Goodhart’s Law: Why Your Green Security Dashboard Might Be a Red Flag
The most dangerous number in cybersecurity is a perfect score. Why 'Green' often means you aren't looking hard enough, and how to design incentives for reality.
In the early 1900s in British India, the government faced a deadly problem: too many venomous cobras. Their solution seemed logical. They offered a cash bounty for every dead cobra brought in.
It worked initially. The snake population dropped. But then, the locals grew inventive. They started farming cobras to kill them and collect the bounty. When the government realized this and scrapped the program, the breeders released their worthless snakes into the wild. The result? The cobra population ended up higher than before the program started.
This is the classic cautionary tale of Goodhart’s Law, and most cybersecurity programs fail for the same simple reason: they violate it.
When a measure becomes a target, it stops being a good measure.
I’ve seen this play out repeatedly in many security teams. We introduce metrics to understand risk, and over time those same metrics quietly become goals. Once that happens, behavior shifts. Often not because people are careless or trying to cheat the system, but because they are responding rationally to the incentives in front of them. Basic human behavior.
The Problem: Performance Theatre
Think about the metrics many of us rely on in cybersecurity. Vulnerability counts. Open Critical/High findings. Phishing simulation click rates. Unpatched libraries. Asset coverage percentages. None are inherently wrong. The problem starts when success is defined by improving the number rather than reducing real risk. Teams naturally focus on what is easiest to fix, while harder, more structural issues get deferred.
This is how performance theatre creeps in. I’ve watched teams close tickets at impressive speed while long-standing architectural weaknesses remained untouched. Dashboards looked healthy. Reports reassured leadership. Meanwhile, the most critical systems were still exposed. Security improved on paper, not in reality.
The same pattern shows up in awareness programs. In environments where phishing metrics are enforced too aggressively, people stop reporting real emails because they fear being penalized. The measure that was supposed to improve security ends up eroding trust and weakening detection.
The Solution: Tug of War Metrics
The strongest teams I’ve worked with design explicitly for this failure mode. They don’t abandon metrics, but they refuse to let any single metric stand alone. Every measure is paired with a counter-measure that pulls behavior in the opposite direction, a “tug of war” that forces balance.
If you track Mean Time to Remediate (MTTR), you must also track Incident Recurrence. (Did we fix it fast, or did we just put a band-aid on it?)
If you track Vulnerability Counts, you must also track Exploitability. (Are we fixing what matters?)
If you track Alerts Closed, you must also track Detection Gaps. (Are we clearing the queue or missing the signal?)
This balance is intentional. Competing metrics create tension, and that tension forces judgment. Judgment is where real security decisions happen. Without it, numbers become a substitute for thinking.
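As an added illustration (not from the original post), here is one pairing from the tug of war worked through in Python: Mean Time to Remediate beside an Incident Recurrence rate, computed over a small constructed set of findings. The fingerprint field, the 90-day recurrence window and the green/review thresholds are assumptions for the sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass
class Finding:
    fingerprint: str            # assumed stable identity of the weakness, e.g. "CWE-89:/login"
    asset: str
    opened: datetime
    closed: "datetime | None"   # None while still open

def mttr_days(findings):
    """Mean Time to Remediate over closed findings, in days (the 'fast' metric)."""
    closed = [f for f in findings if f.closed is not None]
    if not closed:
        return None
    return mean((f.closed - f.opened).total_seconds() / 86400 for f in closed)

def recurrence_rate(findings, window=timedelta(days=90)):
    """Share of closures after which the same fingerprint reopened on the same asset within `window`."""
    groups = {}
    for f in findings:
        groups.setdefault((f.fingerprint, f.asset), []).append(f)
    closed_total = recurred = 0
    for items in groups.values():
        items.sort(key=lambda f: f.opened)
        for i, f in enumerate(items):
            if f.closed is None:
                continue
            closed_total += 1
            # a later reopen of the same weakness inside the window means the fix did not hold
            if any(f.closed < later.opened <= f.closed + window for later in items[i + 1:]):
                recurred += 1
    return recurred / closed_total if closed_total else 0.0

def assess(findings, mttr_target_days=7.0, max_recurrence=0.10):
    """Only 'green' when both sides of the tug of war are within tolerance (thresholds assumed)."""
    m, r = mttr_days(findings), recurrence_rate(findings)
    status = "green" if m is not None and m <= mttr_target_days and r <= max_recurrence else "review"
    return {"mttr_days": m, "recurrence_rate": r, "status": status}

# Constructed sample: tickets close in 1-2 days, but the same weaknesses keep coming back.
def D(m, d): return datetime(2024, m, d)
SAMPLE = [
    Finding("CWE-89:/login", "web-1", D(1, 1), D(1, 3)),
    Finding("CWE-89:/login", "web-1", D(1, 20), D(1, 22)),
    Finding("CWE-89:/login", "web-1", D(2, 10), D(2, 12)),
    Finding("CWE-79:/search", "web-1", D(1, 5), D(1, 6)),
    Finding("CWE-200:/debug", "api-2", D(1, 2), D(1, 4)),
    Finding("CWE-200:/debug", "api-2", D(1, 30), D(2, 1)),
]
print(assess(SAMPLE))  # MTTR of about 1.8 days looks green on its own; recurrence of 0.5 sends it to review
```

Tracked alone, the MTTR here would clear a 7-day target comfortably; the paired recurrence figure is what exposes the band-aid fixes.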
Culture matters more than most dashboards will ever show. If security makes it difficult for engineers and operators to do their jobs, they will work around it. I’ve learned to pay attention to friction. How hard is it to do the right thing securely? The answer tells you more than most KPIs.
The Takeaway
If your security dashboard always looks calm and green, that is not reassurance. It is a question. Real systems are noisy. Real risk is messy. Goodhart’s Law is your reminder to stop polishing the glass and start listening to the signals underneath it. Balance creates truth.