency and consistency in this process. Organizations can eliminate manual errors, reduce resource constraints, and increase reporting frequency by automating the collection and analysis of KPI and KRI data. Automation enables more frequent—and even continuous—monitoring, which is especially important in a cybersecurity landscape where risk conditions can change daily, if not hourly.

Ideally, weekly reporting should serve as the baseline for operational oversight, particularly for high-priority controls and critical metrics. Weekly intervals strike a balance between timeliness and practicality, allowing security teams to:

  • Detect trends: Spot emerging patterns and anomalies that could signal potential issues.
  • Drive accountability: Ensure regular performance checks and facilitate prompt corrective actions.
  • Maintain agility: Adapt quickly to changing conditions, reducing the window of opportunity for adversaries.

For some high-risk areas, near-real-time or daily monitoring may be warranted. For example, KRIs related to threat detection or the functionality of critical incident response mechanisms should be monitored as continuously as possible to ensure rapid response to emerging threats.

While weekly reporting is ideal for most KPIs and KRIs, pairing this cadence with exception-based alerts is essential. Automation tools can trigger alerts whenever predefined thresholds are breached, ensuring that critical deviations are addressed immediately rather than waiting for the next reporting cycle.

Finally, effective reporting is about frequency, clarity, and actionability. Weekly KPI and KRI reports should be concise, focusing on deviations, trends, and actionable insights. This enables stakeholders—from operational teams to executive leadership—to quickly assess the security posture and make informed decisions. Organizations can foster a proactive, data-driven approach to risk management and security operations by automating measurements and maintaining a disciplined reporting cadence.

When automation is not feasible, it becomes critical to remain vigilant against the temptation to green-wash KPIs and KRIs, mainly when these metrics are destined for presentation to C-level executives. While no one enjoys reporting unfavorable numbers, presenting an overly optimistic or sanitized version of security performance metrics can have devastating consequences. This practice undermines the integrity of reporting and obscures critical vulnerabilities, often serving as the hidden root cause of successful ransomware attacks or other significant breaches.

Green-washed KPIs and KRIs, which inaccurately portray performance as better than it truly is, create a false sense of security for decision-makers. This can lead to:

  • Misguided resource allocation: If executives believe that security controls are fully adequate based on misleading metrics, they may prioritize other initiatives, leaving critical gaps unaddressed.
  • Delayed response to weaknesses: Real issues—such as incomplete deployment of security controls, inadequate configurations, or lack of coverage—may go unnoticed until exploited by adversaries.
  • Erosion of trust: Once a breach occurs and the reality of the situation becomes clear, the credibility of the reporting structure and the security team may be called into question.

When green-washing occurs, it often stems from a combination of cultural and procedural weaknesses:

  1. Fear of accountability: Teams may fear the repercussions of reporting poor performance metrics, especially if the organization lacks a culture of transparency.
  2. Overemphasis on appearances: In some cases, there may be implicit or explicit pressure to show positive results, regardless of actual performance.
  3. Lack of verification: Manual reporting is more prone to human error or bias without automated or external validation.

To mitigate the risk of green-washed metrics and promote accurate reporting, organizations must:

  1. Establish psychological safety: Encourage a culture where reporting unfavorable metrics is acceptable and seen as an opportunity to improve. Leaders should emphasize that uncovering and addressing weaknesses is critical to long-term success.
  2. Promote integrity in reporting: Communicate that the accuracy of metrics—whether positive or negative—is more important than projecting a perfect image.
  3. Implement validation mechanisms: When automation is unavailable, ensure manual reporting processes are subject to rigorous peer review and cross-functional validation.
  4. Focus on actionable insights: When poor metrics are reported, shift the conversation toward solutions rather than blame. For instance, if a KRI reveals that security control is not in blocking mode across its scope, focus on how to address the gap and allocate resources effectively.

When presenting to C-level management, providing a balanced view is vital. Highlight both successes and areas of concern, supported by actionable recommendations. Executives value honesty, especially with a clear plan to address identified risks. For example:

  • If a KPI indicates 98% deployment of security control, acknowledge the remaining 2% as a risk and outline steps to close the gap.
  • If a KRI highlights a control’s failure to detect threats in specific scenarios, emphasize what is being done to address this limitation.

By fostering a culture of data integrity and transparency, organizations can avoid the pitfalls of greenwashing and ensure that leadership has a realistic understanding of the organization’s security posture. This honesty is not a weakness but a strength that enables proactive decision-making and builds resilience against threats like ransomware.

In addition to tracking KPIs and KRIs regularly, it is critical to establish target values that define when a security control is delivering its intended value. These targets provide a clear benchmark for performance, enabling organizations to measure implementation and the effectiveness and maturity of their security controls. Without such targets, assessing whether a security control is truly mitigating risk as designed or merely operating below its potential is impossible.

The true value of security control is realized when it consistently operates at a level that ensures it fulfills its intended purpose, effectively reducing risk and preventing threats. For example, I propose that this benchmark is achieved when the average of all KPIs and KRIs tied to a specific security control exceeds 98% for a sustained period of at least three months.

This extended timeframe is crucial because it demonstrates the following:

  • Sustainability: The control is momentarily effective and remains robust over time.
  • Resilience: The control performs consistently even as the environment changes or new threats emerge.
  • Operational maturity: The supporting processes, configurations, and monitoring mechanisms are well-established and functioning reliably.

Reaching and maintaining the 98% threshold is undeniably challenging, particularly in highly dynamic environments characterized by rapid technological changes, frequent updates, and evolving threat landscapes. Several factors contribute to this difficulty:

  1. Environmental Complexity: Modern infrastructures often span on-premises, cloud, and hybrid environments, making consistent control deployment and monitoring more challenging.
  2. Human Factors: User behavior, misconfigurations, and operational errors can introduce variability, undermining control effectiveness.
  3. Adversary Adaptation: Threat actors constantly innovate, finding new ways to bypass even the most advanced security measures.
  4. Resource Constraints: Limited budgets, staffing, or expertise can hinder efforts to optimize and sustain security controls at such high-performance levels.

