MDR · 3 MIN READ · JAMES SHANK · FEB 20, 2026
TL;DR
- Success for cybersecurity needs to align with business success, and the language of cybersecurity needs to be the language of business.
- Expel’s 2026 Annual Threat Report goes live next week (you can sign up for first access now) and offers valuable metrics that can inform business justifications and risk calculations.
- The report shows that identity remains the attack surface with the highest incident volume, and that translating that risk into quantitative measures makes a difference.
In the world of cybersecurity, there’s often a gap between how security teams and business leaders define success. Business leaders naturally focus on reducing overall risk and maximizing opportunity, while security professionals sometimes emphasize how many attacks they block at the perimeter. The business side is thinking about the big picture, and the security folks are still too caught in the weeds. It’s time to align these perspectives.
Consider the rise of identity-based attacks and defenses. Yes, identity is once again the king of attacked surfaces. In fact, our upcoming 2026 Annual Threat Report (ATR) shows that 68.6% of all the incidents Expel saw in 2025 involved identity as the main attack surface.
In recent years, our industry has seen wider adoption of technologies and controls like single sign-on (SSO), multifactor authentication (MFA), and passkeys. These security controls mean that even if a password is stolen, an attacker often can’t gain access. Alongside better behavior analysis and logging, we’re catching these threats earlier and reducing the damage they can cause. These solutions are deployed and continue to gain traction, making identity-based attacks harder with each rollout of a newer generation of effective controls.
How do we count this success then? SOC teams are inclined to treat a password exposure as an incident—rightly so, and Expel does, too. It reduces the account’s security and demands a password reset. If access is blocked, though, this is a security control win. The business impact is wholly mitigated at the identity layer, which is the new perimeter (and this is roughly the same as a firewall block rule stopping access in the pre-“Zero Trust” era).
Before you conclude that we should parade around chanting “MFA saved us!” or “Look at how well our geofencing is working!” as a win, let’s pull this back in. Cybersecurity, understood correctly, is driving towards delivering a business objective. In all but a rare set of cases, that objective is risk mitigation and risk remediation. This means that the business sees this roughly as “no harm, no foul.”
The point is that success in cybersecurity isn’t just about counting attacks. It’s about measuring how effectively we reduce risk. By focusing on metrics that reflect how quickly we respond and how much we minimize impact, we get closer to a shared language of success that both security teams and business leaders can embrace. Don’t stop where most security professionals stop—throwing around the word “risk” in a colloquial way—present it in terms of dollars. Up your game and step into the realm of a business conversation, because business has only one language: money.
A few years back, I had a conversation with an investor friend. He commented that many boards will smirk and shake their heads when the CISO walks out of the room after a board presentation. I don’t (yet) have a seat at those tables, but I can see why this would happen. When we show up to a table of qualified and competent business leaders—yet we don’t speak their language—we miss the mark.
We all know our goal is to make our organizations safer. Learning to speak in terms of money positions us to be better at defending our requests for resources and presenting our successes at enabling business objectives. It helps us establish our ability to speak in a way that every business leader understands. When we measure success by how well we reduce risk (dollars saved), we align our efforts with the broader mission of protecting the business as a whole.
Translating our security wins and requests into dollars saved is hard to do. We often lack the fundamental building blocks to calculate risk (dollars) aligned to our business objectives and goals. Expel has put together our 2026 Annual Threat Report detailing the incidents we see and the categories of different surfaces and attack types. The report doesn’t get you directly to dollars saved, but you can use it as an authoritative reference for computing likelihoods using real-world attack data.
We hope you find the report helpful in elevating your security posture and defending your requests, and stay tuned for its official release next week!
