A Seat At The Table: How CISOs Can Communicate Cybersecurity Investments In Financial Terms To The Board

Gidi Cohen is the founder of Skybox Security, where he helps customers secure their attack surface and stay ahead of emerging threats.

Digital transformation done well delivers business growth and enterprise-wide competitive advantages. Yet, inadvertently, digital transformation introduces new vulnerabilities. In fact, according to a 2022 study from my company, 27% of executives say new technologies are their largest cybersecurity worry.

While business growth is always a top priority, accelerated digital transformation means cybersecurity leaders are under pressure to accommodate countless forms of digital transformation—including new public cloud services and operational technology (OT).

Benchmarking Study Reveals Executives Are Unprepared For New Era Of Risk

Our study showed cybersecurity is now at a critical inflection point.

• Global business leaders agreed we have entered a new era of cyber risk. In 2021, the number of material breaches jumped 24.5%.

• However, “27% of executives believed their organizations were not well prepared for today’s rapidly changing threat landscape.”

• And 41% of executives noted that “cyber risk initiatives have not kept pace with digital transformation,” with 39% of CEOs saying they have “inadequate budgets to ensure cybersecurity.”

As a result, the urgency for chief information security officers (CISOs) to position cybersecurity as a corporate-level topic has never been more critical. With cybersecurity now at center stage for most board conversations, the role of the CISO is evolving. The modern CISO now has a more significant executive influence as they take on a broader area of responsibility that spans functions across the enterprise. Because of the continued focus on cybersecurity, a recent report found that 90% of CISOs present directly to their company’s board.

This evolution has left CISOs needing to prove the return on investment and the true value of cybersecurity budgets. When speaking to non-technical executives, it’s essential to create an entirely new lens of cybersecurity outcomes in a business context.

Cybersecurity readiness is a choice, and CISOs can use outcome-driven cybersecurity metrics and cyber risk scores to paint a clear picture of prevention investments.

Is Our Cybersecurity Strategy Enough?

As organizations digitally transform, cybersecurity has become a strategic business imperative that requires the entire executive leadership to buy in and work together to mitigate risks. As a result, executives are looking to security leaders to determine the ideal cybersecurity investment and protection strategy. In other words, how much cybersecurity is enough?

Because of this shift, CISOs must first prioritize building an executive narrative and business case to transform how cybersecurity is treated in their organization. By aligning with desired business outcomes and strategic priorities, CISOs can take a critical first step in effectively communicating the business context around cybersecurity.

Communicating A Risk-Based Approach To The Board

With this increased visibility, CISOs need to speak in clear business terms when addressing tough questions and clarifying misconceptions. For proactive and effective conversations with the executive board, CISOs can frame cybersecurity investments in a business context:

• Define cybersecurity outcomes and metrics. CISOs must share what is most meaningful to executives by focusing on outcome-driven metrics that reflect how well an organization is protected based on strategic investments in people, processes and tools. Traditionally, the metrics tracked by CISOs are often more IT-focused, making them less intriguing to a board. To rationalize their cybersecurity investments, CISOs can report metrics that focus on security control effectiveness, threats, exposure and asset importance.

• Communicate risk in monetary values. Protecting the ability to generate revenue, protect corporate assets and ensure safety and compliance is fundamental to the CISO’s role. In the past, many boards have perceived cybersecurity as a cost center. To shift that conversation, CISOs can use risk modeling to show how exposures could impact the business. Leveraging real-world numbers, such as the potential costs of a ransomware attack, illustrates the business impact of cyber risk in financial terms. Cyber risk quantification translates exposure analysis metrics into dollar values to resonate in business conversations.

• Quantify and articulate the value of preventative cybersecurity. Breaking down internal information silos and applying advanced analytics enable organizations to target remediation and mitigation efforts on the cyber risks most likely to impact their unique business. As organizations mature toward proactive, risk-based cybersecurity strategies, articulating cybersecurity risk in financial terms provides a common language that keeps the organization aligned on priorities and outcomes.
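The two preceding points (risk in monetary values, and quantifying the value of prevention) are easier to act on with a concrete model in hand. The following is an added example, not code from the article or from Skybox Security: it turns an exposure estimate (expected incidents per year and expected loss per incident) into an annualized loss expectancy, applies a proposed control, and reports the avoided loss, the return on the control's cost, and a Monte Carlo loss-exceedance probability. The scenario figures, the control's assumed effectiveness, and the ALE/ROSI formulas are all constructed assumptions for illustration rather than numbers from the article.

```python
"""Added example (not from the article): turning exposure metrics into dollar
figures a board can weigh against a control's annual cost.

Model assumptions, all constructed for illustration:
  ALE  = ARO x SLE   (annualized loss expectancy)
  ROSI = (ALE avoided - annual control cost) / annual control cost
plus a seeded Monte Carlo for loss-exceedance probabilities (Poisson incident
count per year, log-normal loss per incident).
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    aro: float   # expected incidents per year, from threat/exposure analysis
    sle: float   # expected dollar loss per incident, from asset importance


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction of incident likelihood the control removes
    sle_reduction: float  # fraction of per-incident loss the control removes


def ale(s: Scenario) -> float:
    """Annualized loss expectancy in dollars."""
    return s.aro * s.sle


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Residual scenario once the control is in place."""
    return Scenario(s.name, s.aro * (1.0 - c.aro_reduction),
                    s.sle * (1.0 - c.sle_reduction))


def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: net ALE avoided per dollar of control cost."""
    avoided = ale(s) - ale(apply_control(s, c))
    return (avoided - c.annual_cost) / c.annual_cost


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: sample the number of incidents in one year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int, seed: int = 1,
                           sigma: float = 0.8) -> list:
    """One simulated total loss per year. Per-incident loss is log-normal with
    mean equal to SLE (mu is chosen so that exp(mu + sigma^2 / 2) == sle)."""
    rng = random.Random(seed)
    mu = math.log(s.sle) - sigma * sigma / 2.0
    losses = []
    for _ in range(years):
        incidents = _poisson(rng, s.aro)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return losses


def exceedance_probability(losses: list, threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def board_summary(s: Scenario, c: Control, years: int = 20000) -> dict:
    """The handful of numbers a board slide needs, in dollars or ratios."""
    residual = apply_control(s, c)
    before = simulate_annual_losses(s, years, seed=1)
    after = simulate_annual_losses(residual, years, seed=2)
    return {
        "scenario": s.name,
        "control": c.name,
        "ale_before": ale(s),
        "ale_after": ale(residual),
        "ale_avoided": ale(s) - ale(residual),
        "control_cost": c.annual_cost,
        "rosi": rosi(s, c),
        "p_loss_over_1m_before": exceedance_probability(before, 1_000_000),
        "p_loss_over_1m_after": exceedance_probability(after, 1_000_000),
    }


# Constructed figures: a ransomware scenario and a backup/segmentation control.
RANSOMWARE = Scenario("ransomware outage", aro=0.3, sle=2_000_000)
BACKUPS = Control("immutable backups + segmentation", annual_cost=150_000,
                  aro_reduction=0.2, sle_reduction=0.6)

if __name__ == "__main__":
    for key, value in board_summary(RANSOMWARE, BACKUPS).items():
        shown = f"{value:,.2f}" if isinstance(value, float) else str(value)
        print(f"{key:>24}: {shown}")
```

With these constructed inputs the control cuts the annualized loss expectancy from $600,000 to $192,000; after subtracting its $150,000 annual cost the ROSI is 1.72, and the simulated chance of a year with more than $1M in losses drops substantially. The point for a board conversation is the shape of the output rather than these particular numbers: every line is a dollar figure or a ratio, and the exposure inputs come straight from the control-effectiveness, threat, exposure and asset-importance metrics the earlier bullet recommends tracking.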

Cybersecurity success requires more than technical knowledge: You must use the art of persuasion to build influence with the board. With a solid understanding between the CISO and the rest of the executive team, organizations can quantify the threats that matter, distinguish fact from fiction and seize this opportunity to reinvent cybersecurity in a way that delivers measurable business value.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.