Safeguard
DevSecOps

Why Security and Engineering KPIs Are Still Misaligned in...

Security teams chase CVSS scores and SLA compliance while engineering chases velocity and uptime—two scorecards that were never built to agree.

Priya Mehta
DevSecOps Engineer
7 min read

Every engineering org tracks deploy frequency, lead time for changes, and mean time to recovery. Every security org tracks mean time to remediate, patch SLA compliance, and vulnerability backlog age. These sound like they should reinforce each other, but in practice they rarely do. A critical CVE that security flags on a Tuesday competes for the same two-week sprint as a customer-facing feature a product manager already promised for Friday. Security's KPI says the CVE should close in 15 days. Engineering's KPI says the sprint commitment should close on time. Only one of those numbers actually moves the org's risk posture, but both show up green on their respective dashboards. This is the quiet failure mode inside most software companies: two functions, two scorecards, and no shared unit of account for risk. It isn't a competence problem — it's a structural incentive gap that has been quietly compounding for years, one sprint at a time.

Why do security and engineering measure success with completely different numbers?

Because the two functions were built to optimize for opposite failure modes. Security KPIs are exposure metrics — mean time to remediate (MTTR), percentage of vulnerabilities fixed within SLA, backlog age by severity — designed to answer "how long were we vulnerable?" Engineering KPIs are delivery metrics — velocity, lead time for changes, deployment frequency, change failure rate — designed to answer "how fast can we ship safely?" A team can hit 95% of its DORA delivery targets in a quarter while its critical vulnerability backlog quietly grows from 40 to 140 items, and neither number is "wrong." They're just not measuring the same thing, and nobody at the VP level has defined what tradeoff rate between them is acceptable. Most orgs default to whichever metric has an executive sponsor watching it that week, which is why security debt tends to lose by default.

What happens when a critical CVE lands mid-sprint?

It gets triaged, ticketed, and then quietly deprioritized, because missing a sprint commitment is visible in Monday's standup while missing a remediation SLA is visible only in a quarterly security review three months later. This is exactly how Log4Shell (CVE-2021-44228, disclosed December 10, 2021) played out inside plenty of engineering orgs: security teams declared it a same-week, drop-everything fix, while several product teams pushed the actual production patch into the next sprint because the current one was already fully committed. Gartner and multiple incident post-mortems from that period noted organizations were still finding unpatched instances of Log4j more than a year later — not because teams didn't know about it, but because "patch Log4j" had to win a prioritization fight against features with their own deadlines, and it usually didn't have a KPI attached that anyone's bonus depended on.

Why does "time to remediate" mean something different to each team?

Because security starts the clock at disclosure and stops it at production deployment, while engineering considers a ticket "done" the moment a pull request merges — even if that code sits behind a release train for weeks. A critical vulnerability disclosed on day 1 might get a PR merged by day 5, which engineering logs as a five-day turnaround. But if the release train only ships to production every three weeks, the actual exposure window is closer to 20 days, and security's SLA dashboard — which tracks by deployment, not by merge — shows an SLA breach that engineering's dashboard never registers at all. Multiply that gap across a 30/60/90-day SLA tiering scheme for critical/high/medium severities, and you get two teams that can both report "on track" in the same retro while the actual production exposure tells a different story.

Does a CVSS score actually predict what engineering will work on next?

No — a CVE with a 9.8 CVSS score and no known exploit routinely loses a prioritization fight to a 6.1 that's blocking a customer's compliance audit due in five days. CVSS measures theoretical severity, not exploitability or business context, which is why EPSS (Exploit Prediction Scoring System) adoption has grown since its 2021 introduction — it estimates the probability a vulnerability will actually be exploited in the next 30 days, and the two scores frequently disagree. Engineering teams, meanwhile, prioritize almost entirely off ticket labels like "blocker," "customer-escalation," or "audit-blocking," which have nothing to do with either score. The result is a system where a security team's "top priority" list and an engineering team's "top priority" list can share zero overlap in a given sprint, and there's no mechanism forcing reconciliation until an auditor or an incident does it for them.

Can leadership see this misalignment before it turns into an incident?

Rarely, because the CISO's risk dashboard and the CTO's delivery dashboard are usually built on entirely separate data sources and only get reconciled manually during quarterly business reviews. By the time that reconciliation happens, vulnerabilities that were "in progress" on day 10 are often sitting at 60–90 days past SLA, and the conversation shifts from prevention to explanation. This is compounded in orgs running SOC 2 or ISO 27001 programs, where the compliance team pulls a third, separate view of the same vulnerability data for audit purposes — meaning a single CVE can have three different "status" values (engineering ticket status, security SLA status, audit evidence status) depending on which team you ask, none of which were ever designed to talk to each other.

What would it actually take to align the two scorecards without slowing either team down?

It takes collapsing the metrics into one shared source of truth instead of trying to get two departments to agree on separate dashboards. That means measuring remediation from disclosure to production deployment (not to merge), prioritizing by exploitability and business context (not CVSS alone), and putting the resulting work directly into the same backlog engineering already plans sprints from — not a separate GRC ticketing system that engineers check once a quarter. Orgs that have done this successfully typically report vulnerability SLA compliance as a joint KPI reviewed in the same forum as delivery metrics, so a missed remediation date has the same visibility as a missed sprint commitment, rather than surfacing only when an auditor asks for evidence.

How Safeguard Helps

Safeguard is built specifically to close this gap rather than paper over it with another dashboard nobody checks. Instead of generating a CVE list that security has to manually translate into engineering tickets, Safeguard maps every vulnerability across your software supply chain — SBOM components, container images, CI/CD dependencies — to actual reachability and exploitability context, so a 9.8 CVSS finding with no real attack path doesn't drown out the 6.1 that's actually exploitable in your environment. That prioritized, business-context-aware list flows directly into the ticketing and sprint tooling engineering already uses, so remediation work shows up where planning actually happens instead of in a separate compliance queue.

Safeguard also tracks the full exposure window the way security actually needs it measured — from disclosure to verified production deployment, not to PR merge — giving both security and engineering leadership the same number instead of two conflicting ones. For teams running SOC 2 or similar compliance programs, that same data doubles as continuously current audit evidence, eliminating the quarterly scramble to reconcile three versions of the same vulnerability's status. The goal isn't to hand security a better dashboard or hand engineering a lighter backlog — it's to make sure both teams are finally looking at the same clock.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.