Win over the board: CISO strategies for proving security’s ROI

The pressure is on for CISOs to prove that security isn’t just a cost center, but a strategic driver of business growth and resilience. But justifying security investments to the board is an ongoing challenge, especially given the cost of managing risk and protecting organizational assets. It’s a delicate balancing act where CISOs must demonstrate tangible business value without compromising key performance indicators (KPIs).

How can CISOs gain buy-in from the board? We spoke with CISOs from OneMain Financial and Kyndryl to get their top three strategies for translating security initiatives into concrete business outcomes. By focusing on these approaches, CISOs can effectively communicate the value of their security programs and gain necessary support from the board.

Best practice No. 1: Align security goals with business objectives

Security shouldn't be viewed as an isolated function, but as a strategic enabler of business success. To effectively demonstrate return on investment (ROI) to the board, CISOs must clearly articulate how their initiatives directly contribute to the organization’s bottom line.

“In my experience, board members are looking to mitigate systemic risks. They want to make sure that if a small bolt breaks, the machine will keep running,” says Jane Domboski, CISO at OneMain Financial, a company that empowers customers to reach a better financial future. “By explaining the key risks we’re trying to avoid, we can lay out a clear vision for our security strategy.”

CISOs can showcase the tangible impact of their work by aligning security goals with overarching business objectives. For instance, they can demonstrate how a robust cybersecurity posture can protect revenue streams, reduce operational costs, or mitigate risks that could hinder growth. Quantifying the impact of security on KPIs — such as how improved incident response times have reduced downtime and financial losses — will help CISOs build a compelling case for continued investment.

Best practice No. 2: Let the data do the talking

Data is the cornerstone of effective storytelling. CISOs must harness the power of metrics to create an impactful narrative that shows the value of their security investments in action. By selecting the right metrics and presenting them in a clear and concise manner, CISOs can transform complex security information into actionable insights for the board.

“At Kyndryl, we track maturity, which is what we do within our security program, and effectiveness, which is how well we do it,” says Cory Musselman, CISO at Kyndryl, the world's largest provider of IT infrastructure services. “We’ve built a ‘cyber balance scorecard’ to measure these KPIs every quarter so we can show senior leadership and the board that we’re executing against our plan.”

Key metrics such as a reduction in security incidents, improved incident response times, and increased user productivity can be powerful indicators of security effectiveness. However, it's essential to go beyond raw numbers and provide context. To ensure the board fully grasps the significance of the data, it can help to provide easy-to-understand visuals, such as charts, graphs, and other visual aids. By telling a story with data, CISOs can build a strong case for continued security investments.

“I use spider charts to show our board what our inherent risk would be if we had no security controls. Then I show them where we are now with our current set of controls and where we want to be,” Domboski explains. “This shows them that our Identity platforms are exactly what we need to implement Zero Trust and keep our business secure.”

Best practice No. 3: Go from cost center to value driver

To truly demonstrate the value of security investments, CISOs must effectively communicate how their initiatives mitigate risks and prevent costly breaches. Calculating the ROI of security initiatives can be challenging — but by quantifying the potential financial, legal, and reputational impact of security incidents, CISOs can build a compelling case for increased security spending.

“We use examples of real attacks and show how we've mitigated them,” Musselman explains. “This gives the board context and helps them better understand the ROI. It goes from being a potentially vague concept to something more real and tangible.”

To prove ROI to the board at OneMain Financial, Domboski compares the percentage of attacks that are remediated by technology to those that require human involvement. She says, “When the board can see trends in the attacks against us and how many are handled by technology alone, they understand the return on investment.”

Securing support from the board for long-term success

Convincing the board of the value of security investments is both a critical challenge and a powerful opportunity for CISOs. Proving security ROI is not merely about justifying expenditures — it’s about positioning security as a strategic driver of business success.

By adopting these best practices from experienced CISOs, you can build trust, gain support, and secure the necessary resources to protect your organization from evolving threats. The key is to tell a compelling story that resonates with the board’s priorities and proves how security safeguards your organization’s future.

Register for our upcoming webinar with Jane Domboski, CISO at OneMain Financial, and Cory Musselman, CISO at Kyndryl, to learn more about how they’re making Identity a key part of their security organization.