Episode 51 — Build Business Support for Security Work Using Value, Cost, and Tradeoffs
In this episode, we focus on how to build real business support for security work by speaking the language that decisions are made in, which is value, cost, and tradeoffs rather than fear. Fear can get attention for a moment, but it rarely sustains funding, and it often creates defensive reactions that make cooperation harder. Leaders are paid to make choices under uncertainty, and they need security teams to translate technical risk into decision-ready information. That translation has to feel grounded, not theatrical, and it has to respect the reality that security competes with growth, customer experience, and operational efficiency. When you communicate well, you stop being the department of no and become a partner in running the business safely. When you communicate poorly, security is seen as an overhead cost with unclear benefits, and even necessary work becomes harder to execute. The goal is not to sugarcoat risk, but to present it in a way that aligns to business outcomes and can be acted on. If you can do that consistently, support becomes durable because leaders understand what they are buying and why it matters.
Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
Value should be defined in outcomes that the business already cares about, such as reduced loss, improved stability, and increased trust. Reduced loss can mean fewer incidents, smaller incident impact, reduced fraud, fewer outages triggered by security events, and lower remediation costs when things go wrong. Stability can mean predictable operations, fewer emergency changes, and reduced downtime from vulnerabilities or misconfigurations that create cascading failures. Trust can mean customer confidence, smoother enterprise sales cycles, fewer compliance-related delays, and stronger brand resilience when competitors stumble. Value also includes internal trust, because teams work faster when they believe systems are dependable and governance is predictable. The critical move is to connect the security initiative to an outcome that has a clear business impact, even if the impact is described as risk reduction rather than direct revenue. Leaders can fund risk reduction when the value is articulated as avoiding meaningful loss and preserving the ability to operate. Security teams sometimes hesitate to talk in these terms because they feel intangible, but outcomes become tangible when you define what changes operationally and what failure modes are being reduced. The best value statements describe how the business will behave differently after the initiative succeeds. When value is clear, support becomes easier to win.
Cost framing is where many security proposals fail, because they present cost only as money and ignore the other costs leaders feel, such as time and operational disruption. Money matters, but the time cost of engineering effort, the opportunity cost of delaying other work, and the disruption cost of changing systems often matter just as much. A mature proposal frames cost across these dimensions so leadership can understand what the organization will actually experience. Time cost includes not only implementation time but also ongoing maintenance and operational load, because some controls require constant care. Operational disruption includes migration risk, training needs, workflow changes, and the possibility of short-term productivity loss while teams adapt. Cost framing should also include how costs can be reduced through phasing, automation, or reuse of existing capabilities. When you frame costs honestly, leaders trust the proposal more because it does not feel like a surprise waiting to happen. Honesty about cost also makes tradeoff discussions more productive because everyone is working from the same reality. The goal is to make the cost visible without making it feel like punishment.
Tradeoffs should be presented clearly, including what happens if nothing changes, because decisions are comparative, not absolute. Every initiative competes with alternatives, and leaders need to see the consequences of each choice. The most common tradeoff is between stronger controls and faster delivery, but there are also tradeoffs between centralized tooling and team autonomy, between stricter access control and short-term convenience, and between investing now and paying more later during incidents. Presenting tradeoffs requires you to state what you are choosing not to do or what you will do later, because that is where decisions become real. It also requires you to describe the baseline, meaning the current state and its likely trajectory if left unchanged. The do-nothing option should not be framed as moral failure, but as a legitimate option with known consequences, such as continued incident frequency, continued audit pain, continued downtime risk, or continued reliance on manual processes. When leaders see the do-nothing consequences, they can weigh whether the current risk is acceptable. Tradeoffs also help you avoid overpromising, because you can state what the initiative will not solve. A clear tradeoff narrative is more persuasive than a perfect-sounding plan.
A frequent pitfall is asking for funding without tying it to business priorities, because leadership budgets are anchored to goals like growth, customer retention, operational excellence, and regulatory commitments. If a security proposal does not connect to those priorities, it will look like a nice-to-have even if it is important. Tying security work to business priorities does not mean making up revenue claims, it means connecting the initiative to the conditions that enable the business to execute. For example, if the business is pushing into enterprise markets, security maturity and compliance readiness may be sales enablers. If the business is emphasizing reliability, reducing outage risk from vulnerabilities may be aligned with availability goals. If the business is under regulatory scrutiny, building repeatable evidence pathways and privacy controls supports compliance commitments. The connection should be specific, not generic, because generic alignment language reads like a template. It should also reflect the organization’s risk appetite, because different businesses accept different levels of risk depending on their model and constraints. When security work is tied to priorities, it becomes part of the plan rather than an external request.
