
If you’re a CISO, you’ve probably had this experience: you walk into a board meeting armed with metrics, updates, and a clear picture of the threats your team has neutralized — and you walk out feeling like everyone just heard “we need to spend more money.”
It’s not that executives don’t care about security. It’s that the way most security leaders talk about their work doesn’t connect to what the business side actually cares about. Risk scores, vulnerability counts, and threat landscapes are meaningful to you. To your CFO, they’re abstractions.
The good news is that this is a framing problem, not a value problem. Your security function is already protecting the company financially — you’re just not getting credit for it. Here’s how to change that.
Why the “cost center” label sticks
Security has a visibility problem. When your team does its job well, nothing happens. No breach, no downtime, no regulatory fine. That’s a hard story to tell in a quarterly business review, because “nothing bad happened” doesn’t show up on a balance sheet.
Meanwhile, what does show up is the budget. Security spending has grown significantly over the past decade, and executives notice. When they can see the cost but can’t see the return, it’s natural for them to start treating security like overhead — necessary, maybe, but not strategic.
Other functions have faced the same challenge. Legal departments were once seen as pure cost centers, too. The ones that shifted that perception did it by tying their work to business outcomes: deals closed, disputes avoided, regulatory penalties prevented. Security can do the same thing — it just requires a different conversation.
Shift from “risk reduction” to “financial protection”
Here’s the core reframe: stop talking about risk and start talking about money.
Executives understand financial exposure. They understand the cost of downtime, the price of regulatory noncompliance, and the impact of reputational damage on revenue. What they don’t always understand is how your security program maps to those numbers.
Instead of reporting that you “reduced the attack surface by 30%,” try something like: “Our endpoint detection investment has reduced our estimated exposure to ransomware losses by $4 million annually, based on industry claims data for companies our size.”
That’s the same achievement, repackaged in a language the CFO already speaks. You’re not dumbing anything down — you’re translating.
Cyber insurance claims data is particularly useful here. It gives you real-world loss figures tied to specific types of incidents, which means you can ground your estimates in something more concrete than a risk matrix. When you can say “companies like ours that don’t invest in X see average losses of Y,” you’re no longer making a theoretical argument. You’re pointing at evidence.
Speak the language of the business
One of the fastest ways to shift how you’re perceived is to change the words you use. Here are a few swaps that can make a real difference in how your updates land with non-technical stakeholders:
Instead of: “We need to improve our patch management cadence.” Try: “We have a window of exposure on some systems that could lead to unplanned downtime. Here’s our plan to close it and what it costs if we don’t.”
Instead of: “Our phishing simulation click rate dropped to 12%.” Try: “Our employee training program has reduced the likelihood of a successful social engineering attack — the number one cause of claims in our industry — by X% this year.”
Instead of: “We’re implementing zero trust architecture.” Try: “We’re restructuring access controls to limit the monetary damage of any single compromised account, which is how most costly breaches start.”
Notice the pattern: every reframe ties back to a dollar figure, an operational impact, or both. You’re adding a layer of business context that makes the information actionable for your audience — not sacrificing technical accuracy, just making it land differently.
It also helps to align your priorities explicitly to the things your CFO and board already track. Revenue protection, operational continuity, regulatory compliance costs, and M&A risk are all areas where security has a direct, measurable impact. When your roadmap maps to their priorities, you stop being an expense line and start being a safeguard.
Use data to make the case
“Trust me, this matters” is not a strategy. If you want to be treated as a strategic function, you need to bring evidence — the same way the finance team does.
Loss trends are another powerful tool. When you can show the board that the average ransomware claim in your industry costs a specific dollar amount, and then explain how your program reduces the likelihood and severity of that kind of event, you’ve made a quantifiable argument. You’re showing your work, not asking for faith.
And don’t overlook the story that your own incident data tells. Track near-misses, blocked attacks, and averted losses. Keep a running record of what your team has prevented, translated into estimated dollar impact. Over time, this becomes a compelling narrative: here’s what we’ve saved the organization, quarter over quarter.
Finally, benchmarking. How does your security spending compare to peers in your industry and at your revenue level? Are you spending more or less, and what are you getting for it? Benchmarking isn’t perfect, but combined with a discussion of return on investment, it gives you additional context for framing how wisely your budget is allocated.
Forge alliances before budget season
If the only time you’re making the case for security’s value is during the annual budget process, you’ve already lost. By that point, the CFO has a number in mind, and you’re negotiating against a ceiling.
The CISOs who successfully shift the cost center perception do it year-round. A few strategies that work:
Regular touchpoints with finance. Don’t wait for budget season to talk to your CFO. Share quick updates — a relevant breach in the news, a change in the regulatory landscape, a claims trend that affects your industry. You’re creating a shared understanding over time, so that when budget conversations do happen, your CFO already has context.
Involve legal and compliance early. These teams often face the same “cost center” perception, and they’re natural allies. When you collaborate on regulatory readiness or incident response planning, you’re demonstrating cross-functional value that’s hard to dismiss.
Show up for business decisions. When there’s a new product launch, an acquisition, or a vendor evaluation, be at the table — not to say no, but to help assess and manage the risk vs. reward in dollar terms. The more you’re seen as an enablement partner in business decisions, the less you’ll be seen as a cost of doing business.
Educate the board in small doses. Board members don’t need (or want) a deep dive into your tech stack. But a two-minute update that connects a recent industry trend to your company’s specific exposure? That earns credibility and keeps security top of mind between annual reviews.
You don’t need to “sell” security to your leadership team. The value is already there — in the losses your team has quietly prevented, the continuity they’ve maintained, and the exposure they’ve reduced.
What you do need to do is make that value visible, in terms your stakeholders already understand. Swap risk language for dollar language. Bring data, not just expertise. Cultivate relationships with business leaders before you need their support.
When you do that, you stop being the person who spends money on things the board can’t see — and start being the person who protects the company from losses they can’t afford.