In the modern workplace, cybersecurity teams operate in matrixed organizations. Security teams drive and track progress without direct authority over developers, system administrators, and other employees responsible for implementing security policies. Many people focus narrowly on the measurements themselves without considering the impact they have on those being measured. This leads to ineffective systems that make employees feel scrutinized and punished. This paper discusses techniques for designing metrics that not only measure security in a meaningful way but also address the human element. It takes you on a journey through our security program, tells you what we learned from the mistakes we made along the way, and leaves you positioned for success.