The consequences of cyber attacks are growing increasingly severe. And as “bad actors” become increasingly well-financed, and the “attack surface” where cyber threats are deployed becomes increasingly larger and more complex, it’s becoming practically impossible to ensure that everything is properly patched. To manage cyber risk in this context, we need to fundamentally change the way we measure cyber risk performance. The author discusses three things companies should be doing to improve their current cyber risk measures. While there is no such thing as risk elimination,…