Meaningful security metrics continue to be difficult for chief information security officers (CISOs) to create, despite a decade of discussion. Without good metrics, the security team can’t participate in business conversations alongside their peers in sales, marketing, finance, and operations. Additionally, the competence of the CISO is questioned if they can’t provide meaningful data at a time when data is ubiquitous. This report provides a complete guide to security metrics that CISOs can use to align the security team’s efforts, allocate resources strategically, and communicate results to stakeholders throughout the organization with integrity.