A quick win that helps decisions land is to propose options at different price points, because options turn a request into a choice. A single expensive proposal invites rejection, while a set of options invites negotiation and collaboration. Options should be meaningfully different, not cosmetic, and they should be tied to different risk reduction levels and different operational impacts. For instance, one option might be a minimal improvement using existing tools and processes, another might be a moderate investment that automates key controls and reduces operational load, and a third might be a comprehensive approach that delivers deeper risk reduction and resilience. Each option should include what it accomplishes, what it costs, what tradeoffs it introduces, and what residual risks remain. Options also allow leadership to choose a path that fits current constraints while preserving a roadmap to stronger posture later. This approach shows you understand budget realities and are not trying to force a single outcome. It also makes your proposal feel like a strategic plan rather than a demand. When leaders can pick an option, they are more likely to commit.
Scenario rehearsal is useful here: an executive challenges the benefits, and you need to answer crisply without drifting into jargon or alarm. The best response starts with the outcome, not the tool, and it uses a small number of concrete claims. You can explain what loss or disruption the initiative reduces and how that reduction shows up operationally, such as fewer emergency fixes, fewer customer-impacting incidents, or faster detection and containment. If challenged on uncertainty, you acknowledge uncertainty and then explain why the initiative is a rational investment given the current exposure and dependency. You avoid dramatic language and instead use clear comparisons, such as the cost of the initiative versus the cost of recent incidents or the expected cost of a plausible failure. Crisp answers also come from being able to say what you will measure to show progress, because measurement shifts the conversation from belief to evidence. If the executive asks why now, you connect to a current business driver, such as upcoming audits, increased scale, new data exposure, or increased threat activity against your industry. The tone matters, because executives respond better to calm confidence than to urgency theater. When you answer crisply, you signal maturity and make it easier to approve the work.
Risk stories can be effective, but they must use numbers rather than dramatic language, because numbers make the story comparable and actionable. A risk story should describe a plausible failure mode, the exposure path, the impact range, and the factors that influence likelihood. Numbers do not have to be perfect, but they should be reasonable and transparent, such as ranges based on historical incidents, industry benchmarks, or internal metrics like downtime hours and response costs. You can quantify time impacts, such as how long services would be disrupted, how long it would take to detect and contain, or how many staff-hours would be consumed by response. You can quantify business impacts, such as customer churn risk, support load increases, contractual penalties, or delayed product delivery due to emergency remediation. The goal is to help leadership see that risk is not an abstract cloud but a set of costs that can be influenced. Dramatic language often backfires because it feels manipulative, while numbers invite scrutiny and refinement. When you present risk with numbers, you also make it easier to compare options because each option can be described as moving the numbers. This turns security into a decision science rather than a persuasion contest.
Alignment to strategic goals and compliance needs is what turns security initiatives into enablers rather than obstacles. Strategic goals might include expansion to new markets, improved reliability, faster product delivery, or stronger customer trust. Compliance needs might include specific audit requirements, privacy obligations, or contractual expectations from enterprise customers. Security initiatives can support these goals by reducing friction, such as making evidence collection continuous rather than manual, or by enabling secure onboarding of new partners and customers. Alignment should be expressed as a direct relationship between the initiative and a goal, not as a vague statement that security supports everything. For example, if the goal is faster enterprise sales, explain how stronger controls reduce security questionnaire friction and reduce the risk of deal delays. If the goal is platform reliability, explain how vulnerability management and access controls reduce outage risk from compromised systems or emergency patches. If the goal is regulatory readiness, explain how continuous checks and auditability reduce audit scramble and reduce noncompliance risk. When alignment is specific, leadership can see the initiative as part of delivering business outcomes. That framing changes the conversation from cost to investment.
