Organizations worldwide are failing to deliver cybersecurity metrics that serve their boards, executives, and operational teams, and the emergence of AI has widened that gap significantly. Cyber risk has risen from an operational concern to an existential business risk. Ransomware attacks have shut down companies outright. Regulatory frameworks, including DORA, NIS2, and SEC disclosure rules, now hold boards directly accountable for risk and compliance posture. The stakes have never been higher, yet the tools used to communicate cybersecurity health remain fundamentally misaligned with the audiences that need to act on them.
Just as revenue and expense data flows across every level of an organization, cybersecurity risk intelligence must reach operations, management, and governance audiences, calibrated to each. The message appropriate for a security operations team is not the message appropriate for a board of directors.
More importantly, many CISOs do not know how to communicate with executives and board members, and executives and board members do not know what they want from CISOs. CISOs want to talk in cybersecurity terms, but executives and board members understand business, revenue (dollars), and resilience, not cybersecurity. This data-driven cybersecurity metrics framework was written specifically to deal with that problem in a way that lets the CISO, executives, and board members communicate in a language both understand.
Why cybersecurity metrics are misunderstood
Cybersecurity matured in reverse. Unlike most disciplines that flow from strategy to goals to policies to tactics, cybersecurity built itself from the bottom up: tactics first, strategy last, if ever. The consequences of that legacy persist today:
- Formal strategy is largely an accumulation of small tactical decisions made over decades, never designed for governance audiences.
- Boards are routinely presented with operational metrics — firewall blocks, vulnerability counts, patch rates — that were never built for governance consumption.
- Regulatory pressure is accelerating the problem: governments worldwide now hold executives and boards directly accountable for risk and compliance posture.
- The result is a persistent, structurally embedded mismatch between what cybersecurity teams can easily produce and what governance audiences actually need.
Why executive and board meetings fail to communicate cyber risk
Boards govern. Executives strategize. Neither runs day-to-day operations. Yet most cybersecurity presentations treat them as if they do:
- Executives lack deep cybersecurity domain expertise by design; their role is strategic governance, not running a security operations center.
- When metrics are misaligned, board meetings devolve into data dumps, forcing executives to decode technical minutiae rather than engage in meaningful risk dialogue. A single DLP block statistic can consume an hour of board time with no actionable outcome.
- CISOs typically rise through technical security leadership, not business management, limiting their experience translating risk into the language of business strategy.
- Board-level cybersecurity accountability is a relatively recent demand, driven by the ransomware pandemic rather than strategic planning. There is no established playbook; most CISOs learned by trial and error.
- The result: CISOs default to presenting what they have — operational metrics — and boards are left searching for the risk signal buried in the technical noise.
Why traditional metrics failed everyone
The failure wasn’t malicious. It was structural. Both sides operated in good faith with the wrong tools:
- Metrics were built from available data, not from audience needs. Current metrics are often fragmented across multiple repositories and formats, making collection laborious and time-consuming.
- What existed was appropriate for operations management — rarely in a form useful for executive decision-making.
- Noncompliance rates, firewall blocks, and vulnerability scan results are tactical measures with no clear call to action at the executive level.
- Management asked, “Are we OK?” and received patching statistics in response: a fundamental mismatch between the question asked and the answer provided.
- Tactical metrics aid day-to-day program management but lack the context and comprehensiveness required for strategic leadership. Without a centralized intelligence platform, this gap cannot be closed.
How AI has changed the metrics imperative
AI has added two urgent, distinct dimensions to an already unsolved problem.
Offensive: AI as an adversarial weapon
- Threat actors are weaponizing AI to generate convincing phishing campaigns at unprecedented scale.
- Deepfake audio and video are being used to impersonate executives and manipulate internal decision-making.
- AI accelerates vulnerability discovery, exploit development, and evasion of traditional detection controls.
- The net effect: faster, higher-volume, more sophisticated attacks, with compressed detection and response windows.
Defensive: Ungoverned internal AI deployments
- Organizations are embedding AI into products, services, and operational decisions at a pace that far outstrips governance and oversight controls.
- Shadow AI, agentic AI, and SaaS-embedded AI are widely deployed and largely untracked.
- This creates a new class of enterprise risk: model failures, hallucinated outputs influencing strategy, customer harm, and regulatory exposure.
- Without AI-focused metrics at every organizational level, the gap between the questions executives are asking and the answers cybersecurity leaders can provide will only widen.
