OWASP Standard Classification: Automate Security, Don't Tell Your Boss - M. Tesauro

Prerequisite to the ideas: corporate SDLC, EA.

The number of assessments doesn't seem a particular interesting metric. Once it's automated you can run it arbitrarily many times, i.e. 1000 runs over night. Instead you may want to talk about number of issues found, mttr, did quality of the audit change in exposure etc. Then you set that metric against a relative headcount which is also vague (5.5 out of 100 is not a lot, 5.5 out of 10 is). I like the talk but it's too fluffy and hand-waving.