For decades, cybersecurity has been trapped in a paradox. While boards and CEOs consistently rank it as a top business risk, the security budget is often treated as a burdensome cost center. This model is broken.
In an economy built on digital trust, a reactive, compliance-driven security posture is no longer just a financial drain—it's a strategic liability. The modern enterprise demands a new paradigm: cybersecurity as a core business driver, a competitive differentiator, and a direct enabler of revenue and growth.
This guide provides the strategic framework and actionable playbook for the Chief Information Security Officer (CISO) to lead this critical transformation. You will learn how to shift the conversation from technical jargon to the language of business value, change how protection is measured and funded, and ultimately reposition your security program as a powerful engine for revenue and growth.
Templates

Companion documents referenced throughout this guide:

Note - Security as a Growth Engine: A summarized version of this guide in a quick and convenient format.
Business Model Canvas Template: A one-page template for mapping your company's core business functions.
Crown Jewel Analysis Template: A multi-tabbed spreadsheet for documenting your CJA.
Crown Jewel Analysis - Financial Impact Job Aid: A detailed guide to calculating the financial impact of a crown jewel disruption.
Strategy Map Template: A spreadsheet for creating your Strategy Map.
Strategy Map Diagram Template: A document that uses the spreadsheet's values to visualize your Strategy Map.
Strategy Map Job Aid: A guide for facilitating a workshop to build your Strategy Map.
Before a CISO can change the conversation, they must earn the right to have it. That requires moving from a technology-centric viewpoint to a business-first mindset, using three business strategy tools: the Business Model Canvas, the Crown Jewel Analysis, and the Business Strategy Map.
The first step is to deconstruct how your company makes money. The Business Model Canvas is the ideal tool for CISOs to quickly understand and map the core mechanics of their business.
Templates: To support your efforts, we've created companion documents. (See: Templates)
What It Is: The Business Model Canvas is a one-page strategic management template for developing new business models or documenting existing ones. It visualizes the nine essential building blocks of a business, including customer segments, value propositions, revenue streams, and key activities. For a helpful video explanation, watch: The Business Model Canvas Explained.
Why It's Valuable: For a CISO, the canvas provides a "Rosetta Stone" for translating security controls into business terms. It allows you to pinpoint exactly where security initiatives can protect or enable the company's most critical value-creating activities. Instead of talking about protecting servers, you can talk about ensuring the availability of the "Key Activity" that serves your most profitable "Customer Segment."
Reference: The Business Model Canvas Template
How to Use It:
Obtain the Canvas
Download the provided Template - Business Model Canvas and schedule a meeting with your business partners.
Map the Business
Work with your partners to fill out the nine blocks of the canvas, focusing on how the company creates, delivers, and captures value.
Overlay Security
Using a Threat Model perspective, for each block, ask:
“What would fail if this block or item was attacked?”
"Which security services are essential for this to function?"
For example: the Customer Relationships block depends on a secure CRM, and the Revenue Streams block depends on a secure billing platform.
Tip: The results of the Business Model Canvas can be mapped to the Cybersecurity Framework of your choice. This exercise creates a direct line of sight from your security program to the company's P&L.
Not all assets are created equal. A Crown Jewel Analysis is a foundational exercise to identify the most critical data, systems, and processes that, if compromised, would cause catastrophic harm to the business.
Templates: To support your efforts, we've created companion documents. (See: Templates)
What It Is: A Crown Jewel Analysis (CJA) is a collaborative, business-first process for identifying and prioritizing an organization's most critical assets. It is immediately followed by a Business Impact Analysis (BIA), which uses a NIST-aligned framework to quantify the financial, operational, and reputational impact of a disruption to those assets.
Why It's Valuable: The CJA is the definitive tool for focusing limited security resources on what matters most. It moves the conversation from protecting a vast inventory of IT assets to defending the specific business functions that generate revenue and create value. The final, prioritized list becomes a defensible, data-driven foundation for all subsequent security investments and risk decisions.
Reference: Crown Jewel Analysis Template
How to Use It:
Facilitate the Workshop
Begin with a collaborative workshop with business leaders, using the strategic questions in the Crown Jewel Analysis Job Aid to brainstorm a list of potential crown jewels.
Document and Analyze
For each potential crown jewel, use the Crown Jewel Analysis Template spreadsheet to document its business owner, function, and the data it contains.
Quantify the Impact
For each confirmed crown jewel, assess the business impact of its failure. You can use the Crown Jewel Analysis - Financial Impact Job Aid to assist this process.
Optional
While the primary objective of a CJA is to identify the Crown Jewels themselves, the Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Security Controls columns can also be populated if desired. For any risk beyond tolerance, record a mitigating control that reduces it.
Once you know what's important, you need to tell the story of how you protect it. A Strategy Map is a powerful, one-page visual that shows how your security program directly enables the company's strategic objectives.
Templates: To support your efforts, we've created companion documents. (See: Templates)
What It Is: A Strategy Map, first introduced in the Harvard Business Review article, "Having Trouble with Your Strategy? Then Map It," is a diagram that illustrates the cause-and-effect relationships between strategic objectives. It is organized into four perspectives—Financial, Customer, Internal/Operational, and Learning & Growth—and shows how foundational capabilities enable top-level business goals.
Why It's Valuable: For a CISO, this is the ultimate communication tool for the boardroom. It moves the security conversation away from isolated technical projects and places it directly into the context of the business's value-creation narrative. It allows you to tell a clear, logical story that connects an investment in a security capability directly to a top-level company mission.
Reference: Strategy Map Diagram Template
How to Use It:
Follow the Job Aid
Use the Strategy Map Job Aid as a step-by-step guide for facilitating a workshop with executive stakeholders.
Populate the Template
Fill out the Strategy Map Template spreadsheet with the objectives identified in your workshop.
Visualize the Narrative
Use the Strategy Map Diagram Template to create a compelling, one-page visual of your strategy for board presentations.
Tell the Story
Read the map from the bottom up to tell a powerful narrative, such as:
"Our investment in Cloud Security (Security Capability) fosters a culture of resilience (Organizational Capability), which enables platform availability (Internal Process), which allows us to be the benchmark for reliability (Customer Objective), which minimizes revenue loss (Financial Goal)."
To change the conversation, you must first change the language. The solution, advocated by industry analysts at Gartner and detailed in publications like Cybersecurity Compass, is to adopt Outcome-Driven Metrics (ODMs).
ODMs are direct measurements of an organization's actual protection level, shifting the focus from tracking security activity to measuring security effectiveness. They provide a clear, quantifiable link between security investments and the value the business receives. When an ODM improves, the organization is measurably safer, allowing leaders to have meaningful, data-driven conversations about risk and resilience.
SaaS Security Posture Score
Measurement: This metric uses a SaaS Security Posture Management (SSPM) tool to calculate a configuration risk score for each Crown Jewel SaaS application based on alignment with a security baseline (e.g., CIS Benchmarks).
Answer: "Are our most critical cloud applications configured securely to prevent unauthorized access and data leakage, which are our direct responsibilities?"

Critical Vulnerability Mean Time to Remediate (MTTR)
Measurement: MTTR tracks the average time it takes for your teams to patch or otherwise remediate a vulnerability on systems you control once it has been identified and classified as "critical."
Answer: "How quickly are we closing our most dangerous security gaps, reducing the window of opportunity for attackers?"

MFA Coverage
Measurement: This calculates the percentage of critical, internet-facing applications and administrator accounts that are protected by MFA.
Answer: "How resilient are our most important assets against the most common type of attack—stolen credentials?"

EDR Coverage
Measurement: This metric shows the percentage of all managed endpoint devices (laptops, servers, etc.) that have a fully updated and operational Endpoint Detection and Response (EDR) agent installed.
Answer: "How much visibility do we have into our device fleet, and are our first lines of defense against malware and ransomware actually working?"
Be Business-Focused: Frame each ODM to answer a direct business question, not a technical one.
Measure Outcomes, Not Activity: Focus on results (e.g., risk reduction) rather than effort (e.g., number of emails blocked).
Use Standardized Metrics: Whenever possible, use established metrics to allow for peer comparison and to demonstrate a standard of due care.
Keep it Simple: Limit your top-level board reporting to a handful of the most impactful ODMs to maintain focus and clarity.
Identify Crown Jewels: First, work with the business to identify the most critical assets, data, and processes.
Select Relevant ODMs: Choose a small set of ODMs that best represent the protection status of those crown jewels.
Establish a Baseline: Measure your current performance for each selected ODM to establish a starting point.
Establish Targets: Define clear, achievable targets for improving each ODM over a specific timeframe.
Example: Improve MFA Coverage from 80% to 95% in six months
Report and Iterate: Regularly report progress to business stakeholders, using the ODMs as the centerpiece of your value discussions.
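The following Python is an added example, not part of the original guide, showing how three of the ODMs above (MFA Coverage, EDR Coverage and Critical Vulnerability MTTR) can be computed from an asset inventory and then baselined against the targets set in step 4. Every application, account, endpoint, vulnerability record and target value is constructed for illustration; in practice the records would come from your identity provider, EDR console and vulnerability management system. Note the two scoping decisions that change the number: an installed but non-reporting EDR agent counts as uncovered, and a still-open critical finding is excluded from MTTR but surfaced separately so the average cannot hide it.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


# Constructed inventory records; names, dates and flags are made up for illustration.
@dataclass(frozen=True)
class Application:
    name: str
    crown_jewel: bool
    internet_facing: bool
    mfa_enforced: bool


@dataclass(frozen=True)
class AdminAccount:
    name: str
    mfa_enforced: bool


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    edr_installed: bool
    edr_healthy: bool  # agent is current and checking in


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    severity: str
    classified_on: date            # date it was triaged and given its severity
    remediated_on: Optional[date]  # None while still open


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; an empty scope reports 0.0 rather than crashing."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def mfa_coverage(apps, admins) -> float:
    """ODM: share of crown-jewel, internet-facing apps plus admin accounts behind MFA.
    Internal-only or non-crown-jewel apps are out of scope; every admin account is in scope."""
    in_scope = [a.mfa_enforced for a in apps if a.crown_jewel and a.internet_facing]
    in_scope += [acct.mfa_enforced for acct in admins]
    return pct(sum(in_scope), len(in_scope))


def edr_coverage(endpoints) -> float:
    """ODM: share of managed endpoints with an installed AND healthy EDR agent."""
    covered = sum(1 for e in endpoints if e.edr_installed and e.edr_healthy)
    return pct(covered, len(endpoints))


def critical_mttr_days(vulns) -> float:
    """ODM: mean days from 'critical' classification to remediation, closed findings only."""
    durations = [(v.remediated_on - v.classified_on).days
                 for v in vulns if v.severity == "critical" and v.remediated_on]
    return round(mean(durations), 1) if durations else 0.0


def open_critical_over_sla(vulns, as_of: date, sla_days: int) -> list:
    """Still-open criticals older than the SLA: exposure that MTTR alone does not show."""
    return sorted(v.asset for v in vulns
                  if v.severity == "critical" and v.remediated_on is None
                  and (as_of - v.classified_on).days > sla_days)


def odm_report(apps, admins, endpoints, vulns, targets: dict) -> dict:
    """Baseline each ODM against its target, comparing in the direction that means 'safer'."""
    current = {
        "MFA Coverage %": mfa_coverage(apps, admins),
        "EDR Coverage %": edr_coverage(endpoints),
        "Critical MTTR days": critical_mttr_days(vulns),
    }
    report = {}
    for name, value in current.items():
        lower_is_better = name.endswith("days")
        met = value <= targets[name] if lower_is_better else value >= targets[name]
        report[name] = {"current": value, "target": targets[name], "met": met}
    return report


# Constructed sample data.
APPS = [
    Application("billing-portal", True, True, True),
    Application("crm", True, True, True),
    Application("payments-api", True, True, False),
    Application("hr-intranet", False, True, False),     # not a crown jewel: out of scope
    Application("data-warehouse", True, False, False),  # not internet-facing: out of scope
]
ADMINS = [AdminAccount("alice-admin", True), AdminAccount("bob-admin", True),
          AdminAccount("break-glass", False)]
ENDPOINTS = [
    Endpoint("lt-001", True, True), Endpoint("lt-002", True, True), Endpoint("srv-01", True, True),
    Endpoint("srv-02", True, False),  # agent installed but silent: not covered
    Endpoint("lt-003", False, False),
]
VULNS = [
    Vulnerability("billing-portal", "critical", date(2025, 1, 10), date(2025, 1, 20)),  # 10 days
    Vulnerability("crm", "critical", date(2025, 1, 15), date(2025, 2, 4)),              # 20 days
    Vulnerability("payments-api", "critical", date(2025, 2, 1), date(2025, 2, 16)),     # 15 days
    Vulnerability("hr-intranet", "high", date(2025, 1, 5), date(2025, 2, 20)),          # not critical
    Vulnerability("data-warehouse", "critical", date(2025, 2, 1), None),                # still open
]
TARGETS = {"MFA Coverage %": 95.0, "EDR Coverage %": 98.0, "Critical MTTR days": 15.0}
AS_OF = date(2025, 3, 1)

if __name__ == "__main__":
    for name, row in odm_report(APPS, ADMINS, ENDPOINTS, VULNS, TARGETS).items():
        print(f"{name:20} current={row['current']:>6} target={row['target']:>6} met={row['met']}")
    print("open criticals past 15-day SLA:", open_critical_over_sla(VULNS, AS_OF, 15))
```

With the constructed data, MFA Coverage is 66.7% (4 of 6 in-scope identities), EDR Coverage is 60.0% (the silent agent does not count), and Critical MTTR is 15.0 days while one critical finding remains open past the SLA. Report the baseline and the target side by side, as step 4 describes, rather than the raw counts.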
For a fuller inventory of candidate ODMs, the most accessible and reputable public source is the CISA Cybersecurity Performance Goals (CPGs). CISA's CPGs are the best resource for a full inventory because they are:
Authoritative: Developed by the U.S. Cybersecurity and Infrastructure Security Agency, this is not a vendor's opinion but a national-level recommendation of impactful security outcomes.
Structured: Every goal is inherently an outcome, which directly aligns with the ODM philosophy.
Example: MFA is implemented on all internet-facing services
Comprehensive: The list is extensive, covering everything from Account Security and Device Security to Data Security and Vulnerability Management.
Public and Free: Unlike analyst frameworks that often sit behind a paywall, the CISA CPGs are completely free and accessible to everyone.
A Protection Level Agreement (PLA)—a concept pioneered by Gartner—is a formal agreement between the cybersecurity function and the business that translates an ODM into a strategic, costed decision. A PLA presents business leaders with a menu of options, where each option offers a specific level of protection (measured by an ODM) for a defined cost. This transforms the CISO from a budget defender into a strategic advisor, and it turns abstract risk-appetite questions into concrete, shared, transparent and defensible business choices.
ODMs = the "What"
PLAs = the "How much"
Imagine this conversation with the head of a business unit:
"We have two options for patching our critical systems.
Option A: A 30-day patching cadence for an annual cost of $1 million
Option B: A more aggressive 15-day cadence for $2 million, which brings us inside our peer benchmark of 19 days.
The choice: How many days would you like our critical systems to be available for hacking?”
Here is another example, inspired by a scenario from Gartner research, presented to the Board of Directors:
"Today, 20% of our crown jewel systems have fully tested, immutable backups and a documented recovery plan, allowing for a 4-hour Recovery Time Objective (RTO). We can maintain this for our existing operational cost.
For an additional investment of $750,000, we can increase this coverage to 80% of our crown jewels.
The choice: What percentage of our critical business functions are we willing to recover quickly versus the percentage we are willing to lose for an extended period?"
Picture a discussion with the Head of Procurement:
"We've identified our new payment processor as a crown jewel vendor. We have two options for managing their risk.
Option A: Our standard process, a static annual risk review consisting of a security questionnaire and a contract review, which costs very little.
Option B: We enroll them in a continuous monitoring service for $50,000 per year, which will alert us to emerging security issues derived from the dark web and other publicly available sources in near real-time.
The choice: How quickly do we need to know if one of our most critical partners becomes vulnerable?"
In every case, the CISO is now a strategic advisor, not a supplicant. The business leader is an informed, empowered partner. If they choose the less expensive option and a corresponding incident occurs, it isn't a security failure; it's the materialization of a business risk that was explicitly understood, accepted, and funded by the business itself.
Present Clear Choices: Seek to offer at least two distinct options with clear cost and outcome differences.
Include Benchmarks: Provide industry or peer benchmarks where available to help business leaders contextualize their decision.
Frame as a Business Decision: Use provocative, business-focused questions to make the consequences of the decision tangible.
Document Everything: Formally document the chosen PLA level and the business owner's sign-off to ensure shared accountability.
Select an ODM: Choose a single, impactful ODM to build a PLA around.
Example: Ransomware Recovery Coverage
Model the Scenarios: Work with finance and security teams to model the costs (personnel, technology) required to achieve different performance levels for that ODM.
Define the Options: Create a simple, clear presentation that outlines the options, costs, and associated ODM targets.
Engage the Business Owner: Schedule a meeting with the relevant business leader to present the PLA options and facilitate a decision.
Formalize and Govern: Once a decision is made, formalize it in a document and incorporate the target ODM into your regular performance reporting.
Once you can measure and communicate the value of protection, you can leverage it to drive top-line growth. A mature, economic-aligned security program is a powerful competitive asset. The conversation is no longer just about preventing loss, but about creating tangible value. This isn't just a theoretical shift.
According to the EY Global Cybersecurity Leadership Insights Study, cybersecurity contributes between 11% and 20% of value—a median of $36 million—to each enterprise-wide strategic initiative it is involved in. This data indicates that a proactive security posture is a direct contributor to the bottom line.
Here are a few strategic examples:
In an era of constant breaches, customer trust has become a tangible and valuable asset. A strong, transparent security posture is a direct contributor to brand equity and customer loyalty.
Strategy: Proactive Growth
KPI: NPS, VES
Example: According to one PwC survey, 87% of consumers state they would not do business with a company if they had concerns about its security practices.
In B2B sales, security reviews are often a major hurdle. By creating a public-facing Trust Center with compliance certifications (like SOC 2 and ISO 27001), penetration test summaries, and other security documentation, companies can empower prospects to self-serve.
Strategy: Trust Center
KPI: ATC
Example: The transparency and accessibility of a Trust Center is commonly reported to cut the time spent on security questionnaires by 60-80%.
Strategic compliance is one of the clearest examples of cybersecurity as a business enabler. Certifications like FedRAMP, HITRUST, or CMMC are not costs; they are the price of admission to lucrative, high-barrier markets. Proactively achieving these certifications allows the business to enter new verticals and win contracts that would otherwise be inaccessible.
Strategy: Certification
KPI: TAM, SOM, Win Rate, Renewals
Example: The primary motivation for acquiring CMMC certification is to gain eligibility for government contracts. Without certification, companies risk losing access to lucrative DoD projects.
The most advanced form of value creation is to embed security into the core value proposition of the product itself. A Security-by-Design approach, where principles like least privilege and encryption-by-default are built in from the outset, creates a fundamentally more resilient and trustworthy product. This resilience translates into a competitive moat.
Strategy: Security-by-Design
KPI: Margin, Win Rate, Renewals, NPS, SAM
Example: Apple's 2024 deployment of post-quantum cryptography for iMessage established a new benchmark for consumer privacy that pressures competitors to follow suit.
The CISO's role in revenue doesn't end when a deal is closed. Implementing a program of executive security briefings with key customers builds high-level relationships and reinforces the value of your security program. Critically, these reviews also serve as discovery sessions to identify gaps in the customer's current security implementation (e.g., low adoption of SSO), which can be translated into upsell and expansion revenue opportunities.
A mature security program creates tangible financial benefits by protecting the balance sheet and optimizing operational costs.
While it is impossible to prove a negative, it is possible to model the financial impact of a breach that was prevented. Using credible industry data, such as the IBM Cost of a Data Breach Report, a CISO can build realistic Loss Event Scenarios and demonstrate the avoided cost that results from specific security controls.
Strategy: Breach Cost Avoidance Modeling
Tool: CRQ (Cyber Risk Quantification)
Example: Running a Risk Scenario with CRQ to model loss mitigation via control maturity.
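The following Python is an added example, not part of the original guide or of any CRQ product, showing the mechanics behind a Loss Event Scenario comparison: a compound Poisson/lognormal Monte Carlo model (the usual structure in quantitative cyber risk work) run once for the current control state and once for an improved one, with the difference in annualized loss expectancy (ALE) set against the annual cost of the controls. All frequencies, loss sizes, control costs and scenario names are constructed placeholders; in practice the parameters would be calibrated from sources such as the IBM Cost of a Data Breach Report and your own incident history. The closed-form ALE is included as a sanity check on the simulation, and the 95th percentile is reported because the board's question is usually about the bad year, not the average one.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class LossScenario:
    """One loss-event scenario: how often it happens and how big it is when it does."""
    name: str
    events_per_year: float  # expected event frequency (Poisson mean)
    median_loss: float      # median single-event loss in dollars (lognormal)
    sigma: float            # lognormal shape; ~1.0 gives a heavy but plausible tail


@dataclass(frozen=True)
class LossSummary:
    ale: float              # annualized loss expectancy: mean simulated annual loss
    p95: float              # the 1-in-20 bad year
    zero_loss_years: float  # fraction of simulated years with no event at all


def poisson(rng: random.Random, lam: float) -> int:
    """Poisson draw by Knuth's method; the standard library has no Poisson sampler."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate(scn: LossScenario, years: int = 20000, seed: int = 7) -> LossSummary:
    """Simulate many years; each year draws an event count, then a loss per event."""
    mu = math.log(scn.median_loss)
    rng = random.Random(seed)  # fixed seed so results are reproducible in a report
    annual = []
    for _ in range(years):
        n = poisson(rng, scn.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, scn.sigma) for _ in range(n)))
    p95 = quantiles(annual, n=20)[18]  # 19th of 19 cut points = 95th percentile
    return LossSummary(mean(annual), p95, annual.count(0.0) / years)


def analytic_ale(scn: LossScenario) -> float:
    """Closed form for a sanity check: E[count] * E[loss] = lambda * median * exp(sigma^2 / 2)."""
    return scn.events_per_year * scn.median_loss * math.exp(scn.sigma ** 2 / 2)


def compare(before: LossScenario, after: LossScenario, control_cost: float,
            years: int = 20000) -> dict:
    """Avoided ALE from moving 'before' to 'after', net of what the controls cost per year."""
    b, a = simulate(before, years), simulate(after, years)
    avoided = b.ale - a.ale
    return {
        "ale_before": b.ale, "ale_after": a.ale,
        "p95_before": b.p95, "p95_after": a.p95,
        "avoided_ale": avoided,
        "net_benefit": avoided - control_cost,
        "rosi": (avoided - control_cost) / control_cost,  # return on security investment
    }


# Constructed scenarios: a ransomware loss event before and after a control uplift.
BASELINE = LossScenario("ransomware, current controls", events_per_year=0.5,
                        median_loss=2_000_000, sigma=1.0)
WITH_CONTROLS = LossScenario("ransomware, MFA + immutable backups", events_per_year=0.2,
                             median_loss=800_000, sigma=1.0)
CONTROL_COST = 750_000  # constructed annual cost of the uplift

if __name__ == "__main__":
    for key, value in compare(BASELINE, WITH_CONTROLS, CONTROL_COST).items():
        print(f"{key:12} {value:>14,.2f}" if key != "rosi" else f"{key:12} {value:>14.2f}")
```

Under these made-up parameters the uplift avoids roughly $1.4 million of ALE per year against $750,000 of cost, but the more useful output for a PLA conversation is the pair of 95th percentiles, which shows how much the bad year shrinks. Treat the frequency and severity inputs as the real work; the simulation only makes their consequences explicit.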
The relationship between an organization's security posture and its cyber insurance premiums is increasingly direct. Underwriters now require evidence of security controls. By documenting how improvements such as implementing a zero-trust architecture lead to reduced premiums and deductibles, the CISO can show a quantifiable payback on security spending.
Strategy: Cyber Insurance Premium Optimization
Tool: CSF (Cybersecurity Framework), CRQ
Example: Using the control measurements held in your CSF or CRQ platform to evidence control maturity to underwriters for an insurance premium reduction.
After establishing how security creates value, the final step is to measure its impact in the language the C-suite and board understand best: Key Performance Indicators (KPIs). These metrics are distinct from ODMs. While ODMs measure protection levels, these Economic-aligned KPIs measure the business impact of that protection.
Economic-aligned KPIs translate the success of a security program into metrics that reflect efficiency, revenue, and cost optimization. They are not security metrics; they are business metrics that are heavily influenced by the security program's performance.
ODMs = measure Protection Levels
KPIs = measure the Business Impact
Definition: LTV is an estimate of the total net profit a business can expect to earn from a single customer over the entire duration of their relationship.
Connection: A strong security and privacy posture acts as a direct driver of customer trust, which is a leading indicator of loyalty. As research from firms like PwC consistently shows, trust increases loyalty, which in turn increases LTV.
Increased Trust = Increased Loyalty = Increased LTV
Definition: NPS is a widely used metric that measures customer loyalty and satisfaction by asking a single question: "On a scale of 0-10, how likely are you to recommend our company/product to a friend or colleague?".
Connection: Trust is the foundation of customer loyalty, and security is the foundation of digital trust. A major security incident can instantly turn "Promoters" into "Detractors," devastating an organization's NPS. Conversely, a strong and transparent security posture, like that demonstrated through a Trust Center, or properly managing a crisis, builds and reinforces the confidence that creates loyal promoters. A higher NPS directly correlates with reduced churn and increased expansion revenue.
Increased Trust = Increased NPS
Definition: Churn is the rate at which customers stop doing business with a company over a given period.
Connection: Data breaches are major drivers of customer churn. The IBM Cost of a Data Breach Report highlights "lost business" as a consequence of data breaches. An effective security program directly reduces churn by preventing the incidents that cause customers to lose faith.
Resiliency = Churn Reduction
Definition: CAC is the total cost of sales and marketing efforts required to acquire a new customer.
Connection: Security can directly lower CAC by reducing friction in the sales process. A Trust Center with up-to-date compliance documentation dramatically shortens the time sales and security teams spend on questionnaires, which directly lowers the cost of acquiring a new customer.
Reduced Repeat Questions = Reduced CAC
Definition: MRR is a critical KPI for subscription-based businesses, representing the predictable and recurring revenue a company can expect to receive each month. It is the lifeblood of a SaaS company's cash flow and growth projections.
Connection: The stability of MRR is directly tied to the security and availability of the service. Security-related downtime can lead to SLA penalties, service credits, and contract terminations that directly reduce MRR. Furthermore, a security breach that erodes customer trust is a primary driver of Customer Churn, the number one killer of MRR. By preventing incidents and ensuring service uptime, the security program acts as a direct protector of the company's core revenue stream.
Reduced Incidents = Reduced Churn = Protected MRR
Definition: Margin is the difference between revenue and costs.
Connection: Security protects and improves margins. It prevents the massive, unbudgeted costs of a data breach which can destroy profit margins. Furthermore, investing in security automation ("DevSecOps") can reduce the manual labor required to secure new products, improving the company's Gross Margin.
Security Automation = Reduced Labor = Protected Margin
These measurements connect to the core economic engine of the company. Developing and tracking these requires a close partnership with leaders in Sales, Finance, and Product.
Sales Cycle Time for Security Reviews
Measures the median number of days from when a sales prospect initiates a security review to when it is successfully completed. A lower number indicates less friction in the sales process.
Security's Impact on Win Rate
Tracks the win rate for deals where security is a significant evaluation criterion. An increasing rate shows that security is becoming a competitive advantage.
Revenue at Risk from Security Blockers
The total dollar value of deals that are at risk or have been lost due to the company's inability to meet a prospect's security requirements.
Revenue from Security-Enabled Markets
Tracks new revenue that is directly attributable to achieving a specific compliance certification (e.g., FedRAMP, HITRUST) that was required for market entry.
Attach Rate of Premium Security Features
Measures the percentage of new deals that include an add-on or higher-tier product bundle focused on advanced security features.
Customer Churn Attributed to Security
Tracks the percentage of customers who churn and cite security concerns (either with your product or a competitor's strength) as a primary reason.
Cyber Insurance Premium Reduction
The annual cost savings on insurance premiums that can be directly attributed to improved and documented security controls.
Cloud Security Cost Avoidance
The financial savings realized by preventing costly cloud service misconfigurations that lead to unnecessary spending.
Security Operations Efficiency
The reduction in manual effort (e.g., support tickets, alert triage hours) resulting from investments in security automation and improved controls.
Partner with Stakeholders: These KPIs cannot be developed in a vacuum. The CISO must partner with Sales (for deal velocity), Finance (for revenue/cost), and Product (for attach rates) to ensure the metrics are accurate and credible.
Tell a Story with Data: KPIs should be presented with context, not just as numbers. For example, "This quarter, we reduced security review time by 40%, which helped Sales close two major deals ahead of forecast."
Link KPIs back to ODMs: Show the cause-and-effect relationship. For instance, "Because we improved our 'SaaS Security Posture Score' (ODM), we were able to achieve a 15% reduction in our 'Cyber Insurance Premium' (KPI)."
Focus on Trends Over Time: A single data point is a snapshot; a trend tells a story. Show how these KPIs are improving quarter over quarter.
Identify Key Business Initiatives: Start by asking, "What are the top 3 priorities for the CEO, CFO, and CRO this year?"
Select Aligned KPIs: Choose 2-3 KPIs that directly measure security's contribution to those top-tier business priorities.
Partner to Instrument and Baseline: Work with the relevant department (e.g., Sales Ops, Finance) to access the necessary data from their systems of record (e.g., Salesforce, ERP) and establish a baseline measurement.
Integrate into Executive Reporting: Add the new KPIs to your quarterly business reviews and board presentations, ensuring they are presented as business metrics that the security program influences.
Set Joint Targets: Work with your executive peers to set shared targets for improvement (e.g., "The CISO and CRO will work together to reduce security review time by 25% this year").
The metrics and agreements discussed in this guide form a complete, cascading framework. Each level of measurement serves a different audience and purpose, allowing the CISO to translate highly technical security outcomes into the language of enterprise value.
ODM: Outcome-Driven Metrics
A direct measure of a security protection level.
Answers: "How well are we protected?"
PLA: Protection Level Agreements
A business contract that ties a specific ODM to a specific cost.
Answers: "What level of protection are we willing to pay for?"
KPI: Economic-aligned Key Performance Indicators
A measure of the security program's impact on business efficiency, cost, and revenue.
Answers: "How is our security program impacting business operations?"
Units: Core Business Economic Units
The company's fundamental financial health metrics.
Answers: "How does our security posture influence the fundamental economic drivers of the company (LTV, Churn, CAC, Margin)?"
This section provides additional compelling data and real-world examples to reinforce the strategic concepts presented, highlighting the tangible benefits of an economic-aligned cybersecurity approach.
A 2024 Deloitte survey found that organizations with high cyber maturity are 2.4 times more likely than their low-maturity peers to expect positive business outcomes from their cybersecurity programs, including boosting revenue and ensuring organizational resiliency.
Microsoft's 2023 Digital Defense Report highlighted that organizations are increasingly making purchasing decisions based on the security posture of their vendors, citing a case where a client selected their cloud services over a competitor due to superior, transparent security.
In 2020, Zoom faced a significant crisis of trust due to security and privacy concerns. Their response was a public, 90-day security plan that was critical to rebuilding customer trust and enabling their continued explosive growth, turning a potential crisis into a long-term business advantage.
This framework of ODMs and PLAs is more than just a reporting tool; it's a new governance model. It creates a system of shared accountability where business leaders are intrinsically motivated to partner with security because their performance is visibly tied to the resilience of the assets they own. The CISO who masters this approach transcends the role of a technical manager and becomes an indispensable business strategist. They can map security controls directly to the company's Business Model Canvas, ensuring that every dollar spent on security is focused on preserving the specific mechanisms that generate revenue. They can confidently stand before the board, not to defend a budget, but to facilitate a strategic discussion about risk, investment, and value.
The challenge for today's security leader is not simply to acquire a bigger budget, but to change the conversation entirely. By abandoning the arcane language of technical activity and adopting the business language of outcomes, risk, and value, you can reframe your entire function.
The tools are here: Outcome-Driven Metrics to measure what truly matters and Protection Level Agreements to forge a true partnership with the business. By using them, you can secure your position not as the company's biggest cost, but as one of its most critical competitive assets.
Last Updated: September 30, 2025