All articles
Strategy · 3 Jul 2025 · 2 min read

The economics of cybersecurity: speaking CFO language

Security often gets pigeonholed as a cost centre, but reframing it as a strategic investment unlocks boardroom support and budget clarity. For Australian organisations, translating technical controls into financial terms is essential to securing funding and demonstrating value, and it is exactly how we frame the roadmaps we build.

Reframe risk in dollars

Start by estimating the cost of a potential incident, both direct and indirect: regulatory fines under the Notifiable Data Breaches scheme, remediation, legal fees, and the reputational damage that dents customer trust. If a platform averages a million dollars of revenue a day, even a few hours of ransomware downtime is tens of thousands in lost sales alone. Quantifying the "what if" scenarios creates a shared language with finance.

The financial metrics that land

  • Annual Loss Expectancy (ALE). Likelihood of an incident multiplied by average loss per event. A 0.2 annual chance of a $500,000 breach is a $100,000 ALE.
  • Return on Security Investment (ROSI). Risk reduction value against the cost of the control. A control that cuts expected losses by $120,000 and costs $60,000 returns 100%.
  • Total Cost of Ownership (TCO). Beyond licensing, count implementation, maintenance, training and upgrades across a multi-year horizon.

Frame the business case

Lead the executive summary with the financial impact: "By investing $X in phishing-resistant MFA and Conditional Access, we cut expected annual losses by $Y, a net benefit of $Z." Add benchmarking, peers typically allocate 5 to 7 percent of IT budget to cyber, against your current 3 percent. Keep the visuals simple: a before-and-after loss projection, key figures called out, axes labelled in dollars, no jargon.

Maintain momentum with reporting

Once funded, give the CFO and board quarterly updates against target: Microsoft Secure Score improvement, incident counts, mean time to detect. Tie each gain back to cost avoidance, "phishing click-through down 50%, lowering potential credential-compromise cost by an estimated $30,000 a year."

Make finance a partner

Bring finance in early, invite the CFO or a delegate to risk workshops and tabletop exercises. When they see rigorous scenario modelling and clear ROI, they become advocates rather than gatekeepers. Speak in avoided losses, efficiency gains and strategic alignment, and cybersecurity stops being a line item and becomes a business enabler.

This is exactly how we shape a cybersecurity strategy and the board-ready output of a cyber health check, costed, sequenced, and framed for the people who sign off the budget.

Need a security business case your CFO will back?