To address these challenges and work toward achieving the 98% benchmark, organizations should adopt a structured and strategic approach:

  1. Automation: Automate as much of the control implementation, monitoring, and reporting as possible to reduce human error and ensure consistency.
  2. Regular Testing and Validation: Perform routine testing, such as penetration tests, red team exercises, and control validation, to verify the effectiveness of controls against real-world threats.
  3. Continuous Improvement: Use the insights gained from KPIs and KRIs to drive iterative improvements. For example, identify and resolve recurring issues that prevent controls from achieving optimal performance.
  4. Threat Intelligence Integration: Align controls with the latest threat intelligence to ensure they remain effective against current adversary tactics, techniques, and procedures (TTPs).
  5. Collaboration Across Teams: Foster collaboration between security, IT, and operations teams to ensure controls are adequately implemented, configured, and maintained across all environments.

When communicating progress toward these targets, it is essential to:

  • Provide context: Explain the challenges of maintaining the 98% threshold in a dynamic environment and highlight efforts to overcome these obstacles.
  • Show incremental progress: Even if the target has not been fully achieved, demonstrate improvements over time to reinforce that the organization is moving in the right direction.
  • Emphasize the bigger picture: Link the performance of security controls to overall risk reduction and alignment with business objectives.

Achieving and sustaining a high level of performance for security controls is a demanding but necessary goal. By defining clear target values, organizations can focus their efforts, prioritize resources, and drive meaningful improvements in their security posture, ultimately enhancing their resilience against advanced threats.


A network diagram

Even when the established threshold is reached—such as maintaining a 98% average for KPIs and KRIs over three consecutive months—I consistently focus on further reducing the organization’s overall risk level. Reaching a target is not the journey’s end but rather an opportunity to refine and enhance our defenses. Cybersecurity is a dynamic field, and adversaries are continuously innovating, making it imperative to remain proactive rather than complacent.

This is also the critical moment when I revisit the network diagram and conduct a strategic assessment, asking, “What is the likeliest entry point or vector from which a threat actor would initiate an attack?” This question is not merely theoretical; it drives practical actions and decisions that substantially enhance the organization’s resilience against future threats.

To identify the most probable entry points, I evaluate the network with the mindset of an adversary, considering several key factors:

  1. High-Risk Entry Points:
    • Endpoints and User Devices: Laptops, desktops, and mobile devices are prime targets due to their exposure to phishing attacks, malware, and credential theft.
    • Third-Party Access: Supply chain partners and vendors often introduce vulnerabilities that adversaries can exploit.
    • Legacy Systems: Older systems with unpatched vulnerabilities or unsupported software present an easy target.
    • Perimeter Weaknesses: Firewalls, VPN gateways, and externally exposed services can be exploited if not properly configured and hardened.
  2. Lateral Movement Opportunities:
    • Flat Networks: Poorly segmented networks allow threat actors to move freely once inside.
    • Privilege Escalation Paths: Misconfigured accounts or excessive permissions create opportunities for adversaries to gain administrative control.
  3. Critical Data and Assets:
    • Adversaries often focus on systems that store sensitive data or critical intellectual property and operational systems that, if disrupted, would cause significant business impact.

Once these potential entry points and attack paths are identified, I strategize how to reduce risk levels further and harden the environment:

  1. Network Segmentation: Implement micro-segmentation to limit lateral movement, such as isolating critical systems, sensitive data repositories, and privileged access infrastructure.
  2. Zero Trust Architecture: Transition to a zero trust model where all access is continuously verified, and no user or device is implicitly trusted, regardless of location.
  3. Proactive Threat Hunting: Empower the security team to actively search for indicators of compromise or suspicious activity within the environment, even without alerts.
  4. Enhanced Monitoring and Logging: Ensure all potential attack vectors are monitored and logs are centralized for real-time analysis. This includes endpoints, network traffic, cloud environments, and privileged accounts.
  5. Continuous User Awareness Training: Social engineering can bypass even the most sophisticated controls. Regular training programs can help reduce the risk of human error.

At this stage, incorporating Cyber Threat Intelligence is essential. Understanding the tactics, techniques, and procedures of the most relevant threat actors targeting your industry or organization can help refine defenses. For example:

  • If ransomware groups actively exploit remote desktop protocol (RDP) weaknesses, ensuring RDP is disabled or secured with multi-factor authentication becomes a priority.
  • If phishing remains a prevalent entry point, focus on advanced email security controls and simulated phishing exercises to test user awareness.

Visualizing the network and conducting red team exercises are critical at this point. By simulating potential attack scenarios, security teams can:

  • Validate the effectiveness of existing controls.
  • Identify unexpected attack paths or vulnerabilities.
  • Gain insights into how adversaries might navigate the environment.

When presenting these risk-reduction strategies to stakeholders, particularly at the C-level, it’s important to frame them as proactive measures that align with the organization’s broader risk management goals. Emphasize:

  • ROI on Security Investments: How continuous improvement builds on existing investments to maximize their value.
  • Risk Reduction Impact: The quantifiable and qualitative benefits of addressing specific attack vectors.
  • Strategic Alignment: How these initiatives support operational resilience, regulatory compliance, and business continuity.

In cybersecurity, reaching a threshold is not a destination but a milestone. By continuously assessing and addressing likely attack vectors, organizations can stay ahead of adversaries, reduce risk profiles, and build a robust, forward-looking security posture.