When presenting to the board on security, which are more impactful: leading indicators or trailing indicators?
Leading indicators are more impactful to the board, showing the security measures implemented and their effectiveness, by showing security metrics results. Trailing indicators can show the contrast of security in place currently against the past.
Leading indicators versus trailing indicators is the biggest thing in the private space, which is where I have all of my experience at this point, so there's a bit of bias there. But boards are looking for leading indicators. If you're talking about trailing indicators, they're useful inasmuch as they confirm a thing that you planned to do in the past, so it's attainment to target. For example, let's say you wanted to implement MFA and have 99% usage across the organization. You slated that for Q1 and hit the target early in terms of proactively rolling forward and hitting these projects on time, on budget and to plan. The more of that stuff you can surface, the better.
Both lead and lag indicators serve a purpose... reliance on only one could skew the picture. I believe a balanced approach to be more beneficial... show a bit of both (learn from the past to inform the future, and learn from environmental analysis to inform decisions).