Progress must be shown with metrics that indicate risk reduction, because leadership support strengthens when they can see movement rather than promises. Metrics should be chosen carefully, because measuring the wrong thing can create perverse incentives or false confidence. Useful metrics often include exposure reduction, such as fewer public storage findings, reduced privileged access sprawl, or increased coverage of encryption and monitoring. They can include response improvements, such as faster detection time, faster containment time, or reduced incident volume in specific categories. They can include compliance readiness improvements, such as increased percentage of controls with automated evidence paths or reduced number of unresolved exceptions. Metrics can also track operational burden, such as reduced manual review time due to automation, which is valuable because it frees staff to focus on higher-value work. The key is to tie metrics back to the outcomes and tradeoffs discussed earlier so they are meaningful. Metrics should be reported consistently and accompanied by context, because raw numbers without interpretation can be misleading. When metrics show progress, leaders feel confident that the investment is producing value. That confidence makes future asks easier.
A memory anchor that helps you prepare decision-ready proposals is value, cost, tradeoffs, and evidence win decisions, because it reminds you what leaders need. Value describes what improves and why it matters to the business. Cost describes what the organization must spend in money, time, and disruption. Tradeoffs describe what you gain and what you give up, including the do-nothing consequence. Evidence describes how you will prove progress and how you will demonstrate that the initiative is working. This anchor prevents the common mistake of presenting a technical plan without the decision frame around it. It also makes your communication more disciplined, because you can structure your pitch around these elements and avoid wandering into detail that does not support the decision. Evidence is particularly important because it reduces the trust burden, meaning leadership does not have to take your word for it. When you come with value, cost, tradeoffs, and evidence, you respect leadership’s job and make it easier to approve the work. Over time, this approach builds credibility for the security function. Credibility is what turns security into a strategic partner.
Building allies is another critical component, and it happens by involving stakeholders early and often rather than presenting a finished plan at the last moment. Stakeholders often include engineering leaders, operations teams, legal, compliance, product managers, and customer-facing leaders who feel the impact of security controls. Early involvement helps you discover constraints and opportunities, such as existing tooling, upcoming platform changes, or business deadlines that the initiative must respect. It also helps create shared ownership, because stakeholders are more likely to support a plan they helped shape. Involving people early also reduces surprise resistance, because objections are surfaced while there is still time to adjust. Allies can help with resource commitment, because they can allocate staff time, endorse priorities, and reinforce the narrative that the work matters. The relationship-building is not about politics for its own sake; it is about aligning incentives so security improvements do not feel imposed. When stakeholders understand the value and the tradeoffs, they can advocate for the initiative in rooms you are not in. That is how support scales beyond a single presentation. Building allies turns security work into a shared program rather than a siloed request.
For a mini-review, state your ask in one sentence, because clarity is a powerful filter for whether your proposal is ready. The one sentence should include what you want, what it will accomplish, and what it requires, without drifting into technical jargon. A strong ask is concrete enough that a leader could repeat it accurately after the meeting. It should not include ten conditions or three separate initiatives, because that indicates you have not prioritized. If you cannot state the ask clearly, you likely have scope ambiguity or misaligned stakeholders, and that will show up during execution. This one-sentence discipline also makes tradeoffs easier, because you can test whether a feature request or requirement change still serves the core ask. It helps in executive conversations because time is limited and attention is scarce. A clear ask is respectful and persuasive because it signals that you know what you want and why. It also sets the stage for options, because you can present variants of the same ask at different levels of investment. Clarity is not a stylistic preference; it is a project control.
To conclude, draft a three-option proposal for one initiative, because this structure forces you to articulate value, cost, tradeoffs, and evidence in a way that leaders can act on. Each option should describe the outcome, the timeline, the cost in money and staff time, and the operational disruption expected. Each option should also describe what risks it reduces and what risks remain, so leadership understands the residual exposure. Include the do-nothing baseline as a comparison point, not as a scare tactic, but as a realistic continuation of current conditions. Define how you will measure progress, such as reduction in specific exposures, increased control coverage, or improved response metrics. Present the options as a path, where smaller options can be stepping stones to larger improvements rather than dead ends. This approach shows strategic thinking because it acknowledges constraints while still pushing toward better security posture. It also creates a collaborative decision moment, because leadership can choose an option and feel ownership of the tradeoff. When you consistently present initiatives this way, you build durable business support because you make security decisions clear, rational, and grounded in outcomes rather than fear.
