THE ECHO
One story. Gone deep.
When NOT to Measure
Last Sunday I opened a paid pilot to help you measure security risk. So you can imagine the whiplash when I tell you this week's Pulse is about when measuring is the wrong move.
That is not me hedging. That is the whole point.
A method you reach for every time is not a discipline. It is a tic. What turns measurement into discipline is knowing the decisions that do not earn it, and being willing to say so even when you sell the measuring. So here is me, one week after the launch, telling you exactly when to close the spreadsheet and just decide.
Start with the one that catches the most careful people. Something in your environment is already under attack. Not "could be." Is. You do not need a model for that. You patch it. Building a calibrated impact estimate for a flaw an attacker is already using is not rigor. Calibration on a foregone conclusion is procrastination in a lab coat.
Next: one factor obviously dominates. A vulnerability that is internet-facing, skips authentication entirely, and has working exploit code published. You do not need three lenses to rank that. One look tells you. When a single factor is that loud, the spreadsheet is not analysis. It is theater. You already made the decision the moment you read the finding. The model just dresses it up so the call feels safe.
Third, and this one bleeds money quietly: the fix is cheap and reversible. A config flag. A patch you can roll back in an afternoon. If acting costs less than measuring, measuring is the expensive option. You can spend a morning building the case for a thirty-second change, or you can make the change. The leader who measures that one is not being careful. They are being slow and calling it diligence.
And the big one, the one that hides inside a program that looks healthy from the outside: measurement as procrastination.
This is the program that quantifies forever. Every decision gets a score. Every score gets a review. Every review spawns a sub-score. The dashboards multiply, the meetings fill, and somehow the actual decision keeps not getting made, because there is always one more number to refine first. It looks like the most disciplined shop in the building. It is the opposite. It is a team using rigor as a place to hide from the discomfort of deciding. The reflex to score everything is its own kind of sloppiness, and it is harder to spot than the sloppiness of scoring nothing, because it wears a lab coat too.
Here is the test, the same one I would run on any decision before I built a model for it. Is this expensive, hard to reverse, and genuinely uncertain? If all three are true, measure. That is exactly the set the pilot is built for, and it is a smaller set than people think. If any one is false, you already have your answer. Close the spreadsheet. Decide. Move.
So the honest version of my whole campaign is this: measurement is not the goal. Good decisions are. It is the tool you reach for when a decision is genuinely hard, expensive, and uncertain, and the wrong tool for everything else. A calibrated security leader is not the one who scores the most. It is the one who knows which decisions are worth a model and which ones just need a decision.
If you cannot tell the difference, that is the actual gap. And the place to find out where you sit is fifteen free minutes, not a five-thousand-dollar engagement.
SIGNAL CHECK
What else matters this week.
When the Right Move Was Already Obvious
This Tuesday handed us the cleanest example of the year. On June 9, Microsoft shipped its monthly Patch Tuesday, roughly 200 fixes in one drop. The same day, CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog: a Google Chromium V8 flaw (CVE-2026-11645), a Cisco Catalyst SD-WAN Manager flaw (CVE-2026-20245), and an Arista EOS flaw (CVE-2026-7473). Here is why those three matter more than the other 200. A vulnerability lands on KEV for one reason: it is being exploited right now. KEV is not a severity score. It is not a "you should probably look at this" advisory. It is a binary fact with a federal deadline attached: this is happening, patch it by the date. So watch the restraint lesson play out in the gap between the two lists. For the 200, you triage, you score, you decide what is worth your limited fixes. For the three on KEV, you do none of that. There is no scoring meeting, no impact matrix, no follow-up scheduled. CISA already ran the only measurement that matters, confirming exploitation in the wild, and a measurement someone else already made for free is not a measurement you redo. You patch. The skill is not scoring the three KEV items faster than the 200. It is recognizing that the three were never a question, and refusing to spend a meeting pretending they were. via CISA KEV and BleepingComputer
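The gate described above (KEV first, then the dominant-factor and cheap-fix shortcuts, and only then the expensive/irreversible/uncertain test from the lead story) as a small triage routine. This is an added example, not code from the newsletter or from CISA; the KEV entries are a constructed sample in the shape of the real feed's records, the due dates and the CVE-2026-9999x ids are placeholders, and the four-hour "cost of measuring" is an assumed figure.

```python
from dataclasses import dataclass

# Constructed sample shaped like the "vulnerabilities" entries of the CISA KEV
# JSON feed (only the fields used here). The three ids are the ones in the text;
# the dueDate values are placeholders, not CISA's real deadlines.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-11645", "product": "Chromium V8", "dueDate": "2026-06-30"},
    {"cveID": "CVE-2026-20245", "product": "Catalyst SD-WAN Manager", "dueDate": "2026-06-30"},
    {"cveID": "CVE-2026-7473", "product": "EOS", "dueDate": "2026-06-30"},
]

@dataclass(frozen=True)
class Finding:
    cve: str
    internet_facing: bool
    auth_required: bool
    public_exploit: bool
    fix_hours: float     # effort to apply the fix
    reversible: bool     # can it be rolled back in an afternoon?
    uncertain: bool      # do we genuinely not know the impact?

def kev_index(feed):
    """Map cveID -> KEV record so membership is one lookup."""
    return {v["cveID"]: v for v in feed}

def triage(f, kev, measure_hours=4.0):
    """Return (action, reason). 'patch' and 'decide' need no model; 'measure' earns one."""
    if f.cve in kev:                       # exploitation already confirmed by CISA
        return "patch", f"on KEV, due {kev[f.cve]['dueDate']}"
    if f.internet_facing and not f.auth_required and f.public_exploit:
        return "patch", "one factor dominates: exposed, unauthenticated, public exploit"
    if f.fix_hours < measure_hours and f.reversible:
        return "patch", "acting costs less than measuring"
    if f.fix_hours >= measure_hours and not f.reversible and f.uncertain:
        return "measure", "expensive, hard to reverse, uncertain"
    return "decide", "fails the three-part test; you already have your answer"

def triage_batch(findings, feed, measure_hours=4.0):
    """Partition a drop of findings into the buckets the text describes."""
    kev = kev_index(feed)
    out = {"patch": [], "measure": [], "decide": []}
    for f in findings:
        action, _ = triage(f, kev, measure_hours)
        out[action].append(f.cve)
    return out

# Constructed findings: one KEV hit, then the other cases from the lead story.
SAMPLE_FINDINGS = [
    Finding("CVE-2026-11645", True, False, True, 1.0, True, True),
    Finding("CVE-2026-99991", True, False, True, 40.0, False, True),   # dominant factor
    Finding("CVE-2026-99992", False, True, False, 0.5, True, True),    # config flag
    Finding("CVE-2026-99993", False, True, False, 80.0, False, True),  # earns a model
    Finding("CVE-2026-99994", False, True, False, 80.0, False, False), # answer known
]
```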
The Maturity Score That Went Up While the Risk Did Too
Now the failure on the other end. Verizon released its 2026 Data Breach Investigations Report in late May, 22,000-plus breaches analyzed, and buried in it is the number that should end every maturity-dashboard meeting. Across all the vulnerabilities CISA has confirmed are being actively exploited, organizations fully remediated only 26% of them, down from 38% the year before. The median time to fully fix a critical vulnerability rose to 43 days, up from 32. And for the first time in the report's 19-year history, exploiting a known vulnerability became the single most common way attackers got in. Sit with the shape of that. The dashboards are green. The maturity scores climb, twos become threes, the board sees the line going up and to the right. And meanwhile only about a quarter of the flaws everyone already knows are being exploited actually get fixed, and that fraction is going the wrong way. The maturity number measures whether you have a control. The attacker uses the KEV item you never patched. One of those is easy to measure and the other one ends companies, and the program optimized for the wrong one. A rising maturity score next to a falling KEV-remediation rate is not progress. It is a program getting better at the test while the attacker takes the unpatched door. via Verizon DBIR and Help Net Security
THE NOISE
Not every signal needs action.
"Quantify Everything. Risk-Score Every Decision."
On May 13, Rapid7 launched a new "Cyber GRC" program, and the pitch is the tidiest possible version of the thing this whole Pulse is arguing against. The promise: move beyond "static, point-in-time compliance" to continuous, AI-driven risk quantification built on live data. AI-driven third-party risk management. Continuous control monitoring. Unified reporting. A number on everything, refreshed forever, no human bottleneck. It is a real product from a real vendor, and the dashboard is gorgeous. via Cyber Daily
Here is what to do about it. Notice what continuous total measurement is actually optimizing for.
It is not better decisions. It is the feeling of control. A number next to every item makes a complex, adapting system look like a complicated, manageable one, and that illusion is comfortable enough that people pay for it. But a security program is not a machine you tune to a setpoint. It is a living thing that you govern. Govern means deciding what is worth your attention and what is not, and a program that scores everything has quietly refused to make that decision. It has outsourced its judgment to a model that cannot tell the difference between the flaw that ends the company and the one that never gets touched, and made it run continuously so the abdication never stops.
The skill is not measuring more. It is knowing what deserves to be measured and having the nerve to leave the rest alone. Let the vendors sell you more dials. You need fewer, pointed at the right things.
ONE QUESTION
No answer. Just the question.
Look at the last security decision your team scored, ranked, or risk-rated. Was it genuinely expensive, hard to reverse, and uncertain? Or did you already know the answer and build the model so the call would feel safe?
Where to Start
The whole campaign comes down to one habit: measure the decisions that are expensive, hard to reverse, and genuinely uncertain, and decide the rest without ceremony. If you are not sure which of your decisions are which, that is exactly what the free assessment is for.
The Signal Score is fifteen minutes and tells you, in plain English, where you are measuring what does not matter and guessing at what does.
And if this Pulse did not talk you out of it, if you are sitting on a triage decision that genuinely is expensive, hard to reverse, and uncertain, the three founding-cohort pilot slots for Signal Measure are still open at the $5,000 rate, work starting late June. → echocyber.io/sprint/measure
Next Sunday closes the campaign: beyond vuln triage, where this discipline goes next.
Prefer audio? Jane reads every Pulse edition on the Signal vs. Noise podcast. Five minutes, same signal, no scrolling. Find it wherever you listen.
Michael Faas is a fractional CTO/CISO who translates technical complexity into business decisions. echocyber.io