Opinions expressed by Digital Journal contributors are their own.
Are your cybersecurity investments delivering real value? For Maman Ibrahim, the real test of cybersecurity performance is whether an organization can turn technical risks into business language that leaders understand and use to make decisions. Having led IT audit and risk functions for global companies of more than 100,000 employees, he has built a career around helping executives translate complexity into clarity. Across industries such as telecommunications, pharmaceuticals, and manufacturing, his work has focused on a single goal: making cyber resilience measurable, understandable, and useful.
The challenge of measuring what you don’t see
When cybersecurity functions smoothly, it almost disappears. Systems operate as expected, outages never occur, and potential threats are resolved before they reach headlines. That very success creates a visibility problem. “Cybersecurity has become one of the largest line items in every corporate budget,” Maman explains. “But when everything is working well, it’s challenging for leaders to justify additional investment year after year. If nothing happens, it looks as if there’s nothing to fund.”
Complexity adds to this problem. Security teams must constantly decide which risks deserve attention, often amid new technologies and changing regulations. Meanwhile, executives are left interpreting reports that sound technical and detached from business priorities. “You cannot monitor or control what you cannot measure,” Maman says. The challenge lies in creating measurements that connect security performance to real business outcomes.
Turning metrics into meaning
Over years of advising boards and chief information security officers, Maman has observed that meaningful metrics share certain traits, even if no single formula applies. A metric must be relevant to the company’s strategic priorities, clear enough for a non-technical leader to grasp quickly, and practical enough to guide decision-making.
“If you need half an hour to explain a metric, you’ve got it wrong,” he says. “Cyber metrics should make sense to business leaders in less than a minute.” The key, he adds, is translation. A technical phrase such as “we have a CVE 10 vulnerability” means little to a board, but a description that explains the risk as “a flaw that could delay production” or “reduce system capacity” immediately links it to business performance.
Good metrics also allow leaders to compare progress over time and maintain balance between indicators that forecast risk and those that reflect past performance. The strongest systems, in Maman’s experience, give executives the confidence to answer fundamental questions without guesswork: how quickly they detect and respond to a disruption, and how adequate their controls are in preventing or mitigating risks.
AI, regulation, and the new cyber landscape
New technologies and regulatory frameworks are changing how companies measure effectiveness. Artificial intelligence offers efficiency in collecting and analyzing data, yet Maman is cautious. “Technology will not make your metrics better,” he says. “What makes metrics better is real operational effectiveness. It’s still garbage in, garbage out.”
At the same time, frameworks such as the NIST Cybersecurity Framework, the SEC S-K rules, the Digital Operational Resilience Act, and NIS 2 are pushing organizations toward greater transparency. AI itself introduces new areas that require oversight, including ethics, data privacy, and accountability. Maman believes companies will increasingly need to prove that technology is not only secure but also used responsibly and aligned with corporate values.
From risk to confidence
For Maman, the end goal of measurement is confidence. The strength of a cybersecurity program does not come from the number of metrics but from the clarity of the few that matter most. Poorly designed measurements can obscure risks and weaken trust, while clear, relevant ones allow leaders to act decisively when the stakes are high.
As artificial intelligence and regulation reshape the risk environment, his approach offers a grounded path forward. It connects cybersecurity performance directly to leadership assurance, transforming measurement from a technical exercise into a source of strategic insight.
