A regular audience with executive management and the board is part of the CISO role now. And security leaders know they need to bring measurable information to the conversation to explain and justify their performance and spending. Metrics are no longer optional in security management, and if risk leaders aren’t tracking elements such as mean time to detect and respond as well as attack frequency, they are leaving out a valuable aspect of a holistic security program.