The qualities of data-driven metrics
Data-driven metrics must serve specific audiences, telling a coherent story calibrated to each stakeholder’s role, accountability, and risk exposure. Three tiers are required:
| Tier (audience) | Focus and scope |
|---|---|
| Governance (Board/C-Suite) | Strategic risk oversight, compliance posture, AI governance status. 6–10 high-signal metrics organized across 4 IDC-defined categories. |
| Managerial (C-Suite/LOB/Ops Management) | Program health, AI incident trends, shadow AI exposure, regulatory compliance progress. Both strategic and tactical in nature. |
| Operational (CISO/Functional Teams) | Day-to-day control effectiveness, AI attack surface, shadow AI detection, hallucination monitoring, data protection. Essential for execution teams; too granular for boards. |
Effective data-driven metrics share these qualities:
- Audience-specific: Each tier receives only what is relevant to its function, accountability, and decision-making authority.
- Outcome-driven: They measure progress toward defined business objectives, not activity volume.
- Actionable: Every metric carries an implicit or explicit call to action, enabling informed, confident decisions.
- Contextual: Risk is framed in financial, operational, or reputational terms, not technical jargon.
- AI-inclusive: Every tier must now incorporate AI-specific risk intelligence alongside traditional cybersecurity metrics.
Elements to consider in crafting metrics
Building metrics that work requires a structured, iterative process anchored in business context, not available data.
1. Understand the risks
- Begin with the business: define key functions, processes, and associated risks before mapping them to cybersecurity priorities.
- Engage stakeholders from IT, audit, legal, risk, compliance, BISOs, and senior executives to build consensus around what matters most.
- Incorporate AI as both an internal operational risk (from the organization’s own deployments) and an external threat vector.
- Expand the stakeholder group to include AI governance officers, AI product owners, and legal or privacy counsel with AI expertise.
2. Align data collection
- Shape metrics collection around agreed risks, automating data sources through GRC platforms capable of generating audience-specific intelligence.
- Treat AI systems as first-class data sources: model inventories, output logs, decision audit trails, and third-party AI component registries are required inputs alongside traditional telemetry.
3. Analyze the data
- Use automation and AI to analyze large volumes of contextual intelligence against the risk register, surfacing asset ownership gaps, CMDB inaccuracies, and emerging risks.
- AI-generated analyses must be subject to human validation before informing decisions.
- AI output accuracy should itself become a tracked and reported metric.
4. Interpret results in business terms
- Outcomes must be specific, measurable, and meaningful — for example, a DLP implementation should show users changing behavior, exfiltration declining, and residual risk being quantified.
- When AI systems produce outcomes, interpretive frameworks must distinguish human-driven from AI-driven results and assess accuracy and fairness, not just control effectiveness.
- AI-generated recommendations must never be treated as equivalent to validated analyst conclusions.
5. Consider the stakeholders
- Manufacturing LOBs: focused on process uptime and network segmentation risks.
- eCommerce LOBs: focused on application security and architecture risks.
- AI-deploying LOBs: carry distinct AI-related cybersecurity risks requiring specific communication.
- Expand the model to include AI product owners, data scientists, and AI governance officers wherever AI intersects cybersecurity risk.
6. Empower decision-making and monitor continuously
- Cybersecurity leaders own the recommendation; the risk decision belongs to the business owner accountable for it. The cybersecurity leader's role is to build a story that lets decision owners act with confidence.
- Monitor for model drift; schedule regular AI system reevaluation and retraining.
- Continuously retire irrelevant risks and elevate newly emerging ones, including those introduced by evolving AI deployments.
- Embed AI governance explicitly: model approval policies, mandatory preproduction risk assessments, human review standards for high-risk AI decisions, and AI incident management procedures are all required.
Want the full framework? Download the Beyond the Data Dump report for detailed metric specifications, audience-tier breakdowns, and IDC’s complete recommendations.
What is needed for data-driven metrics
Effective data-driven metrics communicate risk likelihood versus business impact. They go beyond statistics to deliver actionable insights supporting both strategic and tactical decision-making. Achieving this requires:
- A centralized intelligence repository consolidating contextual business, IT, and cybersecurity data, including AI-specific signals, into a single, consistent source of truth.
- Three metric tiers (governance, managerial, and operational) generated consistently over time from that single source.
- AI-specific metrics at every tier: shadow AI detection, AI regulatory compliance posture, agentic AI governance, model IP protection, SaaS-embedded AI risk, and AI output integrity.
- Automation, machine learning, orchestration, and AI to generate an ever-evolving set of metrics and adjacent risk insights.
