§ 1“How many vulnerabilities did the scanner find” is not a metric; it is a weather report. It goes up when you scan more, down when you scan less, and tells the board nothing about whether the organisation is safer than last quarter.

Four numbers survive contact with a board meeting. Declared-assistance rate: what fraction of merged code carries the assistant trailer — if it’s implausibly low, your policy is being routed around. Review latency for declared code: the honesty incentive, measured. Escape rate: security defects found post-merge in declared vs. undeclared code. Time-to-revert: when something does get through, how fast it comes back out.

Retire the vanity numbers

Findings-per-scan, coverage percentages, tool counts — retire them all. Each one rewards activity over outcome, and a sceptical board member can dismantle any of them in one question.

— C.D.