Communicating Cybersecurity ROI to Your CFO

Learn how to make the best case for cybersecurity spending in your organization with key tips for CISO-to-CFO communication.
April 4, 2023

Over the past several months, organizations have felt the strain of tumultuous economic conditions. Budget reductions ranging in severity from technology spending cutbacks to throngs of employee layoffs have sent waves of uncertainty throughout the workforce. And while cybersecurity spending has historically been shielded from budget slashing, as the risk exposure could lead to greater costs than the technology itself, it is no longer immune from the chopping block.

CFOs are tasked with evaluating all aspects of profitability across the organization, making it sometimes difficult for CISOs and security leaders to prove the business value of security spending. To gain a deeper understanding of how this evaluation process affects technology adoption, I spoke with a few key Chief Financial Officers in the industry.

In a series of recent blog posts, I chatted with Sam Wolff at Domestika, Adam Meister at Clari, and Bill Losch, formerly at Okta, to get their perspective on the current state of the macroeconomic environment. This blog is a culmination of their expert insights and advice, which I hope will help your organization prioritize cybersecurity technology.

Starting the Conversation with Your CFO

When it comes to evaluating technology spend of any kind, CFOs must look through a more meticulous lens than ever before. It’s important for CISOs to go into the budget conversation with some level of risk tolerance.

The reality in this environment is that CFOs and internal finance teams are more risk-tolerant and are willing to make more difficult compromises. CFOs won’t be able to allocate the same budget to cybersecurity they did a year ago, which means CISOs and security leaders must be strategic in prioritizing the most impactful features of the technology they are championing and in positioning them as invaluable to the organization. This will require CISOs to reassess the technology they are currently using and strike a delicate balance between the risk and the reality of their spending. It’s crucial to set expectations for both sides of the table from the outset. Come to the conversation with a realistic mindset that not all of your asks will get funded.

Making the Case for Security Spending

Once you’ve set the tone for the budget discussion, there are a few best practices you’ll want to consider when making your case. The following tenets were suggested by the CFOs we spoke with. Using these tactics, you can ensure a more productive and fruitful conversation.

Speak a Common Language

CFOs understand risk and tradeoffs well, so present your security plan in that light. Rank your risk areas and clearly (in a non-jargon way) explain the impact of the risk area on the company, the coverage, and how the investment will help mitigate the risk.

Outline Risk Priorities

Highlight the top risk areas requiring the most attention and how those risks can be remediated. Be prepared to rank priorities based on risk, knowing that a solution to every need may not be possible.

Provide the Right Data

Utilize reputable threat reports and case studies from businesses within the same industry. This allows your CFO to not only see the potential risk of what could happen by not implementing a security solution but also provides them with a framework of knowledge about cybersecurity as a whole.

Distinguish Security Solutions

One of the most difficult things for CFOs and security teams to see eye to eye on is the need for more than one security tool as there's so much overlap in security. Be prepared to explain why multiple tools are needed and if/how they can work together to create a holistic security stack.

Choosing the Right Solution for Your Needs

Of course, the most important decision will be choosing the right security solution for your organization. There are numerous factors to consider when evaluating all of the technology our market has to offer. Some of the most crucial benefits, aside from superior threat detection and remediation, are cost efficiency and the ability to speed up manual processes. You should invest in a cybersecurity platform that effectively protects your organization, saves time and effort, and is cost-effective overall. Showcasing a solution that encompasses these values to your CFO will only serve to further your case for security spending.

See the ROI Your Organization Could Experience with Abnormal

We know CISOs have several options when it comes to selecting the right cybersecurity technology for your organization. Abnormal Security checks all of your boxes, protecting organizations from the most advanced attacks, saving SOC hours, and providing high ROIs across the board. Our behavioral AI-based technology leverages machine learning to stop even the most sophisticated email attacks that evade traditional security solutions.

In order to assist security leaders like you in building an effective business case for email security investment, we created an ROI calculator that demonstrates the return on investment you could experience with Abnormal Security. Try it today!
