From Frameworks to Financials: How to Measure Cyber Security Like a Business Leader

  • Writer: Martin Bally
  • May 12
  • 4 min read

If you ask ten CISOs how they measure their cybersecurity program, nine of them will point to a framework, likely the NIST Cybersecurity Framework (CSF) 2.0. They will show you a maturity score, a color-coded heatmap, and a chart comparing their program to industry peers.


While that is a good starting point, it is far from the whole picture.

Relying solely on maturity frameworks creates a false sense of security. Maturity only answers one question: Are we doing the right things? It does not tell you how well you are doing them, nor does it prove that the investment was worth it. To accurately measure a cybersecurity program, and to communicate that value to executive leadership and the Board, you must move beyond maturity and adopt a three-pillar approach: Maturity, Efficacy, and Risk-Based Quantification.


Pillar 1: Maturity (The "What")

Frameworks like the NIST Cybersecurity Framework (CSF) 2.0 are essential for establishing your programmatic baseline. They break down security into understandable domains (Govern, Identify, Protect, Detect, Respond, Recover) and allow you to measure your posture across people, process, and technology.


Typically measured on a standard 0 to 5 capability maturity model (ranging from non-existent to fully optimized), maturity assessments answer a fundamental question: What are we doing, and do we have repeatable processes in place?


Boards naturally gravitate toward maturity scores because they are easy to digest. They provide a straightforward, quantitative way to answer the question, "Where do we sit against our industry peers?" If the industry average is a 3.0 and your program scores a 3.2, it creates a comforting narrative in the boardroom.


The Trap of the "Checkbox" Mentality

However, relying exclusively on maturity is a dangerous game, and it is where many CISOs get complacent. Maturity is ultimately just an evaluation of documentation, policy, and programmatic existence. You could score a highly mature "Level 4" in Incident Response because you have a beautifully written, fully documented IR plan sitting in a binder. But if your team has never run a tabletop exercise to test that plan during a simulated crisis, your true operational readiness is near zero.


Furthermore, benchmarking against your vertical only tells you if you are keeping up with the pack. If your entire industry is historically under-secured, being slightly above average still leaves you exposed.


If you are building your program correctly, you should never be chasing a number. True maturity means aligning your program directly to the business risk and the strategic goals of the organization. When you do that successfully, you will inherently find yourself on par with, or far exceeding, your peers. It is not about chasing a score; it is about aligning to the relative risk you are actually managing against.


Maturity is only one-third of the puzzle. A high maturity score proves you have built the car; it doesn't prove the car can actually drive at highway speeds or survive a crash. To prove your program actually works, you must move to the second pillar.


Pillar 2: Efficacy (The "How Well")

If maturity is the "what," efficacy is the "how well." You must measure the operational effectiveness of your controls through value-added KPIs. This is where many programs fall into the trap of vanity metrics.


You cannot simply report that "X number of people clicked a phishing email," "Y number of incidents were reported," or "our firewall blocked 10,000 intrusions today." Those are raw operational counts, not measures of value.


Instead, efficacy metrics must demonstrate how well a control is actually performing its job. For example, rather than counting blocked intrusions, measure your Detection Confidence. What is your quantified level of confidence that your defenses can detect the known TTPs (Tactics, Techniques, and Procedures) of the threat actors currently targeting your environment? That is a value-added KPI because it proves your controls are actively mitigating real-world risk, rather than just generating noise and alerts.
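As an added illustration (not the author's own method or tooling) of what a Detection Confidence KPI could look like in code, the following model takes a small constructed coverage table of techniques, the threat actors known to use them, and the evidence behind each detection. The evidence weights, the technique and actor labels, and the idea of scoring a technique by how many actors of interest use it are assumptions made for the example; the point it demonstrates is that "a rule exists" and "the rule fired in a test" are not the same thing, which is the same gap the binder-bound IR plan above illustrates.

```python
"""Detection Confidence KPI over a constructed TTP coverage table.

Added example, not from the original post. It scores only the techniques
attributed to the threat actors currently of interest, and weights each
one by how much we trust its detection: a deployed-but-never-exercised
rule earns partial credit, a detection that fired in a controlled test
earns full credit. Compare with the naive "rule coverage" count.
"""
from dataclasses import dataclass

# Trust weight per evidence level. These weights are an assumption for the
# example; a real program would agree them with the detection team.
EVIDENCE_WEIGHT = {
    "none": 0.0,         # no detection for this technique
    "rule_exists": 0.4,  # a rule is deployed but has never been exercised
    "validated": 1.0,    # the detection fired in a controlled test
}


@dataclass(frozen=True)
class TechniqueCoverage:
    technique: str      # technique label (constructed, not real ATT&CK ids)
    actors: frozenset   # threat actors known to use this technique
    evidence: str       # one of the EVIDENCE_WEIGHT keys


def detection_confidence(coverage, actors_of_interest):
    """Return (confidence, gaps) for the techniques used by actors of interest.

    confidence is the importance-weighted mean of the evidence weights, where
    importance is the number of actors of interest that use the technique.
    gaps lists every relevant technique that is not fully validated, most
    important first, so the KPI comes with its own remediation queue.
    """
    relevant = [c for c in coverage if c.actors & actors_of_interest]
    if not relevant:
        return 0.0, []
    total_importance = 0.0
    weighted = 0.0
    gaps = []
    for c in relevant:
        importance = len(c.actors & actors_of_interest)
        total_importance += importance
        weighted += importance * EVIDENCE_WEIGHT[c.evidence]
        if c.evidence != "validated":
            gaps.append((c.technique, c.evidence, importance))
    gaps.sort(key=lambda g: (-g[2], g[0]))
    return round(weighted / total_importance, 3), gaps


def rule_coverage(coverage, actors_of_interest):
    """The vanity version: fraction of relevant techniques with any rule at all."""
    relevant = [c for c in coverage if c.actors & actors_of_interest]
    if not relevant:
        return 0.0
    with_rule = sum(1 for c in relevant if c.evidence != "none")
    return round(with_rule / len(relevant), 3)


# Constructed sample data: four techniques, three actors.
COVERAGE = [
    TechniqueCoverage("TTP-01", frozenset({"ACTOR-1", "ACTOR-2"}), "validated"),
    TechniqueCoverage("TTP-02", frozenset({"ACTOR-1"}), "rule_exists"),
    TechniqueCoverage("TTP-03", frozenset({"ACTOR-2", "ACTOR-3"}), "none"),
    TechniqueCoverage("TTP-04", frozenset({"ACTOR-3"}), "validated"),
]

if __name__ == "__main__":
    targeting_us = {"ACTOR-1", "ACTOR-2"}
    confidence, gaps = detection_confidence(COVERAGE, targeting_us)
    print(f"rule coverage:        {rule_coverage(COVERAGE, targeting_us):.0%}")
    print(f"detection confidence: {confidence:.0%}")
    for technique, evidence, importance in gaps:
        print(f"  gap: {technique} ({evidence}, used by {importance} actor(s) of interest)")
```

Run against the constructed table with ACTOR-1 and ACTOR-2 as the actors of interest, rule coverage reports 67% while detection confidence reports 60%, and the gap list names the unexercised rule and the missing detection in priority order. The same table re-scored for a different set of actors gives a different answer, which is the behaviour you want from a KPI tied to "the threat actors currently targeting your environment".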


A critical, often-overlooked strategy for measuring this efficacy is building a strong partnership with Internal Audit. Audit should be your best friend. Instead of fearing their findings, partner with them during the audit planning phase. Direct them toward areas where you perceive risk, such as M&A integration or a newly built AWS, GCP, or Azure environment.


When you align with Audit, their findings reinforce your assessments. If Cyber is a top-five risk in your company's Enterprise Risk Management (ERM) register, an Audit report highlighting a gap is often the fastest way to get the visibility and funding required to fix it. Couple this with periodic self-assessments and external audits, and you have a robust measure of actual efficacy.


Pillar 3: Risk-Based Quantification (The "Next Steps")

If you build your program correctly, you aren't just chasing a higher maturity score; you are aligning security with business objectives. This is where the third pillar, risk-based quantification, comes in. Risk is fluid, like water running through a stream. You need a way to measure the financial impact of that risk to determine your next move.


When evaluating a new security initiative, quantification allows you to ask the right questions:

  • Will this investment meaningfully move the bar on maturity and efficacy?

  • Is it aligned with where our actual business risk lies?

  • Are we getting the best "bang for our buck," or could we mitigate more risk by funding two smaller initiatives instead?


There are many complex tools on the market for risk quantification, but they often require an immense amount of business context to function correctly. Sometimes, the most effective approach is to build a simple, pragmatic model yourself. Think of it like a credit score or an insurance quote—it should be a straightforward, relatable formula that translates complex cyber risk into a business decision.
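To show what "a simple, pragmatic model yourself" can look like, here is an added example (not the author's formula or any vendor's tool). It assumes each risk scenario is an annual likelihood multiplied by a dollar impact, that an initiative reduces the likelihood of the scenarios it addresses by a stated fraction for a fixed annual cost, and that reductions from several initiatives on the same scenario compound rather than add. Every scenario, initiative and figure is constructed for the example. It answers the three questions above directly: how much each option moves the residual risk, whether it lands on the scenarios that carry the loss, and whether a bundle of smaller initiatives beats one large one within the same budget.

```python
"""A pragmatic cyber risk quantification model (added example, constructed data).

Expected annual loss (EAL) per scenario = annual likelihood * impact.
An initiative reduces the likelihood of named scenarios by a fraction at a
fixed annual cost. The model reports risk reduced, residual (managed) risk,
and risk reduced per dollar, then brute-forces the best bundle under a budget.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_likelihood: float  # probability the scenario occurs in a year
    impact_usd: float         # loss if it occurs


@dataclass(frozen=True)
class Initiative:
    name: str
    annual_cost_usd: float
    likelihood_reduction: dict  # scenario name -> fraction of likelihood removed


def residual_loss(scenarios, initiatives):
    """Expected annual loss after the initiatives are applied.

    Reductions on the same scenario compound multiplicatively: two 50%
    reductions leave 25% of the original likelihood, not 0%.
    """
    total = 0.0
    for s in scenarios:
        remaining = s.annual_likelihood
        for i in initiatives:
            remaining *= 1.0 - i.likelihood_reduction.get(s.name, 0.0)
        total += remaining * s.impact_usd
    return total


def evaluate(scenarios, initiatives):
    """Summarise a bundle of initiatives in boardroom terms."""
    baseline = residual_loss(scenarios, [])
    residual = residual_loss(scenarios, initiatives)
    cost = sum(i.annual_cost_usd for i in initiatives)
    reduced = baseline - residual
    return {
        "names": [i.name for i in initiatives],
        "cost": cost,
        "risk_reduced": reduced,
        "residual": residual,            # the managed risk you present
        "reduction_per_dollar": reduced / cost if cost else 0.0,
    }


def best_portfolio(scenarios, initiatives, budget):
    """Exhaustively pick the subset within budget that removes the most EAL.

    Fine for a handful of initiatives; a real backlog would need a smarter search.
    """
    best = None
    for k in range(len(initiatives) + 1):
        for combo in combinations(initiatives, k):
            result = evaluate(scenarios, list(combo))
            if result["cost"] > budget:
                continue
            if best is None or result["risk_reduced"] > best["risk_reduced"]:
                best = result
    return best


# Constructed scenarios (baseline EAL: 1.0M + 0.6M + 0.2M = 1.8M USD).
SCENARIOS = [
    Scenario("ransomware", 0.20, 5_000_000),
    Scenario("cloud_misconfig_breach", 0.30, 2_000_000),
    Scenario("phishing_account_takeover", 0.50, 400_000),
]

# Constructed initiatives: one large platform overhaul versus three smaller ones.
INITIATIVES = [
    Initiative("platform_overhaul", 600_000, {"ransomware": 0.6, "cloud_misconfig_breach": 0.5}),
    Initiative("edr_rollout", 250_000, {"ransomware": 0.5}),
    Initiative("cspm", 150_000, {"cloud_misconfig_breach": 0.5}),
    Initiative("mfa_everywhere", 100_000, {"phishing_account_takeover": 0.8, "ransomware": 0.2}),
]
BY_NAME = {i.name: i for i in INITIATIVES}

if __name__ == "__main__":
    print(f"baseline EAL: ${residual_loss(SCENARIOS, []):,.0f}")
    for i in INITIATIVES:
        r = evaluate(SCENARIOS, [i])
        print(f"{i.name:18} cost ${r['cost']:>9,.0f}  reduces ${r['risk_reduced']:>11,.0f}"
              f"  ({r['reduction_per_dollar']:.2f} per $)")
    best = best_portfolio(SCENARIOS, INITIATIVES, budget=600_000)
    print(f"best within $600k: {best['names']} reduces ${best['risk_reduced']:,.0f},"
          f" residual ${best['residual']:,.0f}")
```

With these constructed numbers the single overhaul removes $900k of expected loss for $600k, but the three smaller initiatives together remove $1.06M for $500k, which is the "two smaller initiatives" case from the list above made concrete. The residual figure is what you carry into the boardroom as managed risk: it says what remains after the plan, not just what is being spent.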


The Boardroom Conversation

When you bring this three-pronged approach to the executive team or the Board, the conversation fundamentally shifts.


You are no longer just presenting a list of technical gaps. You are saying: "Here is our maturity level (we are doing the right things). Here are our value-added metrics (we are doing them well, and we have the detection confidence to prove it). And here is our quantified investment strategy (this is why we are spending money here, and this is the direct, managed risk we are mitigating)."


Crucially, you must always present risk as managed risk. You cannot drop a massive, unmitigated threat in the boardroom without an action plan. By utilizing Maturity, Efficacy, and Risk Quantification, you provide a clear, measured, and business-aligned roadmap that proves the true value of your security program.
