
Compound Risk Metrics: Moving beyond surface-level security
Combining control data across cybersecurity domains is essential for a clear, continuous view of cyber risk. In this blog, we'll explore why unifying your data helps CISOs uncover toxic combinations of risk and what to do about those risks.
What keeps me up at night as a CISO is the idea that you’ve missed something. You’re looking at a window on the problem, and it’s giving you a certain view back. But actually, that window is missing where the real problem is. That’s a constant anxiety. Yes, my metrics are green, but do they really incorporate a holistic view of everything? Is there some kind of Achilles heel?
Oli Newbury, Panaseer non-executive board member
If this resonates, you’re not alone.
Today’s CISOs are overwhelmed by dashboards and reports - patching coverage, endpoint compliance, phishing click rates, and identity management statistics. These metrics are useful and often accurate, but they are:
- Fragmented across multiple tools and owners
- Point-in-time, rather than continuous
- Control-focused, rather than risk-focused
- Missing context to connect technical gaps to business exposure
This means security leaders can’t always see where risk is converging. They know what’s inside their “windows” of visibility - but not what’s outside. And it’s those blind spots that often hide the toxic combinations of risk that cause CISOs the most anxiety.
Why surface-level security falls short
You might know that 85% of assets are patched within SLA, or that 8% of employees have failed phishing tests in the last 30 days, but what’s harder to answer (and almost impossible with isolated metrics) is:
- Which critical systems fail multiple controls at once?
- Where do exposures overlap in ways that magnify risk?
- Which risks or hidden attack paths are outside our current field of view entirely?
It leaves CISOs managing from a patchwork of partial views, unable to see where gaps overlap or where emerging risks lie. That uncertainty of “I don’t know what I don’t know” isn’t a reporting issue. It’s a visibility issue. And it’s exactly what compound risk metrics aim to address.
Using compound risk metrics for a contextualized view
Compound risk metrics are aggregated indicators that reflect how multiple control signals come together to create - or mitigate - risk in each area.
Instead of looking at controls in isolation, they ask:
- Are the right combinations of controls in place?
- On the right systems?
- At the right time?
- In a way that reflects real-world risk exposure?
Think of it this way:
A vulnerability on a low-criticality asset with full endpoint protection, limited access, and strong segmentation may not be urgent. But the same vulnerability on an unmonitored, internet-facing, admin-access system with no EDR coverage? That’s a toxic combination of risk, which is a potential attack path that adversaries are actively seeking out.
In essence, compound metrics help identify the intersections of weakness (toxic combinations of risk) where security controls fail together.
Compound risk metrics solve the “I don’t know what I don’t know” problem by:
- Creating a bigger (and more complete) window.
Rather than showing a narrow slice of one control’s performance across one cybersecurity domain, compound risk metrics layer in supporting context, revealing exposures that individual tools miss.
- Highlighting hidden dependencies.
A metric that shows patching coverage is useful. A metric that shows patching coverage on critical systems that are also missing MFA and EDR is actionable.
- Surfacing gaps in assurance, not just control.
You might be running vulnerability scans - but are you scanning all systems? Are you covering unmanaged assets? Panaseer’s Continuous Controls Monitoring platform highlights areas where you think you're covered - but aren't.
Where to start with compound risk metrics
If you’re new to compound risk metrics (and you don’t have a CCM platform or system of record, such as Panaseer) it’s best to start small and scale.
- Pick a risk theme.
Start with one area - say, endpoint security, identity assurance, or cloud misconfigurations. Define what “good” looks like across controls. Ask yourself: “Are the underlying data sources reliable?”
- Map the control stack.
List the controls that reduce that risk. For endpoint hygiene, that might include patching status, AV/EDR coverage, admin rights enforcement, and asset inventory. Ensure definitions are consistent across teams.
- Define the compound metric.
Group these controls into a single composite score or indicator. For example:
“Percentage of high-value endpoints with full control coverage.”
Ask yourself: “Is the metric actionable and repeatable?” If the answer is “no”, it’s likely not the right metric.
- Visualize over time.
Continuous insight is more powerful than snapshots. The goal is to see whether risk exposure is increasing or decreasing - not just what it is today.
Developing a compound risk metrics framework is complex. Keep in mind that you’re aiming to report on groups of controls as one metric that can better translate risk to non-technical executive audiences and is actionable with a clear next step.
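To make the four steps concrete, here is an added example (not Panaseer’s code or platform logic) that computes the compound metric “percentage of high-value endpoints with full control coverage” from the endpoint control stack listed above, flags the toxic combination described earlier (internet-facing, admin access, no EDR), and contrasts it with a single-control view. The asset fields, the control list, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    """One asset as seen across several tools. Field names are assumed."""
    name: str
    high_value: bool          # business criticality from the asset inventory
    internet_facing: bool
    admin_access: bool        # privileged accounts log on here
    edr_installed: bool
    patched_within_sla: bool
    mfa_enforced: bool
    in_inventory: bool        # known to the system of record (assurance check)


# Constructed sample inventory; not real assets.
ASSETS = [
    Endpoint("web-01", True, True, True, False, False, False, True),
    Endpoint("web-02", True, True, False, True, True, True, True),
    Endpoint("hr-db", True, False, True, True, False, True, True),
    Endpoint("kiosk-7", False, False, False, False, False, False, True),
    Endpoint("lab-9", True, True, True, True, True, False, False),
]

# The control stack that the compound metric groups together.
CONTROLS = {
    "patched_within_sla": lambda e: e.patched_within_sla,
    "edr_installed": lambda e: e.edr_installed,
    "mfa_enforced": lambda e: e.mfa_enforced,
    "in_inventory": lambda e: e.in_inventory,
}


def control_gaps(e):
    """Names of the controls this endpoint fails."""
    return [name for name, check in CONTROLS.items() if not check(e)]


def full_coverage_pct(assets):
    """Compound metric: % of high-value endpoints passing every control."""
    hv = [a for a in assets if a.high_value]
    covered = [a for a in hv if not control_gaps(a)]
    return round(100.0 * len(covered) / len(hv), 1) if hv else 100.0


def toxic_combinations(assets):
    """Endpoints where weaknesses stack: exposed, privileged and unmonitored."""
    return [a.name for a in assets
            if a.internet_facing and a.admin_access and not a.edr_installed]


def per_control_pct(assets, control):
    """Single-control view, for contrast with the compound view."""
    return round(100.0 * sum(CONTROLS[control](a) for a in assets) / len(assets), 1)
```

Run against the sample data, EDR coverage alone reads 60%, while the compound view shows only 25% of high-value endpoints fully covered and names web-01 as the toxic combination to fix first.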
Compound risk metrics tell a better story
Cybersecurity risk isn't one-dimensional, so our metrics and reporting shouldn’t be either.
By combining indicators into compound views, security teams can shift from reporting data to reporting insight, helping stakeholders make smarter decisions and, ultimately, reduce real risk.
Used in the right way, compound risk metrics can:
- Improve strategic communication, translating technical signals into business language.
- Increase operational efficiency by prioritizing remediation efforts based on where risks stack up, not just where tools raise alerts.
- Better align with emerging regulatory expectations around evidence-based risk management. They demonstrate not only control implementation but control effectiveness in context.
- Improve cross-team collaboration across silos by moving from isolated KPIs to compound indicators where everyone from IT and security to compliance and risk is working together to raise the bar.