
Episode 16: When Metrics Mislead: Security Scoring, Board Gaps, and vGRC
From Distilled Security Podcast by Justin Leapline, Joe Wynn, and Rick Yocum
September 8, 2025 · 1h 54m · Episode 16
About this episode
The episode discusses the challenges of measuring and reporting security programs, the misleading nature of scoring systems, and the rise of vGRC services.
Episode 16: When Metrics Mislead: Security Scoring, Board Gaps, and vGRC Episode 16 of the Distilled Security Podcast is here! In this episode, Justin, Joe, and Rick christen the new studio and dive into some of the trickiest challenges in measuring, reporting, and governing security programs. From maturity models to board reporting, the conversation unpacks how scoring systems can mislead, how to communicate bad news effectively, and why boards need more than just “checkbox” cyber expertise. The team also explores the rise of vGRC (Virtual GRC) services —what they are, how they differ from vCISO offerings, and when organizations should consider fractional models. And of course, no episode would be complete without a pour: this week, a rich Woodford Reserve Double Double Oaked bourbon. Topics Covered New Studio Upgrade : Behind-the-scenes on mics, cameras, and why the couch had to go. Measuring to the Score : The dangers of chasing maturity numbers instead of real security outcomes. Scoping, Rubrics & Auditor Whim : Why assessments are subjective and how leadership often misunderstands the results. Cultural Incentives : How bonuses, compliance checkboxes, and “auditor…
People in this episode
Hosts: Justin Leapline, Joe Wynn, Rick Yocum
Topics covered
- security metrics
- board reporting
- vGRC services
- cybersecurity expertise
- security outcomes
- cultural incentives
Keywords
- security scoring
- board gaps
- maturity models
- cyber expertise
- vulnerability tools
- auditor shopping
Mentioned in this episode
Organizations: vGRC, vCISO
Products: Woodford Reserve Double Double Oaked
More episodes of Distilled Security Podcast
- Episode 24: 2 Years, 24 Episodes & The State of Security in the Age of AI · May 14, 2026 · 1h 43m
- Episode 23: Nobody read the report · April 14, 2026 · 2h 10m
- Episode 22: Is AI Good for Security, CIRCIA Starts the Clock, and the M&A Problem Nobody's Talking About · March 9, 2026 · 1h 56m
- Episode 21: AI Notetakers Are Illegal, GRC Tools Are Lying, and ISO 42001 Changes Everything · February 18, 2026 · 1h 51m
- Episode 20 : 2026 Kickoff: Security Resolutions, Key Deadlines, and Don’t Mislead the Feds · January 26, 2026 · 1h 20m
- Episode 19: Cloudflare Outage, AI-Powered Attacks & The Rise of GRC Engineering | Distilled Security Podcast · December 8, 2025 · 2h 12m
Explore listener stats, chart rankings, contacts and more on the Distilled Security Podcast podcast page.