the ability to
model, measure, deliver
"One cannot manage what they cannot measure."
The truism above is at the heart of the challenge. How do we measure security and what do we measure it for. Measuring security requires two elements:
What is being measured - the object of measurement
What is the object being measured for - traditionally known as "metric."