Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves. The fact that established metrics and measures for the full range of security programs are few and far between tells a story about the historical disconnect between these functions and the core businesses they serve. The risk environment has changed significantly over the past 30 years, with shocking wake-up calls to CEOs, boards and shareholders. Attentive corporations have had to address the exposures uncovered in these times with more sophisticated and mainstream corporate security organizations. With this mainstreaming comes the obligation to measure performance and demonstrate bottom-line contributions. Metrics are a natural descendant of this process. It is also essential that we recognize security’s contribution to the corporate system of internal controls.