Green Is Not Safe: The Dashboard Lie

Opinion

Green dashboards are bedtime stories with traffic lights.

The board sees green. The managed service provider says green. The vendor console says green. Everyone exhales. And then an incident happens, and everybody discovers, all at once, that the green meant we did not look deeply enough.

I want to be careful here, because this is the point where I usually get accused of being against reporting altogether. I am not. Businesses need simple indicators. A 20-person firm cannot have its owner reading raw firewall logs over breakfast. Simple status matters. The dashboard is not the enemy. The bad use of the dashboard is the enemy.

So let me say the quiet part out loud. Green boxes and vibes have become the native language of weak assurance. And it is costing businesses real money, because it persuades them that nothing is wrong right up until the moment everything is.

What Green Actually Measures

Here is the trick of the green tile. It tells you that a thing is doing what it was configured to do. It does not tell you whether what it was configured to do is the right thing, whether it is enough, or whether someone walked past it last Tuesday.

A firewall tile can be cheerfully green while the management interface is exposed to the internet. An endpoint tile can be green while a finance director runs as a local administrator with no multi-factor authentication. A backup tile can be green because the job completed, while the restore has never once been tested and a single compromised account could delete the lot.

This is not hypothetical. The Fortinet edge-device flaws over the past winter were exploited through authentication bypass. On affected devices, attackers changed firewall configuration, created new admin accounts, and altered virtual private network settings. None of that necessarily turns a status tile red. The device is up. The service is running. The light is green. And someone is quietly cutting new keys behind it.

Attackers do not care about green. They care about reachable management, weak authentication, stale credentials, unmonitored change, and poor segmentation. Not one of those things is what a reassuring green tile is measuring.

A Report Should Show Movement, Not Status

Graham challenged me on this during the round table, and he was right to. Businesses do need reporting. So what should a good report actually show?

Not status. Movement.

What changed this period? What failed? What was patched? What could not be patched, and why? What is exposed? What is overdue? What risk needs a decision? And who owns the next action?

That is a report that respects the reader. It separates noise from threat. Because ten thousand alerts do not help a business. Ten meaningful signals with a response action attached might. If your report cannot tell the difference between busy and dangerous, it is not security reporting. It is confetti. Expensive, colourful, and gone by Monday.

A useful report makes accountability visible. It does not say everything is fine. It says: here is what moved, here is what it means, here is the decision you need to make, and here is the person who owns it. The board does not need to understand the technical detail underneath. It needs to see that the detail exists, that someone is reading it, and that the uncomfortable items are not being quietly painted green.

The Comfort Industry

Let me name the actual problem, because it is not the colour green. It is the market for comfort.

Too many businesses are buying reassurance, and the industry is very happy to sell it. A monthly PDF nobody reads. A console of tiles that are green because nothing is checking the things that would turn them red. A provider who says “we are aware of this issue” and considers the matter closed, when “we are aware” is what people say when they want credit for receiving an email.

If you only buy reassurance, you will be sold reassurance. That is not a moral failing on the buyer’s part. It is a predictable result of asking the wrong question. The fix is to change the question. Stop buying comfort. Start buying outcomes. Reduced exposure. Faster patching. Stronger identity. Tested recovery. Better logging. Clear ownership. Faster response. Evidence you can actually show someone.

And fewer assumptions. Because assumptions are where accountability goes to hide. We assumed the provider had it. We assumed the firewall was current. We assumed the backups worked. We assumed the old users were gone. We assumed the logs existed. Assumption is not a control. It is a green tile in human form.

How to Turn This Into a Competitive Advantage

The business that reads its reports properly is quietly winning work.

You can prove what others can only claim. When a client asks how you manage security, a report that shows movement, decisions, and owners is evidence. A screenshot of green tiles is wallpaper. Buyers can tell the difference, and the ones who matter are starting to ask.

You spend your budget on outcomes, not theatre. Once you stop paying for comfort, the same money buys real reduction in exposure. That is a margin advantage your competitors who are still buying PDFs do not have.

How to Sell This to Your Board

Three points, in language a board respects.

A green dashboard is not evidence of reasonable steps. Regulators, insurers, and customers increasingly ask whether reasonable steps were taken. “Our dashboard was green” is not an answer any of them accept. A report showing decisions and owners is.

Movement reporting turns cyber into a normal business risk. Boards manage risk by reviewing what changed and deciding what to do about it. A report built around movement fits how a board already works. A wall of green does not give them anything to decide, which is precisely why it feels comfortable and achieves nothing.

The change costs nothing but the courage to ask for it. You are not approving a new platform. You are telling your provider you want reporting that shows risk and ownership, not status tiles. If that request causes friction, the friction is information.

What This Means for Your Business

  1. Ask what each green tile is actually measuring. If the answer is “the service is running,” that is uptime, not security. Demand to know what would have to be true for it to turn red.

  2. Replace status reports with movement reports. Tell your provider you want what changed, what failed, what is exposed, what is overdue, and who owns the next action. This is covered in practical detail in the ten questions to ask your provider.

  3. Check the things green never shows. Exposed management interfaces, admin accounts without multi-factor authentication, stale users, and untested backups. Start with keeping remote access off the open internet.

  4. Test one thing this week that has only ever been green. Restore a backup. Confirm an old user is gone. Verify management is not internet-facing. Turn one assumption into evidence.

  5. Name the owner of the next action. Every report should end with a decision and a person. Without that, it is decoration.
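A sketch of what steps 1 to 5 look like as a check, added here as an illustration (it is not part of the original article or any vendor's tooling). The snapshot fields, account names, owners and dates are constructed sample data; a real version would read them from your device and identity exports.

```python
from datetime import date

# Constructed snapshots of one firewall, taken a month apart (sample data only).
PREV = {"service_up": True, "mgmt_internet_facing": False, "last_restore_test": None,
        "admins": {"alice": {"mfa": True, "last_login": "2026-01-28"},
                   "old-contractor": {"mfa": False, "last_login": "2025-06-02"}}}
CURR = {"service_up": True, "mgmt_internet_facing": True, "last_restore_test": None,
        "admins": {"alice": {"mfa": True, "last_login": "2026-02-25"},
                   "old-contractor": {"mfa": False, "last_login": "2025-06-02"},
                   "svc-backup2": {"mfa": False, "last_login": "2026-02-20"}}}
OWNERS = {"exposure": "MSP service desk", "identity": "IT lead"}  # hypothetical owners
TODAY = date(2026, 3, 1)  # constructed report date


def tile(snapshot):
    """What the status tile reports: uptime only."""
    return "green" if snapshot["service_up"] else "red"


def movement_report(prev, curr, today, stale_days=90):
    """Return (area, finding, owner) rows: what changed plus what green never shows."""
    rows = []

    def add(area, finding):
        # An area with no named owner is itself a finding, so make it visible.
        rows.append((area, finding, OWNERS.get(area, "UNASSIGNED")))

    if curr["mgmt_internet_facing"] and not prev["mgmt_internet_facing"]:
        add("exposure", "management interface became internet-facing")
    elif curr["mgmt_internet_facing"]:
        add("exposure", "management interface still internet-facing")
    for name in sorted(set(curr["admins"]) - set(prev["admins"])):
        add("identity", f"new admin account: {name}")
    for name, acct in sorted(curr["admins"].items()):
        if not acct["mfa"]:
            add("identity", f"admin without MFA: {name}")
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            add("identity", f"stale admin, idle {idle} days: {name}")
    if curr["last_restore_test"] is None:
        add("recovery", "backup restore never tested")
    return rows


if __name__ == "__main__":
    print("tile:", tile(CURR))
    for area, finding, owner in movement_report(PREV, CURR, TODAY):
        print(f"[{area}] {finding} -> owner: {owner}")
```

The tile stays green across both snapshots while the report returns six rows, one of them with no owner.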

Green is not safe. Green is a colour. Safe is a verb that someone has to keep doing. Stop accepting fog, stop mistaking a quiet dashboard for a secure business, and start asking what the green is hiding. If that annoys your reporting vendor, good. I shall try to recover emotionally.

Sources

  • NCSC: Cyber security board toolkit
  • NCSC: Cyber security design principles: defence in depth
  • CISA: Guidance on ongoing exploitation of CVE-2026-24858
  • GOV.UK (DSIT): Cyber Security Breaches Survey 2025/2026
  • Fortinet: Analysis of single sign-on abuse on FortiOS
