Turning Security Metrics into Board-Level Risk Reduction

(May 18, 2026)

Security leaders are often asked to solve two different problems at the same time. The first is technical: understanding where attacks are happening, which controls are working, and where the organization remains exposed. The second is commercial: explaining whether the investments being made in security are reducing the likelihood and cost of a breach in a way the business can understand.

Those two problems often run on separate tracks. The technical reality of identity attacks, third-party access, detection engineering, and incident response can be well understood inside the security function, while the board and executive team are focused on risk, resilience, cost, and business outcomes. Connecting those two tracks is one of the most important responsibilities of the CISO, and it’s also one of the hardest.

We’re exploring how CISOs can connect security metrics to business risk, why the most important board conversations often happen before the formal meeting, and how security leaders can frame investments in detection, response, outsourcing, and AI as practical ways to reduce both the likelihood and impact of a breach.

Security Metrics Must Show Security Risk Reduction

For the last five years, identity has been the major vector behind most attacks we see. The initial foothold is usually not novel exploitation, and only a small percentage of cases come from cloud exploitation. Those risks exist, but the practical reality is that many attacks begin with identity.

That creates a challenge for board reporting. There are technical questions that matter inside the security program: Have we implemented multifactor authentication? Do our applications support it? How are roles provisioned? How do onboarding and offboarding work? Those are important mechanics, but they’re not the questions a board should be spending time on.

The board-level question is whether investments in those areas are reducing risk to the business. If the organization spends a certain amount on the security program, can we show that the investment has reduced the likelihood of a breach? Just as importantly, can we show that it has reduced the cost of a breach when one happens? That’s where prevention and resilience come together, but metrics become difficult.

In many cases, the security team does not fully own the solution. A CISO might implement Okta, Entra, or another multifactor authentication suite across the company, and that may protect the organization within its four walls, but the business still needs to function. Sales teams and support teams may hire third or fourth parties who need access to systems and sensitive data. Technology teams may have to deliver that access, sometimes with security controls that sit outside the CISO’s direct span of control.

That means that when a board asks whether the company has invested in multifactor authentication, the honest answer is yes, but that investment does not actually cover everything in the broader environment. Even highly sophisticated security programs can be affected by these kinds of issues. This is why the job is so difficult: the CISO must present a clear case for risk avoidance without having the time in the board meeting itself to explain every nuance.

The best CISOs can drive outcomes even when some of the levers sit outside their direct control. That requires translating technical exposure into business risk, while being clear about what a given investment can and cannot solve.

Board Security Conversations Start Before the Board Meeting

One of the biggest mistakes a CISO can make is assuming the board meeting is where the real conversation happens. In practice, the board meeting is more like a performance. It’s the formal moment where the story is presented to investors, directors, or public stakeholders. The real action happens before that meeting.

The most important conversations are the pre-reads, the relationship-building, and the discussions that make sure nobody is surprised. If I’m presenting metrics, I want the right people to understand what is not in those metrics. If I’m asking for budget for a technology that helps monitor fourth-party risk, I want the CFO, general counsel, audit committee, or relevant board members to understand why that request is connected to the broader risk story.

That context rarely lands properly when it is heard for the first time in a board meeting. The CISO needs allies who understand what is being said, what it really means, and why the funding request matters. In those earlier conversations, there’s more room to explain the strategy, the trade-offs, and what the organization should expect on the far side of the investment.

The path to budget depends heavily on the audience. In my current role, I’m in a privileged position because our board is made up of cybersecurity experts and venture capitalists. I don’t have to explain the basics of the problem in the same way many CISOs do. In other organizations, the real decision-makers may be the CFO, the general counsel, or other leaders responsible for risk management.

That changes the language. With an attorney, the conversation may need to focus on risk reduction in the broader context of the organization. With a CFO, the conversation will often be about dollars and cents. The executive skill is learning what people care about, solving their problems, and then helping them understand how they can help solve yours.

This isn’t unique to security. It’s how all executives get things done. But in cybersecurity, the translation burden is especially high because the mechanics can be deeply technical, while the funding decision is fundamentally about business value.

Security Risk Reduction Needs Speed, Scale and Judgement

Inside the security organization, there are many technical measures that matter. Security operators care about metrics such as mean time to respond (MTTR), high-quality detection engineering, MITRE ATT&CK coverage, surface coverage, and threat intelligence. CISOs should care about those things when they evaluate the operations of their security function.

But that’s not necessarily how I would frame the business case to a CFO. For a CFO, the question is whether this is a high-leverage way to solve an operational problem. That problem includes 24-hour coverage, high-quality detection engineering at scale, visibility across the attack surface, and forward-looking threat intelligence based on what we see across 500 customers. Because this is all we focus on, we can often provide that capability more efficiently than an organization trying to hire and maintain the same team internally.

The same point applies to leading-edge threats. When recent vulnerabilities or activity from sophisticated threat actors emerge, we can see patterns across our customer base, rapidly develop intelligence, create detections, conduct retrospective hunts, and deploy those improvements within hours, and in some cases minutes. Some internal security programs can do that, but they represent a very small percentage of the market. For many organizations, the question is whether they want that capability and whether they can justify building it alone.

AI now adds another layer to this conversation. There are many strong opinions about AI in security operations, and there’s significant investment flowing into the space. Some of the ideas are excellent, and there is no doubt that AI will change security operations, but the more important question is how it helps.

You don’t want to run every alert from every vendor through a large language model (LLM). That’s unlikely to be cost-effective, time-effective, or even fully reliable. The better approach is to use the right tool for the right stage of the pipeline. AI is not just one thing, and treating it as a single entity leads to poor decisions.

A good example is identity triage. Identity is hard because every environment is different. Some companies expect employees to log in from VPNs, and some don’t. Most companies view Tor exit nodes as suspicious, but not every environment behaves the same way. Determining what’s bad in a specific environment is difficult, even for the company itself.

That’s where machine learning can help. We have built models that make identity activity much easier to understand, but we still keep analysts in the loop. The goal isn’t to remove human judgement, but to give the analyst the right information and a strong hypothesis to confirm, instead of forcing them to manually assemble context from scratch.
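The two ideas above (use the cheap tool for the cheap stage, and judge identity activity against what is normal for that specific environment) can be shown in a small staged triage pipeline. This is an added illustration, not the author's or any vendor's model: the `EnvPolicy`, `Login` and `Verdict` types, the score weights and thresholds, and the sample login events are all constructed for the example. Stage one applies deterministic rules the environment owner has already agreed on (expected VPN use, how Tor is treated); stage two compares the login with the user's own history and returns a score plus a one-line hypothesis for the analyst to confirm or refute. Only logins that neither stage can settle would be worth a more expensive stage.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Login:
    user: str
    country: str      # country of the source address (constructed sample data)
    via_vpn: bool     # arrived over the corporate VPN
    tor_exit: bool    # source address is a known Tor exit node
    mfa_passed: bool  # second factor was satisfied
    hour_utc: int     # hour of day, 0-23


@dataclass(frozen=True)
class EnvPolicy:
    """What one particular environment considers normal (hypothetical fields)."""
    name: str
    vpn_expected: bool         # employees are expected to come in over the VPN
    tor_suspicious: bool       # Tor is treated as hostile here
    home_countries: frozenset  # countries the workforce normally logs in from


@dataclass(frozen=True)
class Verdict:
    stage: str       # "rule" or "baseline": which stage decided
    action: str      # "close", "review" or "escalate"
    score: int
    hypothesis: str  # the claim an analyst is asked to confirm or refute


REVIEW_THRESHOLD = 30    # assumed weights; tune per environment
ESCALATE_THRESHOLD = 60


def build_baseline(history: Iterable[Login]) -> dict:
    """Per-user countries and hours seen in trusted prior activity."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ev in history:
        base[ev.user]["countries"].add(ev.country)
        base[ev.user]["hours"].add(ev.hour_utc)
    return dict(base)


def stage_rules(ev: Login, policy: EnvPolicy) -> Optional[Verdict]:
    """Stage 1: cheap deterministic checks; None means 'not decided here'."""
    if ev.tor_exit and policy.tor_suspicious and not ev.mfa_passed:
        return Verdict("rule", "escalate", 90,
                       f"{ev.user} authenticated from a Tor exit node without MFA "
                       f"in {policy.name}, which treats Tor as hostile")
    if ev.via_vpn and policy.vpn_expected and ev.country in policy.home_countries:
        return Verdict("rule", "close", 0,
                       f"{ev.user}: expected VPN login from a home country")
    return None


def stage_baseline(ev: Login, policy: EnvPolicy, baseline: dict) -> Verdict:
    """Stage 2: score the deviation from this user's own history and this
    environment's expectations, and phrase the result as a hypothesis."""
    score, reasons = 0, []
    hist = baseline.get(ev.user)
    if hist is None:
        score += 30; reasons.append("no prior history for this user")
    else:
        if ev.country not in hist["countries"]:
            score += 40; reasons.append(f"first login from {ev.country}")
        if ev.hour_utc not in hist["hours"]:
            score += 15; reasons.append(f"unusual hour {ev.hour_utc:02d}:00 UTC")
    if policy.vpn_expected and not ev.via_vpn:
        score += 20; reasons.append("bypassed the expected VPN")
    if ev.tor_exit and policy.tor_suspicious:
        score += 25; reasons.append("Tor exit node")
    if not ev.mfa_passed:
        score += 20; reasons.append("MFA not satisfied")
    if score >= ESCALATE_THRESHOLD:
        action = "escalate"
    elif score >= REVIEW_THRESHOLD:
        action = "review"
    else:
        action = "close"
    hypothesis = (f"{ev.user} login in {policy.name} is benign"
                  if not reasons else
                  f"{ev.user} login in {policy.name} may be account misuse: " + "; ".join(reasons))
    return Verdict("baseline", action, score, hypothesis)


def triage(ev: Login, policy: EnvPolicy, baseline: dict) -> Verdict:
    """Run the cheap stage first; fall through to the baseline only if needed."""
    return stage_rules(ev, policy) or stage_baseline(ev, policy, baseline)


# Constructed sample: two environments with different expectations.
VPN_SHOP = EnvPolicy("vpn-shop", vpn_expected=True, tor_suspicious=True,
                     home_countries=frozenset({"US"}))
REMOTE_FIRST = EnvPolicy("remote-first", vpn_expected=False, tor_suspicious=False,
                         home_countries=frozenset({"US", "DE"}))
HISTORY = [Login("alice", "US", True, False, True, 9),
           Login("alice", "US", True, False, True, 14),
           Login("bob", "DE", False, False, True, 10)]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    ev = Login("bob", "DE", False, False, True, 22)
    for policy in (VPN_SHOP, REMOTE_FIRST):
        print(policy.name, triage(ev, policy, BASELINE))
```

Running the module shows the point of the passage: the same login by `bob` is a "review" in the VPN-first environment (he bypassed the expected VPN at an unusual hour) and a "close" in the remote-first one, and the analyst receives the reasons as a hypothesis rather than raw fields to reassemble.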

What Do CISOs Need to Do?

Attackers are also using advanced technologies, and the speed and scale of defense will have to respond. CISOs will need to explain to boards and CFOs how they’re adapting as attacks move from hours to minutes, or from minutes to seconds, without changing the cost curve of the business beyond reason.

The answer won’t be technology alone. It’ll be a combination of high-quality outsourcing, targeted AI, strong human judgement, and clear communication about risk reduction. For senior cybersecurity leaders, that’s the conversation that matters most: not whether a control exists, but whether the organization can show that its investments are reducing risk in a measurable, credible, and economically sensible way.