Cybersecurity leaders are sitting on more data than ever, yet many organisations remain unable to translate it into decisions that resonate at board level.
The core issue is not data scarcity, but the difficulty of converting technical signals into meaningful assessments of business risk. Security teams can track alerts, incidents, throughput, and response times in detail, yet still struggle to explain what those metrics mean for actual organisational exposure.
The result is a widening disconnect between security operations and executive leadership. While most directors now classify cyber issues as a core business risk, only a fraction feel they genuinely understand that risk well enough to manage it effectively.
Even fewer organisations attempt to quantify the financial impact of cyber exposure in terms that can support investment decisions or ROI modelling.
Different Data for Different Audiences
At an operational level, most security teams are comfortable measuring volume-based indicators: how many alerts are generated, how quickly incidents are closed, and how much data is flowing through detection pipelines. These figures are useful for resourcing and operational planning, but they tend to remain inward facing.
Executives, by contrast, are asking fundamentally different questions. Rather than “how many alerts were processed?”, boards want to know whether the organisation is becoming safer over time, where its exposure is concentrated, and how it compares to peers in the same industry.
This mismatch creates a persistent translation problem. Security leaders may be able to report improvements in tooling or response times, but struggle to express whether those improvements meaningfully reduce exposure to ransomware, phishing, or other key risks. Without that translation layer, cybersecurity risks remain abstract and difficult to prioritise against competing business investments.
Shifting to Risk-based ROI
A central emerging theme is the need to shift from activity-based metrics to outcome-based measurement. That means moving beyond operational throughput and towards quantifying how security controls reduce risk in financial or comparative terms.
The challenge is that, while the cost of security investments is relatively easy to define, the return on those investments is not. Organisations can readily price new tools, vendors or headcount, but struggle to quantify the corresponding reduction in risk exposure or likelihood of a breach.
This gap leaves security functions exposed to being treated as cost centres rather than strategic enablers. Without a consistent way to map controls and capabilities to measurable reductions in risk, security leaders find it difficult to build a defensible business case for investment.
A further complication is the lack of benchmarking standards. Even when organisations produce internal ‘risk scores’ or maturity ratings, those figures often lack external context. Much like a credit score without reference to peer ranges, a standalone security rating can be difficult to interpret without understanding whether it is strong, average, or weak relative to comparable organisations.
AI Intensifying the Measurement Problem
Artificial intelligence is amplifying these challenges on both sides of the security equation. On one hand, attackers are increasingly using AI to scale and accelerate cyber operations, increasing both the volume and sophistication of threats. On the other, defenders are adopting AI to improve detection, automate triage and support incident response.
The net effect is a more complex threat environment in which the traditional trade-off between volume and sophistication (high-volume attacks being crude, sophisticated attacks being rare) no longer holds. Instead, organisations face simultaneous increases in attack scale and sophistication, raising the baseline difficulty of maintaining adequate coverage.
At the same time, internal adoption of AI tools is introducing new forms of attack surface. As employees deploy AI-driven systems and ‘agentic’ tools that hold credentials, access data and perform actions on their behalf, organisations are being forced to treat these systems as assets within the security perimeter, to be inventoried and controlled like any other privileged identity. This adds yet another dimension to the challenge of measuring coverage and risk exposure in a consistent way.
Achieving Effective Decision Support
There is a maturity curve on which organisations evolve from basic operational measurement towards outcome-driven risk management. At lower levels of maturity, security teams focus on volume metrics and reactive reporting. At intermediate stages, they introduce performance benchmarking and internal targets.
Higher maturity organisations, however, aim to close the loop by directly linking security activity to risk reduction outcomes. This involves mapping technical controls to use cases, aligning them with frameworks such as MITRE ATT&CK, and ultimately expressing coverage in terms that can be compared, tracked over time and tied to investment decisions.
In this model, the goal is not simply to report on security activity, but to model how changes in tooling, process or investment will shift the organisation’s overall risk posture. That allows leaders to move from descriptive reporting (“what happened?”) to predictive analysis (“what will improve if we invest here?”).
The intent is to make security investment more defensible by explicitly linking it to measurable changes in risk exposure, while also giving organisations a clearer view of strengths, weaknesses and comparative performance over time.
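The following is an added example, not code from the original article or from any product it describes, showing one way the control-to-ATT&CK mapping and the “what will improve if we invest here?” question can be expressed in working code. Each control is mapped to the ATT&CK techniques it addresses with an assumed probability of stopping or detecting that technique; a constructed ransomware attack chain is modelled as a sequence of techniques the attacker must succeed at in order; annual expected loss is attempts per year × probability the chain succeeds × loss per success. The technique IDs are real ATT&CK identifiers, but the chain, the controls, their efficacy figures, the costs and the loss figures are all constructed assumptions for illustration and would be replaced with an organisation's own estimates.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Illustrative subset of MITRE ATT&CK technique IDs for a ransomware intrusion.
# The IDs are real ATT&CK identifiers; everything else in this example (the
# chain, the controls, their efficacy figures and the loss figures) is
# constructed and not taken from any real assessment.
TECHNIQUES = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1486": "Data Encrypted for Impact",
}

# Hypothetical attack chain: the intrusion must succeed at every stage in order.
RANSOMWARE_CHAIN = ["T1566", "T1059", "T1003", "T1021", "T1486"]


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # technique ID -> assumed probability that this control stops or detects
    # the technique when an attacker attempts it (an estimate, not a measurement)
    efficacy: Dict[str, float]


def technique_coverage(controls: List[Control], technique_ids: Iterable[str]) -> Dict[str, float]:
    """Probability that at least one control catches each technique.

    Controls are treated as independent, so the residual gap for a technique
    is the product of (1 - efficacy) over every control that maps to it.
    """
    coverage = {}
    for tid in technique_ids:
        residual = 1.0
        for control in controls:
            residual *= 1.0 - control.efficacy.get(tid, 0.0)
        coverage[tid] = 1.0 - residual
    return coverage


def coverage_summary(coverage: Dict[str, float]) -> Dict[str, float]:
    """Two figures that can be tracked over time and compared between estates:
    the share of techniques with any coverage, and the mean coverage depth."""
    n = len(coverage)
    return {
        "techniques_covered": sum(1 for v in coverage.values() if v > 0) / n,
        "mean_coverage": sum(coverage.values()) / n,
    }


def chain_success_probability(coverage: Dict[str, float], chain: List[str]) -> float:
    """An attack succeeds only if it slips past every stage of the chain."""
    p = 1.0
    for tid in chain:
        p *= 1.0 - coverage.get(tid, 0.0)
    return p


def annual_expected_loss(controls, chain, attempts_per_year, loss_per_success):
    coverage = technique_coverage(controls, chain)
    return attempts_per_year * chain_success_probability(coverage, chain) * loss_per_success


def investment_case(baseline, candidate, chain, attempts_per_year, loss_per_success):
    """Model the shift in annual expected loss if `candidate` is added to the estate."""
    before = annual_expected_loss(baseline, chain, attempts_per_year, loss_per_success)
    after = annual_expected_loss(baseline + [candidate], chain, attempts_per_year, loss_per_success)
    reduction = before - after
    return {
        "control": candidate.name,
        "ael_before": before,
        "ael_after": after,
        "risk_reduction": reduction,
        # return on the control's annual cost, net of that cost
        "roi": (reduction - candidate.annual_cost) / candidate.annual_cost,
    }


def rank_investments(baseline, candidates, chain, attempts_per_year, loss_per_success):
    """Order candidate investments by modelled risk reduction, largest first."""
    cases = [investment_case(baseline, c, chain, attempts_per_year, loss_per_success) for c in candidates]
    return sorted(cases, key=lambda case: case["risk_reduction"], reverse=True)


# Constructed baseline estate and candidate investments (hypothetical figures).
BASELINE = [
    Control("Email gateway", 40_000, {"T1566": 0.6}),
    Control("EDR", 120_000, {"T1059": 0.5, "T1003": 0.4}),
]
CANDIDATES = [
    Control("MFA on remote access", 50_000, {"T1021": 0.8}),
    Control("Phishing awareness programme", 20_000, {"T1566": 0.3}),
]

if __name__ == "__main__":
    print(coverage_summary(technique_coverage(BASELINE, TECHNIQUES)))
    for case in rank_investments(BASELINE, CANDIDATES, RANSOMWARE_CHAIN, 10, 2_000_000):
        print(f"{case['control']}: AEL {case['ael_before']:,.0f} -> {case['ael_after']:,.0f}, "
              f"reduction {case['risk_reduction']:,.0f}, ROI {case['roi']:.1f}x")
```

The point of the model is less the absolute numbers, which rest on estimated efficacies and loss figures, than the structure: because the chain multiplies residual gaps together, a control that closes a stage with no existing coverage (here, MFA on remote services against T1021) reduces expected loss far more than one that adds depth to an already-covered stage, and that difference is what a board-level business case needs to show.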