Information Security leaders face a problem: to prove the value equation of their security investments. Security efficacy is often brought up as a key challenge – not just how to leverage technology, but how to measure what results it delivers. Enumerating how many detections were surfaced by a malware defense platform or if a perimeter firewall dropped unwanted traffic are very tactical and don’t communicate to the board how risk is being managed and the ROI of resources, processes and technology working together. Metrics development has been a persistent challenge to information security due to inconsistent KPIs stemming from technological differences. What is the path forward? Using the MITRE ATT&CK Matrix as a normalization factor provides the capability to standardize results, measure success in day to day operations, and prove value for security programs.