Cyber & The Board: Improving Communication and Finding Common Ground
The C-suite wants answers: Why should we invest more funds in security rather than R&D, sales, or other business units? Are our existing security investments actually reducing risk? How do we measure effectiveness and what metrics should we use? Why does it feel like the cyber problem never goes away, despite all the money we’re spending?
These are fair questions, and the executive leadership team has every right to put these tough questions to CISOs. At the same time, security is a business enabler and CISOs must find ways to communicate that to the board.
This article will discuss messages that security leaders can deliver to establish common ground with executive stakeholders. By positioning cyber as a business enabler and mechanism for building trust with customers, CISOs can shift the idea of “security as a cost center” into “security as investment protection for operations and the brand.”
Trust and Business Enablement
Regardless of the industry in which it operates, every enterprise values their brand, consumer confidence, and continuity of revenue-generating operations. Cybersecurity helps protect all three.
Large corporations invest heavily in building a recognizable, reputable brand. A major cyber incident, such as a ransomware attack or a data breach, can severely damage an organization’s brand.
Consumers, both individuals and enterprise customers, have become more attuned to security and data protection. If an organization experiences a significant cyber attack, consumers lose trust in that organization and may opt to do business with competitors instead.
At the core of every business is the activity that generates revenue. The exact nature of that activity varies from one industry to the next, but every organization prioritizes continuity of that activity. Any disruption to operations has a very real cost.
By effectively managing cyber risk, the CISO and their team safeguard brand, consumer trust, and revenue-generating operations. Cyber also protects the investments made in these other areas, ensuring that these funds are not undermined by a cyber attack or breach. The board should come to see cybersecurity as an enabler of these other business-critical functions.
The Defender’s Dilemma
It’s important for executives to understand a fundamental asymmetry of security: attackers only need to succeed once but defenders must be flawless.
This challenging dynamic is what’s known as the Defender’s Dilemma. Attackers enjoy virtually unlimited attempts to breach a target network. They only need to be successful one time to gain unauthorized access to a corporate network.
Defenders, on the other hand, must succeed every time. One misconfiguration, one unpatched vulnerability, one weak password left exposed can be the opening an attacker needs.
When it comes to cyber, even small mistakes can lead to major costs. The board should be made aware that security investments help avoid the errors that can potentially cause serious financial consequences for the business.
The CISO’s Remit Is Constantly Growing
Even if an organization had infinite staff and perfect processes, the responsibility of the security team would never be static. The “goal posts” in cybersecurity are constantly shifting in three important ways:
- Expanding Digital Footprints
Every day, organizations spin up new domains, cloud instances, applications, and data stores. Each addition creates more surface area to defend. The environment changes daily, sometimes hourly.
- Evolving Threat Landscape
Attackers invent new tactics constantly. A product that was considered secure yesterday may be vulnerable today because a new CVE has been disclosed. Defenders must react in real time to a flood of vulnerabilities and threat intel that sheds light on new TTPs.
- New Technologies—Double-Edged Swords
Emerging technologies like generative AI accelerate both sides of the conflict. While defenders gain powerful new tools, attackers are equally quick to exploit them. Evaluating, acquiring, and implementing defensive tools consumes time and resources—commodities always in short supply.
Taken together, these dynamics make cybersecurity a race without a finish line. Security leaders must help the C-suite understand this constant increase in responsibility and risk. Holding the security budget constant is equivalent to reducing the budget relative to the assets that must be protected and the risk that must be managed.
The Hard Problem Of Quantifying Cyber Risk
In traditional risk modeling, the two primary dimensions are the probability of an event and the severity of impact if the event occurs. Both of these are difficult to forecast with a high degree of confidence.
For instance, what is the probability of a third-party data breach impacting your organization in the next calendar year? How severe, quantified in terms of dollars and cents, would the impact of that event be? Both questions are difficult to answer with any real certainty.
The same is true of estimating reductions in risk that resulted from a particular investment. Executives often want to know how an investment, such as the deployment of a new technology or the completion of an activity like pen testing, impacted the organization’s cyber risk posture.
While these tools and processes are certain to have an impact, quantifying that effect and reporting on it is still more art than science. Business leaders should be comfortable with best effort numbers, since there is no perfect method for quantifying risk and risk reduction.
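To make the "best effort numbers" concrete, the following is an added example (not from the article) of the probability-times-impact model described above, run as a small Monte Carlo simulation so that the result is a range rather than a single point estimate. The scenario, its likelihood bounds, its loss bounds, and the effect attributed to the hypothetical control are all constructed values chosen for illustration; a real assessment would calibrate them from the organization's own data and expert estimates.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One loss event, described as ranges because point estimates are not credible."""
    name: str
    p_low: float       # lowest annual likelihood the analysts will commit to
    p_high: float      # highest annual likelihood
    loss_low: float    # 10th-percentile loss in dollars, given the event occurs
    loss_high: float   # 90th-percentile loss in dollars, given the event occurs


def annualized_loss_expectancy(probability: float, impact: float) -> float:
    """Classic single-point ALE: probability of the event times its impact."""
    return probability * impact


def simulate_annual_loss(scenario: RiskScenario, trials: int = 20000, seed: int = 1) -> list:
    """Draw one simulated year per trial and return the loss incurred in each year.

    Likelihood is drawn uniformly from the analyst's range; impact is lognormal,
    fitted so that loss_low / loss_high are its 10th / 90th percentiles
    (z = 1.2816 for those percentiles).
    """
    rng = random.Random(seed)  # fixed seed so the numbers reported to the board are reproducible
    mu = (math.log(scenario.loss_low) + math.log(scenario.loss_high)) / 2
    sigma = (math.log(scenario.loss_high) - math.log(scenario.loss_low)) / (2 * 1.2816)
    losses = []
    for _ in range(trials):
        p = rng.uniform(scenario.p_low, scenario.p_high)
        if rng.random() < p:          # the event happens this year
            losses.append(rng.lognormvariate(mu, sigma))
        else:                         # quiet year, no loss
            losses.append(0.0)
    return losses


def summarize(losses: list) -> dict:
    """Expected annual loss plus tail percentiles, which is what a board can act on."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean": statistics.fmean(ordered),
        "p50": ordered[n // 2],
        "p90": ordered[int(0.9 * n)],
        "p95": ordered[int(0.95 * n)],
    }


def risk_reduction(before: RiskScenario, after: RiskScenario) -> dict:
    """Compare expected annual loss with and without a control; both are ranges, not facts."""
    b = summarize(simulate_annual_loss(before))
    a = summarize(simulate_annual_loss(after))
    return {
        "before": b,
        "after": a,
        "expected_loss_avoided": b["mean"] - a["mean"],
    }


# Constructed scenario: a third-party data breach, likelihood 10-30% per year,
# loss between $500k and $5M if it happens. The "after" case assumes (hypothetically)
# that a vendor security program halves the likelihood and leaves impact unchanged.
BREACH_BEFORE = RiskScenario("third-party breach", 0.10, 0.30, 500_000, 5_000_000)
BREACH_AFTER = RiskScenario("third-party breach + vendor program", 0.05, 0.15, 500_000, 5_000_000)

if __name__ == "__main__":
    result = risk_reduction(BREACH_BEFORE, BREACH_AFTER)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:>6}: expected ${s['mean']:,.0f}/yr, p90 ${s['p90']:,.0f}, p95 ${s['p95']:,.0f}")
    print(f"expected loss avoided by the control: ${result['expected_loss_avoided']:,.0f}/yr")
```

Note that the median annual loss in this scenario is zero, because most simulated years have no breach; that is exactly why reporting only a median (or only a single ALE figure) misleads, and why the expected value and the tail percentiles should be presented together, with the input ranges stated alongside them.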
Why Cybersecurity Will Never Be “Done”
It’s tempting to think of cybersecurity as a project: something that can be completed, checked off, and moved on from. But that mindset creates unrealistic expectations.
A better analogy is law enforcement. Crime has never been eradicated, but societies manage it through policing, prevention, and deterrence. Major busts disrupt operations, but new gangs always emerge. Cybersecurity operates on the same principle: progress is possible, perfection is not. It will never be “solved” in a final sense; it must be continuously managed.
The correct framing for executives is not “When will we solve cybersecurity?” but “How effectively are we managing cyber risk and are we comfortable with the level of risk we’ve achieved?” The metric of success should be the degree to which critical, revenue-generating operations are protected from disruption. If the business continues to operate, customers are served, and brand reputation is preserved despite the threat environment, that is a victory worth celebrating.
Conclusion: Shaping the Board’s Expectations
The board’s role is to understand cybersecurity as a matter of ongoing risk management, not final resolution. Cyber teams will always face finite resources, asymmetrical battles, and shifting landscapes. What matters most is how wisely those resources are allocated, how quickly defenders can respond, and how effectively leadership supports the mission.
Cybersecurity may never be “done”, but it can be done well. And with the right visibility into your organization’s digital footprint, you can get ahead of threats before they materialize.