Dear renegades, mavericks, and deviants,
All security leaders should watch the classic film 12 Angry Men. (Honestly, everyone should, but especially you.)
We’re in a sweltering jury room, the rain beating down outside. A young defendant’s life hangs in the balance. Eleven hands go up for “guilty”. But one juror isn’t sure.
What the outlier does next changes everything. He doesn’t conjure up new evidence, just tests what’s already on the table.
Bit by bit, a new narrative comes to light. The story changes. And so does the verdict.
And one of our (many, many) jobs as security leaders is to tell the true story from the evidence and make it matter.
I know two questions come up with teams every week:
“How do I get better at telling the story of our work through data?”
“How do we use data to better explain success?”
They’re the right questions.
The short answer is that it’s less about the metric itself and more about the mindset behind it. How you define “success” sets the story you’re able to tell (and the outcomes).
Have you noticed how most human-risk stories sit in one of three places?
First, there are the inputs (success = doing something)
This story sounds like “we sent twelve phishing campaigns, launched six training modules, deployed forty 40K nudges.”
It proves you were busy and helps with compliance or resourcing chats, but it stops at effort. It’s useful for showing motion, but not change. If you end here, you’re asking people to assume impact.
Then there are the outputs (success = what happened immediately after)
This is more like “ninety-three percent completed, quiz scores averaged eighty-nine, click rates dipped, reports went up”.
It’s better than inputs, because it shows reach and reaction. But it’s still limited, because it doesn’t tell a leader what actually shifted in the real world. Did risk fall, did something get faster, did the cost come down? We don’t know, because outputs hint at things, rather than actually closing the loop.
Finally, the outcomes (success = what ultimately changed)
This version starts where decision-makers care. It might look like: “unsafe sharing incidents dropped, time to revoke access for leavers shrank from weeks to days, payroll fraud losses were avoided, high-severity patches landed sooner, service downtime fell.”
Yes, it’s harder to measure, and yes, it needs a baseline. But this is the evidence that moves minds (and budgets). Outcomes link behavior to reduced exposure, speed, and savings. And these are the bits the organization feels.
I know the distinction takes some unpacking, so I put together some notes in my blog on a security metrics reboot.
Where you land today is shaped by maturity, context, and what your organization cares about. If your world is mostly compliance, an inputs/outputs story can be enough.
But if your leadership cares about risk reduction, productivity, or cost (which in my experience is 99% of them), the center of gravity has to move to outcomes.
That’s why I say start with the end and build from there, like this:
- What are you ultimately trying to achieve? (Get really specific.)
- What indicators would genuinely prove it?
- What data would measure those indicators reliably?
- Then collect a baseline, and track change over time.
This doesn’t need to be complicated. When you go all-in on outcomes-first, your inputs and outputs become the supporting evidence, not the main event.
So, be the juror who asks for ten more minutes, who asks better questions. What outcome are we trying to prove? What would count as evidence?
And start at the end. Define success in outcomes. Then build that story with data that logically leads there.
If you want examples that map human-risk work to business priorities, I put together this helpful list. And if “be more data-driven” gets said a lot where you work, take a look at this newsletter on what this overused term actually means.
It’s sometimes lonely being the outlier. So if it would help to work on your current story, book in time with me and we’ll roll up our sleeves together.
Oz A