Cybersecurity incidents can cause significant financial harm and serious damage to brand reputation. But traditional cyber risk management approaches — audits, assessments, threat intelligence — only offer point-in-time metrics. This paper explores Security Performance Management, which offers a continuous, outcome-driven approach to ensure security investments are efficient and effective.