- Audience-specific dashboarding and stakeholder messaging that translates technical cybersecurity data into business risk language, calibrated to the level of accountability and required response.
The role of GRC platforms and intelligence fabric
Modern GRC platforms are uniquely positioned to close the metrics gap. By consolidating internal and external business, IT, and cybersecurity intelligence into a single repository, enhanced through automation, machine learning, and AI, they power consistent, audience-specific metrics at scale.
The intelligence fabric is the contextual data layer at the core of a modern GRC platform. It must enrich the risk register with:
- Newly discovered assets and their sensitivity classifications
- Potential data and asset ownership
- Estimated monetary impact of risks and compliance issues
- Contextual interpretation of risks against organizational policies
The fabric must now extend to AI-specific intelligence, organized by metric type so each audience sees the right signal at the right altitude:
The four IDC-defined metric types are:
1. Cybersecurity risk posture
2. Compliance posture
3. Program outcomes
4. AI governance status
This includes:
- AI model inventories and ownership records
- Shadow AI detection signals
- AI output logs and decision audit trails
- AI regulatory compliance mapping (EU AI Act, NIST AI RMF, and sector-specific requirements)
What this enables:
- Single source of truth: Centralized GRC intelligence across cybersecurity, IT, and business functions.
- Audience-specific dashboards: SOC views for operational teams; risk posture views for executives and boards.
- Outcome-driven metrics: Actionable statistics, trends, and risk-driven insights tied to business objectives.
- Targeted stakeholder messaging: Calibrated by audience and required response — for-your-information only, executive risk-based decision required, or action needed (e.g., budget approval).
- Reduced human bias: AI-assisted analysis increases consistency and accuracy across the metrics program.
Advice for technology buyers and suppliers
For the technology buyer
A passing awareness of cybersecurity posture is no longer acceptable at any level of leadership. Buyers should:
- Partner with a qualified cybersecurity GRC software provider experienced in collecting, analyzing, and generating audience-appropriate metrics aligned to this three-tier framework.
- Ensure the platform consolidates contextual business, IT, and cybersecurity intelligence, internal and external, into a robust, integrated repository.
- Demand at least three levels of metrics: governance (strategic), managerial (strategic and tactical), and operational (tactical), generated consistently over time from a single source.
- Require AI-specific risk metrics across all three tiers: shadow AI detection, AI regulatory compliance posture, agentic AI governance, model IP protection, and SaaS-embedded AI risk.
- Insist on automation, machine learning, and orchestration to generate an evolving metrics program that stays ahead of the threat and regulatory landscape.
- Boards must be able to confirm: Are AI systems governed? Is AI risk being measured? Are AI incidents — regulatory actions, customer harm, reputational damage — being proactively managed and reported?
For the technology supplier and services provider
The market opportunity is clear, immediate, and structurally durable. Organizations at every level need current, audience-appropriate visibility into cybersecurity risk and compliance posture, and most lack the platforms, skills, and frameworks to deliver it. Suppliers should:
- Build or extend GRC platforms with a consolidated intelligence repository that centralizes business, IT, and cybersecurity data to power consistent, audience-specific metrics at scale.
- Deliver all three metric tiers (governance, managerial, and operational) from a single consolidated intelligence source. Providers who can do this address a gap most organizations cannot close without external platform support.
- Invest in audience-specific dashboarding that translates technical cybersecurity data into business risk language, designed for boards, executives, and operational teams alike.
- Incorporate AI governance metrics: shadow AI detection, AI regulatory compliance posture, agentic AI risk, and model IP protection across all three audience tiers.
- Develop consulting and managed service offerings that help customers build data-driven, AI-inclusive metrics programs and bridge the business acumen gap most cybersecurity teams face.
- Providers who help CISOs speak the board’s language, translating cyber-risk into business risk, will earn lasting customer loyalty and reduce competitive displacement risk.
“The cybersecurity metrics market is at an inflection point. Customers are being held accountable for AI risks they cannot yet measure, and boards are demanding business risk context that most security tools still cannot deliver. Technology and service providers that step into this gap, with consolidated intelligence platforms, audience-specific metrics, and AI governance capabilities, will define the next generation of cybersecurity and GRC market leadership.” — Philip D. Harris, Research Director, Governance, Risk, and Compliance Solutions, IDC
Download the Beyond the Data Dump report for the complete cybersecurity metrics framework, detailed AI governance specifications, and IDC’s full buyer and supplier recommendations.