54% of CISOs lack standardized, business-relevant metrics.

Boards most often ask CISOs for the following metrics: risk-reduction trendlines (51%), quantified business impact (47%), and incident-response performance metrics (40%).

Speed of threat detection was used to evaluate AI efficacy by 57% of respondents

Speed of incident response was used to evaluate AI efficacy by 51% of respondents

False positive and negative rates are the No. 1 way that organizations reported that they evaluate the efficacy of AI in security, named by 66% of respondents

More than one-third (37.2% of CISOs) said that no platform has demonstrated its reliability for Compliance as Code.