
From IT to ROI: Framing cybersecurity for the board

Aligning cybersecurity with enterprise KPIs helps IT leaders demonstrate value, manage risks and make informed decisions that protect both revenue and reputation.

In October 2025, Salesforce experienced a significant breach with hackers claiming to have stolen more than one billion data records from Salesforce's clients. This breach evolved into a ransomware attack, as the bad actors demanded money to prevent the sensitive data from being released. However, Salesforce refused to pay, and some records were released, including records from large corporations such as Fujifilm, Gap and Vietnam Airlines.  

The Salesforce breach isn't the only event in the news; other companies, such as Google, TransUnion, and Workday, were also hit with cyberattacks in 2025. According to IBM's 2025 Cost of Data Breach Report, the average cost of a data breach in the U.S. is $10.22 million, which is at an all-time high for all regions. With the potential for significant costs from a cybersecurity event, board members are taking notice and applying pressure to the organization's cybersecurity staff.

When I started my IT career in the late 1990s, passwords were generally optional, most privileged accounts were named "admin" or "administrator", and the password was "Password123". Despite the first computer virus, Creeper, being inadvertently launched in 1971, cybersecurity wasn't at the forefront of most IT practitioners' minds, let alone board-level executives.

Fast forward to 2025, and the board of directors is not only expecting regular briefings from their chief information security officer (CISO) but also recruiting former CISOs to serve as board members. The National Association of Corporate Directors reported that boards are now more engaged with cybersecurity, noting a 77% increase in directors reviewing the impacts of cyber events, a 25-point jump from the same survey in 2022. What was once considered acceptable -- merely meeting regulatory requirements -- has evolved into a strategic investment aimed at maintaining business continuity, safeguarding the corporate reputation, and, in some instances, serving as a market differentiator.

As CISOs increasingly move beyond the CIO's command and share a seat at the board of directors' table, it becomes crucial for both current and future CISOs to understand the language of the business. Instead of preaching to the board about patches and firewalls, CISOs and other IT executives must be able to align cybersecurity protections with the organization's objectives and key results (OKRs) or key performance indicators (KPIs) to show the value of cybersecurity initiatives.

Framing cybersecurity as a business risk

As stated earlier, most boards of directors already view cybersecurity as a top-tier business risk. However, the question remains of how well they understand the correlation between cybersecurity and the ROI to a business. CISOs must establish a framework that maps cybersecurity risk to enterprise risks. Those enterprise risks include:

  • Financial risks may include loss of revenue due to systems or third-party vendor downtime, regulatory fines or lawsuits.
  • Operational risks may include loss of data, inability to recover after a natural disaster, and even insider threats.
  • Reputational risks can often be overstated, but they do exist. While reputational damage may have immediate consequences following a cybersecurity event, it can also have long-term effects. According to Aon's 2025 Cyber Risk Report, cyber events with reputation risks can lower shareholder value by an average of 27%.

Let's walk through an example of how to reframe cybersecurity risk as enterprise risk to support business outcomes. Patch management, for example, is a foundational cybersecurity best practice. Previously, CISO presentations to the board would cite the number of unpatched devices, the number of days a system has gone unpatched, and the severity of the vulnerabilities requiring patches. While these numbers may quantify the size of the issue, they do not convey the business impact. CISOs must learn to communicate how cybersecurity manages and mitigates business risk or, better yet, supports business outcomes.

Shifting to ROI language

Using the outcomes-based approach, the lack of patching for business-critical systems and applications increases the likelihood of system failure caused by a cybersecurity event, such as a ransomware attack. Verizon's 2024 Data Breach Investigations Report found that 14% of all breaches were due to the exploitation of vulnerabilities as the primary point of entry, which is triple the amount from the previous year.

In healthcare, that business application may be part of an imaging system. Without the imaging system, the business stands to lose revenue generated by that system. Additionally, there are potential downstream impacts, such as the need to delay or cancel a surgical procedure. This could snowball into a missed diagnosis, regulatory financial penalties, loss of insurance reimbursement, and civil and criminal lawsuits. Patients may become frustrated while waiting for a rescheduled imaging appointment and may seek alternative care. At its worst, all the snowball effects could lead to unfavorable care outcomes, including death.

In this case, the cost of mitigating the cybersecurity risk is limited to the time required for resource allocation and scheduled downtime, which is far less than the impact of an unpatched system.

Instead of attempting to develop ROI for cybersecurity capabilities, focus on the ROI of established business products. When deploying new business products and capabilities, factor in the cost of protecting those underlying systems against the revenue loss that would result from the product not being available. This builds cybersecurity into the business, rather than adding it as an afterthought. Over time, this will foster a culture of cybersecurity that enables growth and innovation rather than stifling it.

Practical strategies for CIOs/CISOs

There was a time in the not-too-distant past when it was acceptable to roll out new technology and commit to implementing cybersecurity controls as part of phase two or even later as feature enhancements.

Today's CISO needs to be able to align cybersecurity costs to business costs and, in some instances, business value. Ask yourself this: Would you continue doing business with a bank, or keep making purchases from an online retailer, that frequently suffers from system outages?

Aligning the cybersecurity pillars of confidentiality, integrity, and availability with board-level KPIs demonstrates the direct correlation between the cost of mitigating, managing or transferring (e.g., through insurance) a risk and the decision to accept it.

  • Confidentiality. Multiply the number of sensitive data records (such as personal health information) by the potential compliance penalties and possible lawsuits to quantify the risk.
  • Integrity. Multiply the number of employees by the number of systems or applications to which they have access to quantify the opportunities for a bad actor or careless employee to disrupt business outcomes. What is the impact of having to shut down all care at a hospital because patients' health records can't be trusted?
  • Availability. Multiply the average sales volume per hour by the number of hours a system is agreed to be unavailable (recovery time objective) to arrive at estimated lost sales revenue.

These are obviously simplified, but this example illustrates how cybersecurity risk can be effectively communicated in terms of business value. In a mature organization, cybersecurity risk, like other enterprise risks, may inform the business about when to enter or exit a business strategy.

It is also important to note that this information and analysis should not be presented to the board of directors only once or even once per year. Ideally, this information is available in real time through dashboards, which may serve multiple purposes. On the business side, cybersecurity capabilities are mapped to business operations and strategy. This shows how cybersecurity investments protect business value. On the other hand, unless your cybersecurity program has unlimited resources, these dashboards can help identify which capability gaps and weaknesses to address, thereby maximizing business operations and strategy. This also allows you to reprioritize in the event of an unexpected incident.

The board also concerns itself with emerging risks, including current and future threats such as AI-driven attacks. Working with any vendor introduces supply chain risk, so scenario planning and vendor diversification are crucial. Cloud misconfigurations should also be addressed, and the downtime caused by the AWS outage in October 2025 is a useful reference point for vendor concentration risk. Regulatory compliance is another topic on the board's mind, with laws changing regularly, particularly as AI advances.

The executive takeaway

The board of directors clearly understands that adding another facility comes with significant capital and operational expenses. For example, additional square footage comes with increased utility costs, property taxes, equipment and numerous other expenses. They even understand that there are costs associated with securing the property, including access-controlled doorways, CCTV cameras and possibly security guards. Why shouldn't cybersecurity costs be expected to increase as an organization grows its physical and digital footprint? Cybersecurity costs should be part of the value proposition, rather than a line item in the overall IT budget.

By integrating cybersecurity capabilities into the organization's OKRs or KPIs, there is increased visibility into the business value or ROI generated. Without effective cybersecurity controls, business services are vulnerable to failing to meet regulatory requirements, experiencing data breaches, or suffering outages. All of these may result in additional financial penalties and reputational damage, ultimately impacting the bottom line.

Finally, CIOs and CISOs who can articulate the value that cybersecurity brings to the business may find themselves steering the company on the risks and rewards of entering a particular business or offering. It is not enough to have a seat at the table to answer questions from the board of directors; effective cybersecurity leaders will have the influence and credibility to shape the company, and perhaps even an entire industry.

To summarize, here is a to-do list to consider when addressing the board with cybersecurity:

  • Use business language when discussing security controls. For example, use business outcome statements such as "patching these systems reduces downtime by X hours, which protects $Y in revenue."
  • Establish cybersecurity OKRs/KPIs. Tie them directly to corporate OKRs; for example, a corporate objective of protecting patient access systems maps to a cybersecurity KPI such as the percentage of uptime for those platforms or the reduction of high-risk vulnerabilities on them.
  • Create a cybersecurity heat map. Use this to map any vulnerabilities within the organization and add the dollar impact or revenue exposure. This identifies the highest-priority areas based on both revenue exposure and business continuity. Don't forget to consider the potential regulatory impact on the revenue loss exposure, which includes costs such as fines, as well as recovery costs.
  • Conduct regular meetings with various business units, including IT, product and legal. These meetings should include reviewing resiliency plans, updating threat models and aligning risk tolerance.
  • Create a board-ready dashboard. Having metrics such as business service uptime, enterprise risks and financial exposure, compliance status, and time to detect and respond to threats helps frame cybersecurity as an ROI in all initiatives. Be sure to frame all these metrics to align with business impact.
  • Quantify cyber incidents. This helps show the financial value of prevention to the board. These formulas should include the cost of downtime, lost revenue, regulatory fines and reputational recovery costs.
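The three pillar formulas under "Practical strategies for CIOs/CISOs" and the heat map and incident quantification items in this list all reduce to the same small model: a register of business services with their exposure inputs, a dollar exposure per service, and a ranking. The following Python program is an added example, not code from the article or its author, that implements that model end to end. Every figure in the sample register, the heat-map dollar thresholds, and the assumption that an outage on an unpatched system lasts the full recovery time objective are constructed for illustration and should be replaced with the organization's own numbers.

```python
from dataclasses import dataclass


@dataclass
class BusinessService:
    """One revenue-generating service plus the inputs the three pillar formulas need."""
    name: str
    sensitive_records: int        # records held, e.g. patient health records
    penalty_per_record: float     # assumed compliance penalty + lawsuit cost per exposed record
    employees_with_access: int
    systems_in_scope: int
    sales_per_hour: float         # revenue the service generates per hour
    rto_hours: float              # agreed recovery time objective, in hours
    high_risk_vulns: int          # open high-severity findings awaiting a patch
    regulatory_fine: float = 0.0  # estimated fine if the service fails compliance during an outage
    recovery_cost: float = 0.0    # estimated incident response, forensics and rebuild cost


def confidentiality_exposure(svc: BusinessService) -> float:
    """Records x (penalties + lawsuits) per record: the article's confidentiality formula."""
    return svc.sensitive_records * svc.penalty_per_record


def integrity_exposure_paths(svc: BusinessService) -> int:
    """Employees x systems they can reach: a count of ways data could be altered, not dollars."""
    return svc.employees_with_access * svc.systems_in_scope


def availability_exposure(svc: BusinessService) -> float:
    """Sales per hour x RTO hours: estimated lost revenue for one outage lasting the agreed RTO."""
    return svc.sales_per_hour * svc.rto_hours


def incident_cost(svc: BusinessService) -> float:
    """Dollar cost of one incident: lost revenue, breach penalties, regulatory fines and recovery."""
    return (availability_exposure(svc) + confidentiality_exposure(svc)
            + svc.regulatory_fine + svc.recovery_cost)


def heat_band(cost: float, high: float = 5_000_000, medium: float = 1_000_000) -> str:
    """Map dollar exposure to a heat-map band; thresholds are assumed, tune them to the board's risk appetite."""
    if cost >= high:
        return "HIGH"
    if cost >= medium:
        return "MEDIUM"
    return "LOW"


def heat_map(services: list[BusinessService]) -> list[tuple[str, float, str, int]]:
    """Rank services by incident cost, highest first, with their band and open high-risk vulns."""
    rows = [(s.name, incident_cost(s), heat_band(incident_cost(s)), s.high_risk_vulns)
            for s in services]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def board_statement(svc: BusinessService) -> str:
    """Phrase a patching request as a business outcome, as the to-do list above suggests.
    Assumes (hypothetically) that an outage on the unpatched service would last the full RTO."""
    return (f"Patching {svc.high_risk_vulns} high-risk vulnerabilities on {svc.name} "
            f"avoids up to {svc.rto_hours:g} hours of downtime and protects "
            f"${availability_exposure(svc):,.0f} in revenue per incident "
            f"(total incident exposure ${incident_cost(svc):,.0f}).")


# Constructed sample register; every figure below is illustrative, not from the article.
SAMPLE_SERVICES = [
    BusinessService("Imaging system", 250_000, 50.0, 400, 12, 20_000.0, 8.0, 14, 500_000.0, 300_000.0),
    BusinessService("Patient portal", 1_200_000, 50.0, 60, 5, 1_500.0, 24.0, 3, 2_000_000.0, 400_000.0),
    BusinessService("Cafeteria POS", 0, 0.0, 25, 2, 800.0, 48.0, 9, 0.0, 20_000.0),
]

if __name__ == "__main__":
    for name, cost, band, vulns in heat_map(SAMPLE_SERVICES):
        print(f"{band:6} ${cost:>14,.0f}  {vulns:3} high-risk vulns  {name}")
    print(board_statement(SAMPLE_SERVICES[0]))
```

Note how the ranking separates the two questions a board asks: the cafeteria point-of-sale system has more open high-risk findings than the patient portal, but the portal's record count puts it at the top of the heat map, which is the revenue-exposure ordering the article argues for. The integrity count is deliberately kept separate from the dollar total, since the article's formula yields a number of access paths rather than a cost.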


John Doan is the senior director of cybersecurity advisory and cybersecurity domain architect for a world-renowned healthcare organization.
