From IT to ROI: Framing cybersecurity for the board
Summary
The article argues that cybersecurity must be reframed from an IT cost centre to an enterprise-level investment tied to business outcomes and ROI. High-profile breaches in 2025, such as the Salesforce incident and other attacks on major vendors, have pushed boards to demand clearer business-aligned metrics from CISOs. The author walks through practical ways to map confidentiality, integrity and availability to financial, operational and reputational impacts, and recommends dashboards, heat maps and business-language metrics to make security intelligible and actionable for board members.
Key Points
- Major 2025 breaches (Salesforce, Google, TransUnion, Workday) and rising breach costs (IBM: US average $10.22M) have elevated cybersecurity to board-level concern.
- Boards expect CISOs to speak the language of business — align security metrics with OKRs/KPIs rather than technical detail alone.
- Reframe patching and other controls as risk reduction for business-critical services and show the revenue/profit impact of downtime or data loss.
- Use the CIA triad (confidentiality, integrity, availability) to quantify exposure: multiply records exposed by the per-record fine, users affected by systems affected, and sales per hour by hours of downtime.
- Create real-time, board-ready dashboards and heat maps to prioritise spend, show financial exposure and reprioritise during incidents.
- Include emerging threats (AI-driven attacks), supply chain and vendor concentration risks (e.g. the AWS outage) in board briefings and scenario planning.
- Recommended to-do list for boards: use business language, establish cybersecurity OKRs/KPIs, maintain heat maps, meet cross-functionally and quantify incident costs.
Content Summary
The piece opens with 2025 breach examples to illustrate why directors are focused on cyber risk. It traces the cultural shift from optional security practices in the 1990s to today, where boards recruit CISOs and expect tie-ins to enterprise strategy. The author explains how to convert security activities into business risk language using concrete examples (e.g. imaging systems in healthcare) and simple formulas that estimate revenue loss, fines and reputational damage. He stresses embedding security into product launches and OKRs rather than treating it as an afterthought, and recommends dashboards and cross-functional reviews to keep the board informed and to guide prioritisation.
Context and relevance
This article matters because boards are now financially accountable for cyber outcomes and expect measurable returns or protection from security investments. The guidance aligns with industry trends: escalating breach costs, regulatory change, vendor concentration risk and the rise of AI-enabled threats. For CISOs and CIOs, adopting the recommended approach helps secure budget, influence strategy and reduce the chance that a security gap becomes an existential business event.
Why should I read this?
Short version: if you ever have to explain security to a non-technical boss or a boardroom that cares about profit, this is your cheat sheet. It turns patch lists into pounds-and-pence impact, and gives you ready-made metrics and a clear to-do list that present security as an investment rather than an expense. Read it to stop talking tech and start talking value.
Author style
Punchy — the author uses real-world breaches and plain examples to drive home the point: security must be measured and presented as business value. If you want to influence strategy and budgets, this article makes clear why that shift is urgent.
