Organizations today face the critical challenge of implementing robust security measures and effectively measuring their impact. As we move into 2024, this challenge becomes increasingly complex, with heightened scrutiny from boards and regulatory bodies demanding clearer insights into an organization's security posture. The need for quantifiable metrics in information security programs is paramount to safeguarding against threats and securing necessary funding and support from decision-makers. The core of this issue lies in developing and implementing metrics that accurately reflect the effectiveness and efficiency of security initiatives. These metrics must be carefully aligned with the organization's specific security goals and overall business objectives. They serve a dual purpose: firstly, as a tool for internal assessment and continuous improvement of the security program, and secondly, to communicate the program's value and needs to non-technical stakeholders, including executive boards and investors.