Measuring What Matters: Evaluating Cybersecurity Effectiveness Beyond Activity Metrics
Cybersecurity programs are commonly measured using activity-based metrics such as controls implemented, alerts generated, or vulnerabilities patched. While these indicators are easy to collect, they provide limited insight into whether security controls are actually effective in reducing risk: a rising alert count can reflect noisier rules as easily as better detection, and a patch count says nothing about whether the intrusions that matter were caught or contained. This gap between activity and outcome complicates independent testing, evaluation, and meaningful comparison across tools and programs.
This talk introduces Cybersecurity Performance Management (CPM) as a measurement framework focused on evaluating cybersecurity effectiveness using outcome-based indicators. CPM shifts attention from what security teams do to how well controls, processes, and technologies perform over time. The session explores how performance indicators can be tested, validated, and compared using real operational data rather than static checklists or vendor claims.
Drawing on experience measuring control effectiveness across diverse environments, the presentation examines practical challenges in testing security outcomes, including data quality, consistency, and bias. It also discusses how CPM-style metrics can complement independent testing methodologies by providing longitudinal insight into detection reliability, response effectiveness, and resilience under real-world conditions.
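To make the activity-versus-outcome distinction concrete, the following is an added illustration (not the speaker's CPM framework or any TDI code) that computes both kinds of indicator over a constructed data set of red-team style test intrusions and the alerts raised against them. The attack and alert records, the choice of indicators (detection rate, median minutes to detect and to contain, false-positive share) and the month-by-month windowing are all assumptions made for the example; they stand in for the "real operational data" the abstract refers to and are not drawn from the talk.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Attack:
    """A known, deliberately executed intrusion (e.g. a red-team exercise)."""
    attack_id: str
    started: datetime


@dataclass(frozen=True)
class Alert:
    """An alert raised by the detection stack. attack_id None = no real attack behind it."""
    raised: datetime
    attack_id: Optional[str]
    contained: Optional[datetime] = None  # when response closed the incident, if it did


def t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (hypothetical, for illustration only).
ATTACKS = [
    Attack("A1", t("2024-01-03T09:00")),
    Attack("A2", t("2024-01-15T14:00")),
    Attack("A3", t("2024-02-02T11:00")),
    Attack("A4", t("2024-02-20T16:00")),  # never produces an alert
]
ALERTS = [
    Alert(t("2024-01-03T09:20"), "A1", t("2024-01-03T11:00")),
    Alert(t("2024-01-03T09:25"), "A1"),
    Alert(t("2024-01-15T16:00"), "A2", t("2024-01-16T10:00")),
    Alert(t("2024-01-20T12:00"), None),
    Alert(t("2024-01-21T12:00"), None),
    Alert(t("2024-02-02T11:05"), "A3", t("2024-02-02T12:00")),
    Alert(t("2024-02-10T08:00"), None),
    Alert(t("2024-02-11T08:00"), None),
    Alert(t("2024-02-12T08:00"), None),
]


def activity_metrics(alerts):
    """What the team did: easy to count, silent about effect."""
    return {"alerts_generated": len(alerts)}


def outcome_metrics(attacks, alerts):
    """How the controls performed against the known intrusions."""
    by_attack = {}
    for al in alerts:
        if al.attack_id is not None:
            by_attack.setdefault(al.attack_id, []).append(al)
    minutes_to_detect, minutes_to_contain = [], []
    for atk in attacks:
        hits = by_attack.get(atk.attack_id, [])
        if not hits:
            continue  # missed entirely: counts against detection_rate
        first_alert = min(h.raised for h in hits)
        minutes_to_detect.append((first_alert - atk.started) / timedelta(minutes=1))
        closed = [h.contained for h in hits if h.contained is not None]
        if closed:
            minutes_to_contain.append((min(closed) - atk.started) / timedelta(minutes=1))
    false_positives = sum(1 for al in alerts if al.attack_id is None)
    return {
        "detection_rate": len(minutes_to_detect) / len(attacks) if attacks else None,
        "median_minutes_to_detect": median(minutes_to_detect) if minutes_to_detect else None,
        "median_minutes_to_contain": median(minutes_to_contain) if minutes_to_contain else None,
        "false_positive_share": false_positives / len(alerts) if alerts else None,
    }


def by_month(attacks, alerts):
    """Longitudinal view: the same indicators per calendar month, so trends are visible."""
    key = lambda d: (d.year, d.month)
    months = sorted({key(a.started) for a in attacks} | {key(al.raised) for al in alerts})
    report = {}
    for y, m in months:
        a_in = [a for a in attacks if key(a.started) == (y, m)]
        al_in = [al for al in alerts if key(al.raised) == (y, m)]
        report[f"{y}-{m:02d}"] = {**activity_metrics(al_in), **outcome_metrics(a_in, al_in)}
    return report


if __name__ == "__main__":
    for month, metrics in by_month(ATTACKS, ALERTS).items():
        print(month, metrics)
```

On this constructed data the alert volume barely moves between the two months (5 and then 4 alerts), while the detection rate falls from 1.0 to 0.5 and the false-positive share rises from 0.4 to 0.75; an activity dashboard would show a stable program, the outcome indicators show one that got worse. The design choice worth noting is that every outcome indicator is anchored to ground truth (a known intrusion and its start time) rather than to the alert stream, which is what makes the numbers comparable across tools and over time.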
The session aims to stimulate discussion on how the security community can improve transparency, comparability, and rigor in cybersecurity testing. Attendees will leave with a practical model for evaluating security performance that supports more meaningful assessments, better tool selection, and clearer understanding of what actually works in practice.
Paul Innella
CEO, TDI
Washington, District of Columbia, United States