‘Mean Time Before CEO Apologises’ Is The Ultimate Security Metric

There are lots of metrics for measuring security readiness and response, but we think this one’s hard to beat: the time between when a security incident occurs at a major company and when the CEO is forced to make a grovelling public apology.

Forrester Research analyst Rick Holland suggests the ‘mean time before CEO apologises’ idea in a recent blog post. While it’s tongue-in-cheek, it does highlight one of the most important lessons in IT security: it’s always better to prevent an incident than to have to deal with the aftermath. And since you can’t prevent everything, it’s also crucial to be able to demonstrate everything you did do — since that will help the CEO prepare their apology.

Introducing A New Incident Response Metric: Mean Time Before CEO Apologizes (MTBCA)


  • In a similar vein – we’re still waiting for a media statement from Nanna’s on the mixed berry incident. It’s like the company doesn’t even care to give lip service.

  • When they are lying and downplaying an incident with a ‘that’s the end of it’ statement, they only take a few days to a week. Then they flood the market with diversionary press releases and no mention or follow-up ever again.

  • You can’t have a MEAN time to an apology by a CEO for an event unless you have multiple CEOs. It’s just the time to an apology. You could compare it to a mean for other CEOs and other events to see if it was more than the average or not, but that’s it.
