How CISOs can justify security investments in financial terms

In this Help Net Security interview, John Verry, Managing Director at CBIZ, discusses how insurers and financial risk professionals evaluate cybersecurity maturity through different lenses. He also shows how framing cyber risk in business terms can strengthen investment cases and elevate cybersecurity as a strategic driver.


What should CISOs know about how insurers and financial risk professionals are evaluating cybersecurity maturity?

Cybersecurity maturity is viewed differently depending on the stakeholder, and effective programs must account for these varying perspectives. Financial risk professionals approach it through an Enterprise Risk Management (ERM) lens, evaluating how well cyber risks are identified, mitigated, and aligned to financial, operational, and regulatory impacts. On the other hand, cyber liability insurers assess maturity based on exposure to cybersecurity events, using self-assessments, third-party assessments, external scans, document reviews, and sometimes interviews to estimate the likelihood and cost of an incident.

The good news: aligning your program with a trusted, open framework like ISO 27001 or the NIST Cybersecurity Framework helps bridge these perspectives. It enables you to demonstrate a proactive security posture, reduce ERM-related concerns, and potentially qualify for insurance incentives — all while speaking a common language that resonates across risk, security, and executive stakeholders.

Equally (and sometimes more) important, adopting a framework-based approach, especially when validated through third-party attestations such as ISO 27001, HITRUST, or SOC 2, reinforces trust with your most critical audience: your clients.

What are the most effective ways CISOs can communicate cybersecurity risks in financial or business terms to non-technical executives?

A common challenge we see is the absence of a formal ERM program, or the fragmentation of risk functions, where enterprise, cybersecurity, and third-party risks are evaluated using different impact criteria. This lack of alignment makes it difficult for CISOs to communicate effectively with the C-suite and board. Standardizing risk programs and using consistent impact criteria enables clearer risk comparisons, shared understanding, and more strategic decision-making.

This challenge is further exacerbated by the rise of AI-specific regulations and frameworks, including the NIST AI Risk Management Framework, the EU AI Act, the NYC Bias Audit Law, and the Colorado Artificial Intelligence Act. AI does not fit neatly into a single risk category; it cuts across enterprise, cyber, and third-party domains. As a result, building an effective AI Risk Management program requires a coordinated, cross-functional approach that integrates with the broader ERM strategy.

How are forward-thinking organizations embedding cybersecurity into their overall enterprise risk management strategies, and what’s the role of the CISO in shaping that integration, especially in sectors where cyber has historically been treated as a siloed IT issue?

Cybersecurity has traditionally been seen as a ‘value preservation’ function, focused on risk mitigation. However, forward-thinking CISOs recognize that a mature, strategic security program also drives ‘value creation’ by supporting innovation/digital transformation and building stakeholder trust. When aligned with the organization’s strategic goals, cybersecurity becomes a business enabler, breaking down silos and elevating the CISO into a true strategic leader.

Unfortunately, many organizations, particularly in the manufacturing sector, have been slower to adopt this mindset. It is an industry where cybersecurity has historically taken a back seat, and is now facing significant consequences. Defense Industrial Base (DIB) suppliers risk losing existing contracts or being disqualified from new opportunities due to delayed CMMC compliance efforts, often requiring 12 to 18 months to complete. Similarly, automotive supply chain manufacturers face mounting pressure as TISAX certification becomes a baseline requirement.

The lesson is clear: cybersecurity is no longer optional and needs to be proactive, not reactive. It’s a strategic differentiator, and those who fail to act risk falling behind.

How should CISOs approach conversations about cyber risk tolerance with CFOs or risk committees, especially when it comes to justifying security investments?

Communicating security investments in clear, business-aligned risk terms—such as High, Medium, or Low—using agreed-upon impact criteria like financial exposure, operational disruption, reputational harm, and customer impact makes it significantly easier to justify spending and align with enterprise priorities.

For example: “Funding the proposed security monitoring tool is critical to achieving CMMC certification, which directly supports our $5M 2027 revenue target in the Defense Industrial Base.”

In our Virtual CISO engagements, we’ve found that a risk-based, outcome-driven approach is highly effective with executive leadership. We frame cyber risk tolerance in financial and operational terms, quantify the business value of proposed investments, and tie security initiatives directly to strategic objectives. We minimize technical jargon, emphasize trade-offs, and present leadership with clear, decision-ready options that reflect both the costs and consequences of action and inaction.

CBIZ works with many mid-market firms. How are they thinking differently about cyber risk compared to large enterprises, and what are some of the unique risk management blind spots or opportunities you’re seeing in that segment?

Mid-market firms often lack the internal resources or specialized expertise to stay ahead of emerging cybersecurity, privacy, and AI-related risks and regulations. The consequences can be significant, from data breaches and regulatory penalties to missed market opportunities.

This challenge has created a strategic opportunity for both mid-market firms and solution providers: virtual services that deliver CISO, Data Privacy Officer, CIO, and legal capabilities on-demand, often at a fraction of the cost of full-time staffing. These models enable faster compliance, stronger resilience, and more agile risk management.
