How to speak the board's language with cybersecurity ROI so it makes sense

Cybersecurity is crucial for modern businesses. However, despite increasing cyber threats, convincing the board to invest in robust cybersecurity measures can be a challenge. 

The difficulty lies in demonstrating tangible ROI from cybersecurity investments. Boards prioritize measurable results and strategic investments, while cybersecurity aims to mitigate risks and address vague issues like "emerging threats."

Bridging this communication gap is key to helping the board understand and value cybersecurity's significance.

Decoding the Board's Language

To communicate effectively about cybersecurity investments to the board, it's essential to speak their language - finance and strategic planning. 

Boards are interested in ROI, although cybersecurity benefits are usually realized by avoiding losses rather than by growing profit. Privileged Access Management (PAM) is one of many areas where IT teams can show measurable ROI: controlling who can use privileged accounts removes a common path to unauthorized access and data breaches. 

Board members are also keen on risk mitigation and how investments can reduce cyber incidents and financial losses. They use cost-benefit analysis to balance potential benefits against costs, with cybersecurity advantages including protecting brand image and vital business data. 

The board also tends to favor initiatives with long-term strategic value, such as customer loyalty and uninterrupted operations. Using their language, you can underscore the importance of cybersecurity in terms they understand, making approval for necessary initiatives far easier.

Recognizing the Hidden Cost of Inadequate Cybersecurity

The importance of a robust cybersecurity infrastructure should never be underestimated. Neglecting or underinvesting in areas such as securing exposed Remote Desktop Protocol (RDP) services or hardening Active Directory can result in costs far exceeding the security investment that was skipped.

But oftentimes, the true costs of inadequate cybersecurity are hidden in indirect expenses, which makes them harder to discern. 

The direct costs of a breach are the visible ones: incident response, recovery and remediation, regulatory fines, and legal costs. These cover everything from identifying and containing the breach to defending against legal action if customer data is compromised.

However, indirect costs, though less visible, can also have lasting impacts. These include reputational damage, loss of customer trust, and operational disruption. A breach can harm an organization's image, affect business relationships, and disrupt regular operations, leading to productivity losses and increased operational costs.

How to Calculate ROI on Cybersecurity

Whenever you're considering a security upgrade, there's inevitably a financial outlay involved. This is when understanding the balance between the potential cost of the risk and the cost of implementing a safeguard becomes invaluable. The Center for Internet Security (CIS) has provided a helpful method for weighing these two factors when evaluating ROI:


To begin, you'll need to understand four main components:

  • Annual frequency of the security risk event (how many loss events to expect per year)

  • Expected financial loss from a single risk event

  • Projected percentage reduction in that risk from implementing a specific security control

  • Total cost of the security control being evaluated




The diagram above works through an example of a company that expects five phishing incidents a year, each resulting in roughly $35,000 of loss. The projected expense for educating staff on recognizing and sidestepping phishing emails is estimated at $25,000, and the training is expected to reduce the risk by roughly 85%. With those four figures in hand, a tangible ROI can be calculated.

The arithmetic: five incidents at $35,000 each is an expected annual loss of $175,000 with no control in place. An 85% reduction avoids $148,750 of that loss, and subtracting the $25,000 training cost leaves a net benefit of about $123,750 a year, roughly a fivefold return on the spend. However, it's important to remember that this is just a single instance of calculating ROI. Each organization should consider its own risk factors when deciding how to distribute its security funds.

Still, by following these simple steps, organizations can paint a clearer picture of the potential cost savings associated with investing in security, and equip their boards to make better-informed decisions.
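The four-component method above is easy to turn into a small calculator, which also makes it simple to compare several candidate controls against the same risk or to check how much risk reduction a control must deliver before it pays for itself. The following Python is an added example, not code from the article or from CIS; it uses the page's phishing-training figures (5 incidents, $35,000 each, 85% reduction, $25,000 cost) and adds two alternative controls whose numbers are constructed for illustration only.

```python
"""Return-on-security-investment (ROSI) calculator built on the four-component
method in the article: annual event frequency, loss per event, projected risk
reduction and control cost. Added example; numbers for the alternative controls
are constructed, not taken from the page."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Control:
    name: str
    annual_events: float    # expected loss events per year (annualized rate of occurrence)
    loss_per_event: float   # expected loss from one event, in dollars (single loss expectancy)
    risk_reduction: float   # fraction of the annual loss the control removes, 0..1
    annual_cost: float      # total yearly cost of the control, in dollars

    def __post_init__(self) -> None:
        if min(self.annual_events, self.loss_per_event, self.annual_cost) < 0:
            raise ValueError("events, loss and cost must be non-negative")
        if not 0.0 <= self.risk_reduction <= 1.0:
            raise ValueError("risk_reduction must be a fraction between 0 and 1")


def annual_loss_expectancy(annual_events: float, loss_per_event: float) -> float:
    """Expected yearly loss with no control in place: frequency x loss per event."""
    return annual_events * loss_per_event


def avoided_loss(c: Control) -> float:
    """Portion of the annual loss the control is expected to remove."""
    return annual_loss_expectancy(c.annual_events, c.loss_per_event) * c.risk_reduction


def net_benefit(c: Control) -> float:
    """Avoided loss minus the control's cost; negative means it does not pay for itself."""
    return avoided_loss(c) - c.annual_cost


def rosi(c: Control) -> float:
    """ROSI = (avoided loss - cost) / cost, as a ratio (0.5 means a 50% return)."""
    if c.annual_cost == 0:
        raise ValueError("ROSI is undefined for a zero-cost control")
    return net_benefit(c) / c.annual_cost


def breakeven_reduction(c: Control) -> Optional[float]:
    """Smallest risk reduction at which the control pays for itself, or None when
    there is no annual loss to reduce (the control can never break even)."""
    ale = annual_loss_expectancy(c.annual_events, c.loss_per_event)
    if ale == 0:
        return None
    return c.annual_cost / ale


def rank_controls(controls: List[Control]) -> List[Control]:
    """Order candidate controls by net benefit, best first."""
    return sorted(controls, key=net_benefit, reverse=True)


# Figures from the article's phishing example.
PHISHING_TRAINING = Control("Awareness training", 5, 35_000, 0.85, 25_000)

# Constructed alternatives for the same phishing risk (illustrative numbers only).
CANDIDATES = [
    PHISHING_TRAINING,
    Control("Email filtering gateway (constructed)", 5, 35_000, 0.60, 60_000),
    Control("Managed takedown service (constructed)", 5, 35_000, 0.30, 70_000),
]

if __name__ == "__main__":
    for c in rank_controls(CANDIDATES):
        print(f"{c.name:42} avoided ${avoided_loss(c):>9,.0f}  "
              f"net ${net_benefit(c):>9,.0f}  ROSI {rosi(c):>5.0%}  "
              f"break-even reduction {breakeven_reduction(c):.1%}")
```

Run stand-alone, the script prints the three controls ranked by net benefit; the training comes out on top with a net benefit of $123,750 and a ROSI of 495%, while the third constructed control shows a negative ROSI, the case where the cost of the safeguard exceeds the loss it avoids. The break-even figure is the number worth bringing to a board: for the training it is about 14%, so the investment pays off even if the projected 85% reduction turns out to be wildly optimistic.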

Know How to Convince Your Board

Understanding how to communicate with your board regarding cybersecurity investments is crucial. By using terminology that resonates with board members and presenting your ROI analysis succinctly but convincingly, you give your cybersecurity initiatives the best chance of receiving the recognition, and the funding, they warrant.

Joseph Carson is a cybersecurity professional with more than 25 years of experience in enterprise security and infrastructure. Currently, Carson is the Chief Security Scientist & Advisory CISO at Delinea. He is an active member of the cybersecurity community and a Certified Information Systems Security Professional (CISSP). Carson is also a cybersecurity adviser to several governments, critical infrastructure organizations, and financial and transportation industries, and speaks at conferences globally.