For example, instead of reporting figures relating to the applications connected to active directory, which Ballarin says doesn’t speak to security’s impact on business success, the security leaders share how investments in incident response and recovery have shortened the downtime that could be expected in the case of an event and — more to the point — the dollar value of how many more sales could happen as a result of the faster recovery time.

“This shows that even though I can’t protect against all the attacks, that if a disaster happens, we have tested what everyone has to do and we can tie that to the [better] recovery time and the business value of being able to recover in a shorter timeline,” he explains.

Better metrics mean more effective communication

The movement to metrics that speak to business value does not negate the need for the longstanding metrics that security teams have used, Fusco and others say, noting that mean time to detect (MTTD), mean time to resolve (MTTR), mean time to contain (MTTC) and other foundational measurements are still important and informative.