Podcast: The Security Strategist

Host: Richard Stiennon, Chief Research Analyst at IT-Harvest

Guest: Michael Kennedy, Ostra Security Founder

For leaders in enterprise technology, the pressure to show measurable cybersecurity outcomes has never been greater. Boards are asking tougher questions, attackers are moving faster, and conventional security awareness metrics aren’t telling the whole story.

In a recent episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, is joined by Ostra Security Founder Michael Kennedy, who points out a growing gap in how enterprises measure success. Despite years of investment in phishing training and user awareness, breaches keep happening—not because employees are failing on a large scale, but because enterprise systems aren’t designed to handle inevitable mistakes.

For CIOs, CISOs, and CTOs, this signals a major transition toward outcome-based security.

Why Traditional Security Awareness Metrics Fall Short

Phishing simulations, reduced click rates, and increased reporting are often seen as proof of a strong cybersecurity strategy. The metrics are easy to track, too.

However, as Kennedy notes, they provide limited insight into actual risk reduction. Even the most effective awareness programs leave some room for error. In reality, attackers only need one successful attempt to gain access. “If one gets through, that’s enough,” Kennedy suggests, highlighting a truth most security leaders understand but find difficult to measure.

What these metrics don’t capture is the downstream impact of that failure.

Two identical phishing attacks can lead to vastly different results depending on the enterprise security setup. In one situation, the threat is neutralised quickly. In another, it escalates into lateral movement, credential theft, or ransomware deployment. For enterprise settings, this gap reveals a basic problem: user-focused metrics measure behaviour, not how the system performs once that behaviour fails.

What Does Outcome-Based Cybersecurity Look Like?

The more effective approach, Kennedy argues, is to frame cybersecurity around engineering outcomes instead of user behaviour.

This means evaluating how well systems perform during attacks—not how well users avoid making mistakes.

The key markers of a strong enterprise cybersecurity strategy include how quickly threats are detected, how effectively security teams respond, and how well incidents are contained before they spread. These operational metrics give a clearer view of real-world readiness.
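The following Python is an added example, not code from the podcast, from Ostra or from IT-Harvest. It computes the outcome metrics this section names (time to detect, time to contain, total dwell time and the blast radius of hosts touched) over two constructed incident timelines that both start from the same single phishing click, the situation the earlier section describes. Host names, timestamps and the event schema are all assumptions made for the illustration.

```python
"""Outcome metrics for two incidents that begin with the same phishing click.

Added illustration: the event schema, host names and timestamps are constructed,
not taken from any real incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "click" | "malicious" | "detected" | "contained"
    host: str
    note: str = ""


@dataclass(frozen=True)
class Outcome:
    clicks: int                           # what a click-rate metric sees
    time_to_detect: Optional[timedelta]   # first attacker activity -> detection
    time_to_contain: Optional[timedelta]  # detection -> containment
    dwell_time: Optional[timedelta]       # first attacker activity -> containment
    blast_radius: int                     # distinct hosts touched before containment


def first_ts(events: List[Event], *kinds: str) -> Optional[datetime]:
    """Timestamp of the earliest event whose kind is in `kinds` (events sorted)."""
    for e in events:
        if e.kind in kinds:
            return e.ts
    return None


def measure(events: List[Event]) -> Outcome:
    """Derive engineering-outcome metrics from one incident timeline."""
    events = sorted(events, key=lambda e: e.ts)
    clicks = sum(1 for e in events if e.kind == "click")
    start = first_ts(events, "click", "malicious")
    detected = first_ts(events, "detected")
    contained = first_ts(events, "contained")
    # Every host the attacker touched before containment counts toward blast
    # radius; if the incident was never contained, count up to the last event.
    cutoff = contained or (events[-1].ts if events else None)
    touched = {
        e.host for e in events
        if e.kind in ("click", "malicious") and cutoff is not None and e.ts <= cutoff
    }
    return Outcome(
        clicks=clicks,
        time_to_detect=(detected - start) if start and detected else None,
        time_to_contain=(contained - detected) if detected and contained else None,
        dwell_time=(contained - start) if start and contained else None,
        blast_radius=len(touched),
    )


# Constructed timelines. Both begin with exactly one user clicking the same lure.
T0 = datetime(2024, 1, 1, 9, 0)

# Incident A: endpoint telemetry fires within minutes and the host is isolated.
INCIDENT_A = [
    Event(T0, "click", "ws-01", "user opens phishing attachment"),
    Event(T0 + timedelta(minutes=1), "malicious", "ws-01", "payload executes"),
    Event(T0 + timedelta(minutes=3), "detected", "ws-01", "EDR alert"),
    Event(T0 + timedelta(minutes=10), "contained", "ws-01", "host isolated"),
]

# Incident B: the same click, but the attacker moves laterally before anyone notices.
INCIDENT_B = [
    Event(T0, "click", "ws-07", "user opens phishing attachment"),
    Event(T0 + timedelta(minutes=1), "malicious", "ws-07", "payload executes"),
    Event(T0 + timedelta(minutes=40), "malicious", "file-srv-02", "lateral movement"),
    Event(T0 + timedelta(minutes=75), "malicious", "dc-01", "credential theft"),
    Event(T0 + timedelta(minutes=150), "detected", "dc-01", "SOC triage"),
    Event(T0 + timedelta(minutes=240), "contained", "dc-01", "accounts reset, hosts isolated"),
]


def compare(a: List[Event], b: List[Event]) -> dict:
    """Side-by-side view: identical click counts, very different outcomes."""
    return {"A": measure(a), "B": measure(b)}


if __name__ == "__main__":
    for name, outcome in compare(INCIDENT_A, INCIDENT_B).items():
        print(name, outcome)
```

Run as a script it prints both outcomes; the point to notice is that a click-rate dashboard records the same single click for A and B, while the outcome metrics separate a ten-minute, one-host event from a four-hour, three-host one. Which metrics an organisation puts on its board report decides which of those two stories it can see.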

This shift lines up with the growing adoption of zero trust architectures, extended detection and response (XDR), and AI-driven security operations. All these frameworks focus on containment, visibility, and fast responses rather than the unrealistic goal of perfect user behaviour.

It also changes how breaches are examined. High-profile incidents are often simplified to stories about weak passwords or phishing clicks, while the more vital question—why controls failed to limit the impact—gets overlooked.

For enterprise buyers and decision-makers, this can lead to misaligned investments, over-prioritising awareness training while underfunding detection engineering, identity controls, and network segmentation.

Why Is It Necessary to Create a No-Blame Culture?

While the focus shifts away from blaming users, Kennedy emphasises that people still play a vital role in enterprise cybersecurity—just not in the way many enterprises think.

In enterprise environments where employees fear blame, reporting delays are common. Suspicious emails go unreported, incidents remain unnoticed longer, and response times increase.

In contrast, organisations that create a no-blame security culture see users acting as an extension of their detection capabilities. Employees who feel safe reporting anomalies can identify threats earlier, often before automated systems escalate them.

This cultural change has measurable operational benefits. Faster reporting reduces dwell time, limits damage, and improves overall incident response effectiveness.

Some enterprises are formalising this approach through internal collaboration platforms, enabling real-time threat sharing across teams. In doing so, they turn their workforce into a distributed security layer—one that complements, rather than replaces, technical controls.

The enterprises that succeed in this next phase of cybersecurity maturity will be those that move beyond the “human error” narrative and embrace a truly outcome-based approach to security engineering.

Because in modern enterprise environments, the question is no longer who clicked—it’s how well the system absorbed the impact.

Key Takeaways

  • Cybersecurity failures are system design issues—not user mistakes.
  • Click-rate metrics are misleading.
  • Real success is measured by containment speed and impact reduction.
  • Strong security culture encourages users to report threats without fear of blame.
  • Engineering outcomes (like detection speed and blast radius control) matter more than user behaviour metrics.
  • AI is reshaping both attacks and defence, making faster, smarter response capabilities essential.

For more information, please visit em360tech.com and ostrasecurity.com.
