Why successful businesses are built on protection

Company leaders need to recognize the gravity of cyber risk, turn awareness into action, and put security front and center

The case for cybersecurity: Why successful businesses are built on protection

These are nervy times for many business leaders. Persistently high interest rates, geopolitical tensions, supply chain disruption and abrupt changes to trade policies have created a new climate of uncertainty. Against this backdrop, many could be forgiven for stalling investment and looking for areas in which to cut costs. There are several reasons why cybersecurity should not be among them.

As an IT or security leader, you will already know why. But does your CEO, or your board? Research reveals that only 29% of CISOs believe they have enough budget to achieve their security goals. Yet 41% of board members think budgets are appropriate. If such a gap exists in your organization, it’s time to make a stronger case for cybersecurity. And since October is Cybersecurity Awareness Month, there’s no better time to recognize the gravity of cyber risk, close perception gaps and put security front and center, and ultimately turn awareness into action.

SMBs are still putting out fires

Cybersecurity is certainly better understood and appreciated at senior levels than it used to be. But it’s still viewed as a cost center rather than a strategic necessity, especially by SMBs. According to the Global Technology Industry Association (GTIA), nearly half (46%) of small and medium enterprises describe cyber as an area only of “moderate importance.” A further 12% of SMB respondents admit they’re still in tactical/reactive mode. In other words, they’re constantly putting out fires, rather than spending time and money upfront to stop fires starting in the first place.

There are two ways to change this mindset. First, articulate more clearly how cybersecurity can help your board avoid potentially critical business risk. And second, make the case more forcefully for cyber as a business enabler.

Counting the cost of inadequate cybersecurity

The good news is that there’s no shortage of case studies you could use to convince the board of the potential cost of insufficient cybersecurity spend:

  • M&S predicts lost operating profit of £300 million from a recent ransomware attack that forced its e-commerce systems offline for several weeks.
  • UnitedHealth Group estimates the cost of a ransomware attack on Change Healthcare to be nearly $2.9 billion in 2024.
  • Background check specialist National Public Data was forced to file for bankruptcy following a 2024 breach which exposed nearly three billion records.

Another good resource is IBM’s Cost of a Data Breach report, which not only outlines the average cost of a breach ($4.4m), but also how much specific technology investments or cybersecurity strategies can shave off this amount. The bottom line is that the longer threat actors are allowed to remain inside your network, the more expensive it could end up being. So products like SIEM, SOAR and threat intelligence all rank high for potential cost savings. Even better, it also lists more strategic endeavors, like DevSecOps, the appointment of a CISO, and board-level oversight.

This kind of intelligence can hopefully start to shift the conversation away from reactive spend to the development of a more considered, security-by-design culture in your organization.

From cost center to business enabler

If the risk of financial and reputational damage isn’t enough to shift the perception of cybersecurity in your organization, maybe the compliance argument will help to get these conversations over the line.

The likes of NIS2 and DORA in the EU now demand cybersecurity be treated as an ongoing risk management program designed to enhance business resilience. Senior leadership is expected to directly define, approve, and oversee these programs, and undergo mandatory training so members understand the risks and make informed decisions. They are to be held personally liable for implementation.

However, not all SMBs will be covered by such progressive regulations. So how do you persuade executives who don’t believe their organization is big enough to be a breach victim that “good enough” security really isn’t good enough? Appeal to their business instincts. There’s a strong case for saying that an effective cybersecurity strategy could:

  • Help to protect IP and competitive differentiation. This will be particularly important in certain sectors like manufacturing, technology and media.
  • Enable expansion into new markets where rigorous regulations may apply, like the EU, or some US states (e.g., California’s CCPA data protection law).
  • Protect digital transformation. If your organization suffers a critical cyberattack, it might halt projects, divert resources, erode stakeholder trust and cause business priorities to shift.
  • Help to build customer loyalty and drive profits by bringing innovative products to market. All companies are to an extent software companies today. But if you release an insecure product, it might destroy reputation and customer loyalty.

The message and the messenger

So you have the right ideas, but the board still isn’t listening. What could be the problem? The disconnect can come from both sides. On the one hand, business leaders are often culturally predisposed to think of cyber as an “IT issue” divorced from the serious business of running an organization. On the other, CISOs can sometimes undermine their own cause by failing to speak the language of the business.

To overcome this challenge, consider:

  • Framing cybersecurity as a business risk: ditch the technical jargon and talk about the business impact of specific scenarios.
  • Using financial and business-aligned metrics rather than security-centric ones. The IBM study could be useful here, as might Total Economic Impact studies for the solutions you want to acquire.
  • Using real-world examples and cautionary tales (like the ones above) when trying to persuade the board to sanction specific investments.
  • Putting your organization’s security posture into context. In other words, use intelligence on what similar companies are investing in and why, and what they’ve achieved. This will help leaders to understand where you may be falling behind.
  • Reporting little and often to the board. They don’t want to be drowned in data, so keep presentations short and sweet to get their attention. But equally, the threat landscape moves so fast that regular updates are important.
  • Building personal relationships with board members and/or senior executives. It always helps to have an advocate at the top table.

The most resilient companies are those that shift from viewing cybersecurity as a cost of doing business to a driver of trust and long-term value. Ultimately, it’s far cheaper to build security by design into new business projects and product offerings than to retrofit it when something goes wrong. You already know this. It’s now your job to persuade the board.