ODMs and PLAs: The Future of Metrics in Cybersecurity
After following Paul Proctor’s work at Gartner for many years — especially his push for meaningful cybersecurity metrics — I’ve seen his thinking evolve from fragmented activity reporting toward a more actionable, aligned, and strategic approach: Outcome-Driven Metrics (ODMs) and Protection Level Agreements (PLAs).
This evolution strongly echoes the message I shared in From Definition to Action: Measuring and Managing Cyber Risk. In that piece, I explored a foundational truth in cybersecurity:
“What is not defined cannot be measured. What is not measured cannot be improved. What is not improved is always degraded.”
And in cybersecurity, what is degraded doesn’t just weaken performance — it directly lowers our level of protection and our ability to defend our decisions. It reduces resilience. It erodes trust. And it makes it harder to justify our choices when something inevitably goes wrong.
That’s why the real question behind cybersecurity metrics is not what are we measuring? — it’s why are we measuring in the first place?
And when you strip it down, the only two questions that truly matter at the leadership level are:
What is the right amount of cybersecurity for us?
How much should we spend to achieve it?
Everything else — tool dashboards, heatmaps, compliance scores, maturity levels — should serve to answer these two questions. Unfortunately, most traditional metrics don’t. They measure effort, not effectiveness. They create reports, not clarity. They monitor activity, but not actual protection.
This is where ODMs and PLAs step in. They represent a shift from reactive, technical reporting to strategic performance governance. ODMs define protection levels in measurable terms. PLAs translate those definitions into intentional risk decisions — decisions that can be tracked, justified, and revisited over time.
In From Definition to Action, I argued that cyber risk is dynamic, shared, and continuous — and that measurement must reflect that. ODMs do just that. They allow us to know where we are, what we’re achieving for our current investment, and where we might need to shift resources to improve protection. They make cybersecurity both transparent and actionable.
PLAs, in turn, allow us to turn those insights into risk-aligned commitments. They embody what I’ve called self-correcting governance — a way for organizations to continuously align protection levels with risk appetite and cost, and adjust course as business context evolves.
In this article, I want to go a step further and ground these concepts in an analogy that most of us can relate to — buying a car. Because in the end, cybersecurity isn’t that different. It’s about trade-offs, protection levels, costs, and decisions made by people with different perspectives — but shared accountability.
Why Traditional Cybersecurity Metrics Fall Short
The truth is, most of the cybersecurity metrics we’ve relied on for years simply don’t work. Numbers like:
How many phishing emails we blocked
How many times we were attacked last month
How many vulnerabilities were detected
These may look impressive on reports, but they don’t reflect protection. Worse, we don’t control them — and we can’t make a direct investment to improve them. They don’t tell us whether we’re safer today than we were yesterday, or if our investments are making a meaningful difference.
They’re noise — and more importantly, they’re static snapshots in a world where risk is constantly moving.
As someone who has long advocated for redefining how we measure cyber risk, I’ve repeatedly emphasized that cyber risk is continuous, dynamic, and shared. It doesn’t pause between quarterly reports or wait for annual audits. Threats evolve, environments change, and our exposure fluctuates by the hour. Our measurement approach must reflect that reality.
That’s why traditional metrics fail us — not just because they’re reactive, but because they’re disconnected from the real-time nature of cyber risk. They don’t allow us to see change, adapt quickly, or make decisions with confidence.
What executives and boards really want to know isn’t how many things we blocked or scanned — it’s:
Are we protected?
Are we spending the right amount to stay that way?
That’s where Outcome-Driven Metrics (ODMs) come in. They shift the focus from what happened to what level of protection we have, and whether that protection is improving, degrading, or holding steady. And because ODMs are inherently tied to operational outcomes, they give us a way to track progress continuously — not periodically — while aligning with both technical realities and business expectations.
What Makes ODMs Different
At first glance, Outcome-Driven Metrics (ODMs) may look like just another set of operational metrics. But they do something far more powerful: they measure protection, not just activity.
Traditional metrics often tell us what happened — how many events were logged, how many alerts were triggered, or how many vulnerabilities were found. These are data points. ODMs, by contrast, tell us what was achieved. They reflect the organization’s actual defensive posture and its ability to respond to threats in a timely, consistent way.
For example:
“Average patch time for critical systems” isn’t just about tracking how fast we’re patching. It’s about reducing the window of exposure to known exploits.
“Mean time to isolate infected endpoints” doesn’t just measure incident response speed — it directly correlates to how much damage is prevented in a breach scenario.
These aren’t just operational stats — they’re risk indicators tied to business value.
And here’s the key insight: when an ODM improves, the organization is measurably better protected. When it declines, the organization is measurably more exposed. The relationship between the metric and the level of protection is direct, observable, and actionable.
This also makes ODMs incredibly powerful as value levers. They allow leadership to make informed, accountable trade-offs:
Do we want 7-day patching instead of 30-day patching?
What will that cost?
What improvement in protection does that investment actually buy us?
And importantly, they operate in real time, not just on spreadsheets. They allow for continuous assessment and adjustment. If risk posture degrades, we can respond quickly. If we exceed expectations, we can optimize investment. ODMs are the foundation for a dynamic, adaptive cybersecurity program.
This direct link between outcome and investment — between effort and protection — is what makes ODMs so transformative. They don’t just help us report the state of cybersecurity. They help us improve it.
The Power of PLAs: The Question That Changes Everything
One of the most powerful catalysts for transforming cybersecurity leadership is a deceptively simple but revolutionary question introduced by Paul Proctor:
“How many days would you like our systems available for hacking?”
This question changes everything. It reframes cybersecurity from a reactive, technical function to a strategic business decision. Instead of requesting more budget or explaining threat intelligence in technical terms, cybersecurity leaders now have a way to directly engage the executive team in outcome-based decision-making.
It’s a direct response to the two questions that matter most: What is the right amount of cybersecurity for us? and How much are we willing to spend to achieve it?
When this question is posed to executives — particularly CEOs — the instinctive answer is usually “zero days.” That is, no exposure whatsoever. But patching within zero days is not feasible in most cases, even with unlimited resources. Vulnerabilities must be discovered, patches must be tested and deployed safely, and business operations must be maintained. Risk cannot be eliminated — it must be managed. Once executives recognize this reality, the conversation shifts from ideals to trade-offs.
This is where Protection Level Agreements (PLAs) enter the picture. For example, a 7-day patching cycle might cost $5 million per year, while a 30-day patching cycle might cost $1 million. These options frame a practical risk-reward decision: what level of protection is acceptable, and how much are we willing to invest to stay within that boundary? When leadership selects one of these options, that becomes a PLA — a measurable, enforceable commitment between the business and the cybersecurity function.
A PLA might be as simple as: “We commit to 30-day patching across critical systems for $1M/year.” That agreement becomes the basis for accountability. If the organization is breached after 35 days, it reflects a failure to deliver the promised protection level. If the breach happens after 25 days, it’s the result of an accepted business decision. The risk was known and consciously taken.
The beauty of PLAs lies in their clarity. No one dictates how the $1 million should be spent — on people, automation, third-party services, or new technology. The only focus is on achieving the agreed protection outcome. This gives security teams the autonomy to act effectively, while giving leadership confidence that business risk is being managed intentionally.
PLAs operationalize cybersecurity strategy. They turn abstract goals into performance commitments and convert vague fears into tangible decisions. They create transparency and defensibility. When an incident occurs, boards and stakeholders are no longer left asking, “Did we do enough?” Instead, they can ask, “Did we meet the protection level we agreed to?” That’s a fundamental shift in how cybersecurity is governed.
Moreover, PLAs support self-correcting governance. If a breach happens within the agreed protection window but is still too damaging for the business to accept, leadership can revisit and raise the standard — from 30-day patching to 15, for example. The model becomes adaptive and resilient, not static and reactive.
But to negotiate PLAs meaningfully, organizations must understand the real cost of cybersecurity — not just what’s in the security budget, but the all-in cost of delivering a protection outcome. That includes IT and security CapEx and OpEx, but also less visible costs like business friction: productivity loss due to MFA, downtime from patching, or delays caused by compliance controls. These costs often exceed the price of the tools themselves. For example, Gartner has noted that the annual productivity impact of MFA in a large enterprise can exceed the licensing cost many times over.
This full-spectrum view allows organizations to make smarter trade-offs. It clarifies where spending more might actually cost less — because the outcome is achieved with lower friction or fewer downstream consequences. And it provides the foundation for executive conversations that are grounded, measurable, and business-aligned.
Ultimately, the question “How many days would you like our systems available for hacking?” is not just provocative — it’s transformative. It breaks through noise, replaces fear with clarity, and creates a language for cybersecurity that everyone in the C-suite can speak. It turns risk tolerance into action, cost into value, and cybersecurity into a function of measurable performance.
With ODMs as the instrumentation and PLAs as the contract, cybersecurity becomes what it should have been all along: an intentional, continuous, and accountable part of business leadership.
A Simple Analogy: Car Safety and Cybersecurity
If you’re trying to understand Outcome-Driven Metrics (ODMs) and Protection Level Agreements (PLAs) in practical terms, think about how we evaluate car safety.
When you buy a car, you don’t ask, “How many times did someone try to crash into this model last year?” — that’s like measuring how many cyberattacks your firewall blocked. It’s noise, not insight. You also don’t ask, “How many parts are in the braking system?” — that’s like listing out your cybersecurity tools. Interesting, maybe, but not helpful when making a strategic decision.
Instead, we ask:
“What’s the crash test rating?”
“Does it have automatic emergency braking or lane assist?”
Why? Because we want to know: If something goes wrong, how well will this car protect me?
That’s exactly what ODMs give us in cybersecurity: a real answer to the question, “How protected are we, really?” They measure the outcomes of controls, not just the presence of them. And they help us determine how fast we detect, isolate, patch, or recover when something fails.
Now imagine the manufacturer tells you the car will protect you in a frontal collision up to 30 mph. That’s a Protection Level Agreement (PLA) — a measurable commitment to a specific level of risk protection. You know exactly what you’re getting. If you want protection up to 60 mph, that’s a different price tag. The decision is yours.
That’s cybersecurity in a nutshell. It’s not about preventing every possible threat. It’s about making intentional, informed trade-offs based on your needs, your resources, and your risk tolerance.
No one expects to get into a car accident. But we still wear seatbelts. We still choose vehicles with solid crash ratings. We still buy insurance. And over time, as our needs change — maybe we have kids, move to a snowy climate, or start commuting longer distances — we revisit those decisions. We upgrade the car. We adjust the insurance. We adapt. Cybersecurity should work the same way.
ODMs and PLAs help us think clearly about:
What level of protection we want,
How much we’re willing to invest to get it,
And how those decisions need to evolve over time.
Just like a vehicle, a cybersecurity program isn’t a “set it and forget it” asset. It needs tuning. It needs reassessment. It needs to reflect the journey we’re on — as a business, as a team, and as a set of risk owners. And just like with car safety, we don’t measure value by how many accidents we avoided — we measure it by how well we’re protected when something actually happens.
And here’s where the analogy gets even better. Buying a car isn’t just an individual decision — it’s often a family decision. You bring different perspectives to the table:
One person is focused on budget (your CFO),
Another cares about features and performance (your CIO),
Someone is thinking about safety for the kids (your CISO),
And someone needs to make the final call, balancing it all (your CEO).
Cybersecurity is no different. Cyber risk is a business risk. Deciding how much protection we need, how much we’re willing to spend, and what level of exposure we’re willing to accept should be a shared, leadership-level decision. The challenge? Everyone often speaks a different language:
The CFO speaks in ROI and financial planning.
The CIO speaks in infrastructure and operations.
The CISO speaks in threats and controls.
The CEO speaks in strategic outcomes and accountability.
ODMs and PLAs bridge that gap. They turn cybersecurity from a siloed, technical problem into a business conversation — with a common vocabulary, a shared understanding of risk, and clear trade-offs. ODMs translate technical complexity into measurable outcomes:
“We patch critical systems within 15 days.”
That’s tangible. That’s benchmarkable. That’s something everyone can understand. PLAs take those outcomes and turn them into business agreements:
“Are we okay with 30-day patching at $1M/year, or do we want 7-day patching at $3M/year?”
That’s a trade-off everyone at the table can understand and weigh in on. And just like in a family car purchase, the goal isn’t to win the argument — it’s to agree on the right balance of cost, safety, and performance for this moment in time.
And just like vehicles, cybersecurity needs change over time. That’s why ODMs and PLAs aren’t just metrics or contracts — they’re living tools for continuous alignment between protection, investment, and business risk. They make cybersecurity real. They make risk visible. And they enable the kind of mature, informed, cross-functional conversation that the cybersecurity field has been missing for far too long.
Understanding the Real Cost of Cybersecurity
One of the most overlooked — and most valuable — benefits of Outcome-Driven Metrics (ODMs) is their ability to expose the real cost of cybersecurity. Traditionally, when organizations talk about cybersecurity spending, they refer to the security budget: the cost of tools, licenses, headcount, and third-party services. But that’s only a fraction of the picture. The real cost includes everything required to deliver protection — across security, IT, and the business itself. ODMs force us to see what’s usually hidden. They reveal three critical dimensions of cost:
Business friction: This includes measurable losses in productivity due to cybersecurity requirements. For example, users losing time to multi-factor authentication (MFA), mandatory training, or delays from access reviews and patching windows. Even simple security steps can have major downstream effects when applied across thousands of employees and workflows.
IT friction: These are the impacts cybersecurity controls have on infrastructure, delivery pipelines, and operations. Think of delayed deployments, slower provisioning, or strained resources caused by security review bottlenecks. Friction here adds not just cost, but complexity — and sometimes even risk when teams attempt workarounds.
Opportunity cost: This is what the business didn’t achieve because security introduced blockers, delays, or uncertainty. Think of innovation pipelines that stall, product features that get postponed, or customer experience that degrades because the path to release or adoption is unclear.
Proctor has illustrated this with the MFA case. While the tool itself might only cost a few dollars per user, the real cost — in terms of time lost per authentication event across tens of thousands of employees — can translate to hundreds of full-time equivalent (FTE) years per year. In large enterprises, that becomes a massive hidden expense, often far exceeding the software’s licensing cost.
This is where ODMs become essential. Because they tie protection outcomes directly to investment, they give us the ability to evaluate not just whether we’re spending enough, but whether we’re spending wisely.
For example:
If two patching solutions offer the same 15-day SLA, but one requires 20% less downtime, the one with higher licensing cost may actually be cheaper overall when you factor in lost revenue and staff disruption.
If a segmentation strategy reduces incident response time by 30%, the time and labor saved in detection and recovery could more than justify an upfront investment in microsegmentation or automation tools.
ODMs allow you to model those trade-offs clearly. They shift the question from “How much does this tool cost?” to “What does this tool help us achieve, and at what total cost to the business?”
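The all-in cost model described in this section, as an added worked example that is not from the article or from Gartner: each option carries licensing, operating, IT-friction (downtime) and business-friction (staff time) costs, options are only compared against the same SLA, and the MFA helper turns per-prompt seconds into FTE-years. All figures, the 1,800 productive hours per FTE-year and the 230 workdays are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

HOURS_PER_FTE_YEAR = 1_800   # assumed productive hours per FTE-year (constructed)


@dataclass
class ProtectionOption:
    """One way of delivering a protection outcome, with its visible and hidden costs."""
    name: str
    sla_days: int                 # protection outcome this option delivers (e.g. 15-day patching)
    licensing_usd: float          # what usually appears in the 'security budget'
    ops_usd: float                # people and services needed to run it
    downtime_hours: float         # IT friction: patch-window downtime per year
    revenue_per_hour_usd: float   # business impact of each hour of downtime
    staff_hours_lost: float       # business friction: user time lost per year
    loaded_hourly_rate_usd: float # cost of one hour of staff time

    def friction_usd(self) -> float:
        """Hidden cost: downtime impact plus lost staff time."""
        return (self.downtime_hours * self.revenue_per_hour_usd
                + self.staff_hours_lost * self.loaded_hourly_rate_usd)

    def total_usd(self) -> float:
        """All-in annual cost of achieving the outcome."""
        return self.licensing_usd + self.ops_usd + self.friction_usd()


def cheapest_for_sla(options: List[ProtectionOption], sla_days: int) -> Optional[ProtectionOption]:
    """Compare only options that deliver the same protection outcome (like for like)."""
    candidates = [o for o in options if o.sla_days == sla_days]
    if not candidates:
        return None
    return min(candidates, key=lambda o: o.total_usd())


def mfa_fte_years(users: int, prompts_per_day: float, seconds_per_prompt: float,
                  workdays: int = 230) -> float:
    """Annual productivity cost of MFA prompts, expressed in FTE-years."""
    hours = users * prompts_per_day * seconds_per_prompt * workdays / 3600
    return hours / HOURS_PER_FTE_YEAR


# Constructed scenario from the text: two 15-day patching solutions, the pricier
# one needs 20% less downtime.
SOLUTION_A = ProtectionOption("Solution A", 15, 400_000, 300_000, 100, 20_000, 2_000, 80)
SOLUTION_B = ProtectionOption("Solution B", 15, 600_000, 300_000, 80, 20_000, 2_000, 80)

if __name__ == "__main__":
    for opt in (SOLUTION_A, SOLUTION_B):
        print(f"{opt.name}: licensing ${opt.licensing_usd:,.0f}, all-in ${opt.total_usd():,.0f}")
    best = cheapest_for_sla([SOLUTION_A, SOLUTION_B], 15)
    print("Cheapest all-in for 15-day SLA:", best.name)
    print(f"MFA friction for 50k users: {mfa_fte_years(50_000, 5, 30):.1f} FTE-years")
```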
By exposing the full spectrum of cost — security, IT, business friction, and lost opportunity — ODMs empower organizations to make smarter, more defensible investment decisions. They help justify spend where it’s needed and redirect spend where it’s not. And they align cybersecurity priorities with business outcomes, which is the ultimate goal of a mature, risk-based program.
A Foundation for Due Care and Defensibility
Today, even the most well-prepared organizations can experience a breach. Sophisticated adversaries, evolving tactics, zero-day vulnerabilities — sometimes, things go wrong despite our best efforts. That’s why it’s no longer enough to say “we tried our best.” We need to be able to demonstrate due care.
This is where Outcome-Driven Metrics (ODMs) and Protection Level Agreements (PLAs) change the game.
They provide a concrete way to operationalize cybersecurity intent — turning strategy into measurable outcomes, and outcomes into accountable decisions. ODMs define how protection is measured. PLAs establish how much protection is enough — and at what cost. Together, they become the evidence of responsible governance.
Let’s say your PLA is “patch all critical systems within 30 days.” If an incident occurs within that window — say, a breach happens on day 25 — it’s not a failure of execution. It’s an accepted risk, backed by an agreed-upon business decision. That risk was understood, owned, and balanced against available resources and impact.
But if the same breach occurs outside that protection window — say, on day 35 — then it becomes a failure to deliver on the agreed protection level. Now there’s clarity: the incident reveals not just that something failed, but how it failed, and whether the issue was execution, governance, or resourcing.
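The PLA logic from this section and from the earlier “$1M/year for 30-day patching” passage, as an added example that is not from the article: it computes the patch-time ODM from patch records, lists assets outside the agreed window, reports whether the ODM is improving, degrading or holding steady, and classifies an incident as accepted risk (inside the window) or a PLA miss (outside it). The records, dates and the PLA figures are constructed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional


@dataclass
class PatchRecord:
    """One critical system: when the vulnerability became known and when it was patched."""
    asset: str
    known: date
    patched: Optional[date]   # None while the system is still exposed


@dataclass
class PLA:
    """Protection Level Agreement: the agreed patching window and its agreed cost."""
    window_days: int
    annual_cost_usd: float


def exposure_days(rec: PatchRecord, as_of: date) -> int:
    """Days the system was (or still is) exposed to the known vulnerability."""
    end = rec.patched or as_of
    return (end - rec.known).days


def odm_patch_time(records: List[PatchRecord], as_of: date) -> float:
    """ODM: average exposure days across critical systems; open items count up to as_of."""
    return mean(exposure_days(r, as_of) for r in records)


def outside_window(records: List[PatchRecord], pla: PLA, as_of: date) -> List[str]:
    """Assets whose exposure exceeded the agreed window, patched or not."""
    return [r.asset for r in records if exposure_days(r, as_of) > pla.window_days]


def odm_trend(previous: float, current: float, tolerance: float = 1.0) -> str:
    """Lower patch time is better; small moves inside the tolerance count as steady."""
    if current < previous - tolerance:
        return "improving"
    if current > previous + tolerance:
        return "degrading"
    return "holding steady"


def classify_incident(vuln_known: date, breached_on: date, pla: PLA) -> str:
    """Breach inside the window is an accepted business risk; outside it is a PLA miss."""
    days = (breached_on - vuln_known).days
    return "accepted-risk" if days <= pla.window_days else "pla-miss"


# Constructed sample data (not from the article).
AS_OF = date(2025, 6, 30)
RECORDS = [
    PatchRecord("web-01", date(2025, 5, 1), date(2025, 5, 10)),    # 9 days
    PatchRecord("db-02", date(2025, 5, 1), date(2025, 5, 28)),     # 27 days
    PatchRecord("vpn-03", date(2025, 5, 10), None),                # still open: 51 days
    PatchRecord("mail-04", date(2025, 6, 1), date(2025, 6, 15)),   # 14 days
]
PLA_30 = PLA(window_days=30, annual_cost_usd=1_000_000)

if __name__ == "__main__":
    print("ODM average patch time:", odm_patch_time(RECORDS, AS_OF), "days")
    print("Outside 30-day window:", outside_window(RECORDS, PLA_30, AS_OF))
    print("Trend vs last quarter (28.0):", odm_trend(28.0, odm_patch_time(RECORDS, AS_OF)))
    print("Breach on day 25:", classify_incident(date(2025, 5, 1), date(2025, 5, 26), PLA_30))
    print("Breach on day 35:", classify_incident(date(2025, 5, 1), date(2025, 6, 5), PLA_30))
```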
This model creates more than accountability — it creates a culture of self-correcting governance. One where protection levels are not static but continuously reassessed. One where every incident, even if painful, becomes a chance to re-evaluate: Was this risk acceptable? Should we invest more? Do we need a different approach?
And here’s the deeper shift: this makes cybersecurity a shared responsibility.
Until now, most of the burden has fallen on CISOs and their teams. But when you start having PLA conversations, everyone has a role:
The CFO must help weigh cost against value.
The CEO must assess how much risk the business is willing to carry.
The CIO must ensure operational feasibility and support implementation.
And the CISO must turn risk into measurable protection — and be transparent about what’s achievable.
With ODMs and PLAs, cybersecurity is no longer a backroom technical discussion. It becomes a boardroom decision, grounded in business language, clear expectations, and aligned trade-offs.
This level of clarity is not just helpful — it’s defensible.
Whether you’re dealing with customers, regulators, shareholders, or internal stakeholders, ODMs and PLAs give you a framework to show:
That the organization defined and agreed upon its level of cyber protection,
That those decisions were based on measurable metrics and transparent trade-offs,
And that those decisions are continuously revisited as the environment changes.
This is what modern due care looks like. Not perfection, but visibility. Not just intent, but execution. And not isolated responsibility — but collective accountability across the entire leadership team.
In a world where breaches are inevitable, how we measure, manage, and communicate risk is everything. ODMs and PLAs help us do that — not just as security leaders, but as business leaders working together to protect what matters most.
The Cybersecurity Compass: Navigating with ODMs and PLAs
The Cybersecurity Compass is a strategic framework that helps us visualize cybersecurity not as a siloed function, but as an interconnected system of directional forces working across the entire cyber risk lifecycle: before, during, and after a breach.
At its core, the Compass shows that effective cybersecurity requires alignment across three major domains:
Cyber Risk Management (before a breach): where risk decisions are made and protection is planned.
Detection and Response (during a breach): where threats are identified and mitigated in real time.
Cyber Resilience (after a breach): where the organization recovers, learns, and improves.
These domains are navigated through a central tension between reactive, defensive behaviors and proactive, predictive capabilities. And just like a real compass, the goal isn’t to spin — it’s to stay oriented toward a meaningful outcome.
This is where Outcome-Driven Metrics (ODMs) and Protection Level Agreements (PLAs) become essential instruments. They provide the measurement and commitment mechanisms needed to keep each function aligned and accountable.
In Cyber Risk Management, ODMs help answer: “How protected are we today?” They quantify exposure, patching speed, detection coverage, and other factors in ways that inform risk-based decisions. PLAs turn those insights into formal commitments: “We accept X risk for Y cost.”
In Detection and Response, ODMs measure how quickly incidents are detected, contained, and resolved — enabling continuous improvement. PLAs set expectations for acceptable response windows, such as time to isolate an infected asset or restore critical systems.
In Cyber Resilience, ODMs track progress post-incident — time to full recovery, return to operational baselines, and control restoration. PLAs help define what recovery looks like: “We will fully restore within 72 hours after a ransomware event.”
Across all domains, ODMs bring transparency, and PLAs bring intentionality. Together, they anchor cybersecurity to measurable outcomes, shared accountability, and informed trade-offs.
Perhaps most importantly, ODMs and PLAs turn the Compass into a navigation tool, not just a model. They allow leaders to answer critical questions:
Are we protected at the level we agreed to?
Are we spending the right amount to maintain that protection?
Are we aligned on what’s acceptable — and prepared to adapt when it’s not?
In this way, ODMs and PLAs give the Compass movement and meaning. They allow us not just to plot a course — but to stay on course, even as the environment shifts around us.
Cybersecurity isn’t just about controls or tools. It’s about direction.
And in a dynamic, high-stakes landscape, ODMs and PLAs are the compass and calibration every organization needs to stay resilient, accountable, and aligned.
What Comes Next?
ODMs are already reshaping how we approach cyber risk reporting, M&A due diligence, cyber insurance, and CIO-CISO collaboration. But their true power lies in something far more transformative: they’re giving us the ability to define, measure, and justify cybersecurity outcomes in a way that is consistent, accountable, and business-aligned. For the first time, we have a practical way to answer the two questions that matter most: What level of protection are we actually getting? and What’s the real cost of achieving it?
With ODMs and PLAs, we move from activity to achievement, from noise to clarity, from effort to value. They help CISOs communicate with CFOs. They help boards understand risk without drowning in technical jargon. They empower leadership to make decisions based on protection, not fear — and to course-correct when risk tolerance and business priorities evolve.
This is more than a metric shift. It’s a mindset shift. And for that, we owe a sincere thanks to Paul Proctor, whose work at Gartner laid the foundation for this transformation. His introduction of Outcome-Driven Metrics and Protection Level Agreements gave the cybersecurity community a new language — one that connects security outcomes to business decisions, investment strategy, and governance maturity. It’s a contribution that will continue to shape the future of cybersecurity for years to come.
ODMs and PLAs aren’t a passing trend. They are the future of outcome-based cybersecurity. They bring structure to uncertainty, accountability to protection, and shared responsibility to cyber risk. If your program still measures what happened instead of what was achieved, now is the time to rethink your approach — because what your board, your regulators, and your business partners ultimately want to know is simple:
Are we protected — and can we prove it?
With ODMs and PLAs, the answer is no longer a matter of opinion. It’s a matter of evidence. And that changes everything.
Castro, J. (2024). Safely Sailing the Digital Ocean with the Cybersecurity Compass. ResearchGate. https://www.researchgate.net/publication/387410177 DOI:10.13140/RG.2.2.20696.00003
Castro, J. (2024). Strategic Cyber Defense: Applying Sun Tzu’s Art of War Lessons to the Cybersecurity Compass. ResearchGate. https://www.researchgate.net/publication/387410535 DOI:10.13140/RG.2.2.25085.68327
Castro, J. (2024). A Common Language for Cybersecurity. ResearchGate. https://www.researchgate.net/publication/387505866 DOI:10.13140/RG.2.2.31894.05448
Castro, J. (2024). Cybersecurity Compass — Bridging the Communication Gap. ResearchGate. https://www.researchgate.net/publication/387789339 DOI:10.13140/RG.2.2.36333.29926
Castro, J. (2025). The Illusion of “Continuous” in Cybersecurity: The Biggest Vulnerability in Frameworks and Regulations. ResearchGate. https://www.researchgate.net/publication/388682749 DOI:10.13140/RG.2.2.10471.15520/1