A few years ago I spoke to the value of zero and how it applied to metrics and measurement and how to discuss value. Cybersecurity is a particular nut to crack, as it’s based on avoiding or minimizing the occurrence of a negative outcome, which is antithetical to the general business metric of “more is better”. Add to the fray that security metrics, short of compliance measures, are far from standardized or universal across sectors and organizations. In this talk we’ll look at how to leverage minimization as a “return on investment” for organizations without using “risk avoidance” as a weasel word. With the advent of DevSecOps, how can you still ensure that transitioning to a combined responsibility model will help make this easier?