Information Security Metrics for Executives: How to Close the Value Gap
April 2026
The gap between how security teams measure their work and how boards evaluate organisational risk is not a presentation problem. It is a structural failure with measurable consequences.
The IBM Cost of a Data Breach Report 2025 put the global average breach cost at $4.44 million. That figure represented the first decline in five years, yet it arrived alongside evidence that the human and operational costs of a breach continue to grow.
Budgets are rising. Outcomes are not improving at the same rate. Something in the middle is broken, and it is not the technology.
Security teams have become highly capable at measuring their own activity: vulnerabilities remediated, alerts triaged, incidents closed. What they have not consistently done is connect those measurements to the outcomes boards use to make decisions.
When those connections are missing, boards fund what they can see and understand, which tends to mean tools and licences rather than the people who operate them. That pattern came through clearly in survey research conducted for this article, with security leaders across sectors describing the same experience independently.
Why Security Teams Report at the Wrong Level for Executive Audiences
Most security leaders are not poor communicators. They are reporting at the wrong altitude.
A board deck full of patch compliance rates and MTTR figures is not a communication failure. Aparna Himmatramka, Security Engineering Manager at Amazon, describes it as a calibration failure, and the distinction matters. Operational data carries no connective tissue linking it to the decisions the board is being asked to make.
Himmatramka describes a Security Metric Maturity Model she developed for security programmes, which progresses through five tiers: Operational (foundational activity data), Compliance, Tactical, Strategic, and Predictive (forward-looking continuous improvement). Her central observation is that executive visibility should increase as you move up the tiers. Boards should rarely see Tier 1 or 2 data in raw form.
Handing a board operational figures and expecting them to draw strategic conclusions is the equivalent of giving a CFO a spreadsheet of individual transactions instead of a profit and loss statement.
The practitioner instinct to show work is understandable. SOC teams are trained to document everything. But the skills that make someone an effective analyst are not the same skills required to communicate risk at board level.
That gap rarely gets addressed because it sits in neither camp cleanly.
When it falls through consistently, the cost is not just a funding conversation. It shows up in breach data.
What the Communication Gap Costs Beyond Budget Discussions
When boards cannot evaluate security value, they make funding decisions by proxy. They fund what they can name and understand, which is usually technology. This is rational behaviour in the absence of a better signal, but the consequences are predictable.
The result is tool proliferation, underinvestment in human capital, and a capability gap that surfaces not in security architecture but in the people responsible for operating it. The ISC2 2025 Cybersecurity Workforce Study found that 95% of respondents reported at least one skills deficiency, with 59% citing critical or significant gaps. Skills shortages now outrank headcount as the most pressing workforce challenge, a finding covered in depth in the CyberDesserts cybersecurity skills roadmap.
That is a board-level risk, not an HR problem: the skills eroding fastest are the ones that stand between an attacker and a successful breach. As our February 2026 cybersecurity career report shows, those gaps are sharpest in cloud security and AI security, the domains where the threat surface is growing fastest.
The Verizon Data Breach Investigations Report 2025 found that 60% of breaches involved a non-malicious human element, a person making an error or falling victim to a social engineering attack. Third-party involvement in breaches doubled to 30% year-on-year, a trend we cover in our Gartner supply chain retrospective.
These are not tool failures. They are people and process failures, and they become predictable when human capital is deprioritised in favour of technology spend.
Our February 2026 threat landscape report tracked phishing as the single most common initial access vector across 200+ monitored threat entities. No tool neutralises that vector without trained people behind it.
Fixing the gap means changing what security leaders bring into the room.
What Executive-Ready Information Security Metrics Look Like in Practice
The translation from operational to executive-ready is not about simplifying data. It is about connecting it to the reference frame a board member works within.
Vulnerability count becomes a multi-dimensional exposure calculation. "We remediated 500 vulnerabilities this month" tells a board nothing useful.
A stronger framing maps risk to operational reality: high-risk vulnerabilities affecting core systems have decreased by 20% over six months. A successful compromise would carry an estimated recovery window of three to five days, representing direct revenue loss for each day of downtime, plus the longer tail of customer trust erosion that takes years to reverse.
Mapped against the IBM 2025 average of $4.44 million per breach and adjusted for your sector, that gives the board a risk quantification they can weigh against programme spend. The global average is a blunt starting point; where the report's sector and regional breakdowns apply to you, they are the better input.
Mean time to respond becomes operational continuity. A 30% MTTR improvement is a win for a SOC team. Reframed for the board: our incident response capability means a critical system disruption would be contained within X hours rather than Y hours, which at our revenue per hour represents Z in protected revenue.
Phishing click rate becomes probability of financial exposure. Rather than reporting percentages, translate the figure into the likelihood that a single successful social engineering attempt could result in authorised payment fraud, data exfiltration, or ransomware deployment. The human risk proxy becomes a business risk proxy.
Even with better metrics, security leaders face a harder question: how do you justify the investment when nothing has visibly gone wrong?
How to Justify Cybersecurity ROI When Nothing Bad Has Happened
The absence of incidents is not a value narrative. Justifying security spend by pointing to what has not happened is the equivalent of a finance director claiming credit for revenue that was never at risk.
The more durable frame is insurance logic. Any board that has approved business interruption insurance understands probable loss offset by premium. Security investment maps directly to that model: a realistic incident at your scale carries a calculable probable cost, and the programme spend reduces both the probability and the impact.
There is a named framework for this calculation: Return on Security Investment, or ROSI. At its simplest, ROSI compares the reduction in probable loss against the cost of the control delivering that reduction.
The arithmetic is the reduction in annual loss expectancy minus the control's cost, divided by the control's cost. A control costing $50,000 that reduces annual loss expectancy by $200,000 returns ($200,000 − $50,000) / $50,000 = 3, a 3:1 return. The inputs require honest estimation rather than precision, but the model gives boards a financial frame they can engage with rather than a technical argument they cannot evaluate.
The human capital argument fits the same model. An analyst who identifies a phishing campaign before it executes does not generate a headline, but the cost avoidance is real and calculable.
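The following is an added worked example of the ROSI model above, not code from the article or from either of the practitioners it quotes. It expresses annual loss expectancy as single loss expectancy times annual rate of occurrence, lets a control reduce probability and impact separately (the page's insurance-logic point), reuses the page's MTTR translation (hours of downtime times revenue per hour) as the impact input, and recomputes the result across several occurrence-rate estimates so the working is visible. Every scenario figure, control name and reduction fraction is constructed for illustration; the $200,000 reduction at $50,000 cost is the page's own example and is checked to give 3:1.

```python
"""
Return on Security Investment (ROSI) in the insurance-logic frame:
  ALE  = SLE x ARO          (annual loss expectancy)
  ROSI = (ALE_before - ALE_after - control_cost) / control_cost
A control lowers ALE by cutting probability (ARO), impact (SLE), or both.
All scenario figures in this file are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float   # ARO: expected incidents per year (an estimate, not a measurement)
    single_loss: float   # SLE: cost of one incident, in currency units

    @property
    def ale(self) -> float:
        """Annual loss expectancy: the 'probable loss' a board weighs against premium."""
        return self.annual_rate * self.single_loss


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_reduction: float  # fraction of ARO the control removes, 0..1
    impact_reduction: float       # fraction of SLE the control removes, 0..1

    def apply(self, scenario: Scenario) -> Scenario:
        """Residual scenario after the control: ARO and SLE scaled down independently."""
        for fraction in (self.probability_reduction, self.impact_reduction):
            if not 0.0 <= fraction <= 1.0:
                raise ValueError("reduction fractions must lie within [0, 1]")
        return replace(
            scenario,
            annual_rate=scenario.annual_rate * (1.0 - self.probability_reduction),
            single_loss=scenario.single_loss * (1.0 - self.impact_reduction),
        )


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """ROSI as a ratio. The page's example, a $200,000 ALE reduction for a
    $50,000 control, yields 3.0 (3:1)."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


def outage_sle(hours_down: float, revenue_per_hour: float,
               fixed_recovery_cost: float = 0.0) -> float:
    """SLE for a disruption: revenue lost over the outage window plus any fixed
    recovery cost. This is the page's MTTR-to-protected-revenue translation
    expressed as impact, so halving containment time halves this term."""
    return hours_down * revenue_per_hour + fixed_recovery_cost


def rosi_sensitivity(scenario: Scenario, control: Control,
                     rates: dict[str, float]) -> dict[str, float]:
    """ROSI recomputed for several ARO estimates: the 'show the working' step,
    since ARO is usually the weakest input in the model."""
    results = {}
    for label, aro in rates.items():
        before = replace(scenario, annual_rate=aro)
        after = control.apply(before)
        results[label] = rosi(before.ale, after.ale, control.annual_cost)
    return results


# Constructed scenario: a core-system outage with a 72-hour recovery window and
# $20,000/hour of revenue at risk, expected once every five years (ARO 0.2).
OUTAGE = Scenario("core system outage", annual_rate=0.2,
                  single_loss=outage_sle(hours_down=72, revenue_per_hour=20_000))

# Constructed control: IR retainer plus SOC staffing at $60,000/year, estimated to
# cut the probability by a quarter and halve the recovery window.
IR_PROGRAMME = Control("IR retainer + SOC staffing", annual_cost=60_000,
                       probability_reduction=0.25, impact_reduction=0.5)


def worked_example() -> dict:
    """ALE before and after the control, the resulting ROSI, and its sensitivity
    to the occurrence-rate estimate."""
    residual = IR_PROGRAMME.apply(OUTAGE)
    return {
        "ale_before": OUTAGE.ale,
        "ale_after": residual.ale,
        "rosi": rosi(OUTAGE.ale, residual.ale, IR_PROGRAMME.annual_cost),
        "sensitivity": rosi_sensitivity(
            OUTAGE, IR_PROGRAMME,
            {"low_aro": 0.1, "expected": 0.2, "high_aro": 0.4}),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

With the constructed inputs the control takes ALE from $288,000 to $108,000, a 2:1 return at the expected rate, 0.5:1 if incidents are half as frequent and 5:1 if twice as frequent. Presenting that range, rather than the single point, is what turns an estimate into something a board can interrogate.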
The FBI IC3 2024 Annual Report recorded $2.77 billion in BEC losses across 21,442 complaints. That is the baseline for what a single successful social engineering attempt can cost.
Prevention is harder to dramatise than a breach. It is also considerably cheaper. With $2.77 billion in BEC losses recorded in 2024 alone, the question for any board is not whether prevention is worth funding. It is whether the programme is being presented in a way that makes the answer obvious.
One Audit That Will Improve Your Security Board Reporting Immediately
The framework exists. The gap is usually in applying it to what you are already presenting.
Before your next board presentation, apply Himmatramka's framework: pull your last deck and assess every metric by tier. If everything sits at Tier 1 or 2, you are handing the board raw ingredients and asking them to cook the meal.
The target is Tier 4 (Strategic) and Tier 5 (Predictive): metrics that connect security performance to business outcomes and forward-looking risk reduction, not activity counts. That is the level at which boards can make informed decisions about risk tolerance, investment direction, and whether the programme is moving in the right direction.
Start with one metric per domain: your most credible vulnerability management figure, your most meaningful detection metric, and your most relevant human risk indicator. For each one, ask: what business decision does this inform, and what does it mean for revenue, operational continuity, or regulatory exposure?
If you cannot answer that question, either reframe the metric or remove it from the board deck. Operational data belongs in operational reporting.
Boards will keep approving security budgets. The question is whether that spend is being justified on evidence or assumption.
Two things change that. The first is translation: security metrics reframed as revenue risk, operational continuity, and probable loss reduction give boards something they can evaluate rather than accept on trust. The second is Return on Security Investment. ROSI turns the prevention argument into a financial model, one that boards already use when they buy business interruption insurance or approve capital expenditure. The inputs require estimation, not precision. The credibility comes from showing the working.
Together they move security from a cost to be managed into a position the board can govern. That is the shift John Coursen, CISO and Founding Partner at Fortify Cyber, describes: from "are we secure?" to "are we operating within our risk tolerance?" It only happens when the people in the room have the data to answer it.
Acknowledgements
Aparna Himmatramka, Security Engineering Manager, Amazon
John Coursen, CISO and Founding Partner, Fortify Cyber
References
IBM Security. (2025). Cost of a Data Breach Report 2025. IBM Corporation.
ISC2. (2025). 2025 ISC2 Cybersecurity Workforce Study. ISC2.
Verizon. (2025). 2025 Data Breach Investigations Report. Verizon Business.
Federal Bureau of Investigation. (2025). 2024 Internet Crime Report. Internet Crime Complaint Center (IC3).