Distilled Security Podcast | Episode 16: When Metrics Mislead: Security Scoring, Board Gaps, and vGRC

Episode 16: When Metrics Mislead: Security Scoring, Board Gaps, and vGRC

September 8, 2025 / 01:53:57/E16

Episode 16: When Metrics Mislead: Security Scoring, Board Gaps, and vGRC

Episode 16 of the Distilled Security Podcast is here!

In this episode, Justin, Joe, and Rick christen the new studio and dive into some of the trickiest challenges in measuring, reporting, and governing security programs. From maturity models to board reporting, the conversation unpacks how scoring systems can mislead, how to communicate bad news effectively, and why boards need more than just “checkbox” cyber expertise.

The team also explores the rise of vGRC (Virtual GRC) services—what they are, how they differ from vCISO offerings, and when organizations should consider fractional models. And of course, no episode would be complete without a pour: this week, a rich Woodford Reserve Double Double Oaked bourbon.

Topics Covered

New Studio Upgrade: Behind-the-scenes on mics, cameras, and why the couch had to go.
Measuring to the Score: The dangers of chasing maturity numbers instead of real security outcomes.
Scoping, Rubrics & Auditor Whim: Why assessments are subjective and how leadership often misunderstands the results.
Cultural Incentives: How bonuses, compliance checkboxes, and “auditor shopping” distort security reporting.
Prepping for New Tools: Setting expectations with leadership when visibility spikes after deploying monitoring or vulnerability tools.
Boards and Cybersecurity Expertise: Should cyber knowledge be mandated at the board level—or does it risk creating the illusion of safety?
Virtual GRC vs. vCISO: What fractional GRC services really deliver, how they differ from vCISO roles, and why naming clarity matters.
Bourbon Review: Woodford Reserve Double Double Oaked — syrupy, smooth, and perfect for a holiday pour.