Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Business > IT security is not a cost, but a business investment

IT security is not a cost, but a business investment

Published by Gbaf News

Posted on December 5, 2019

4 min read

Last updated: January 21, 2026

Business meeting discussing IT security investments in finance - Global Banking & Finance Review — This image depicts a business meeting focused on discussing the importance of IT security as a vital investment rather than a cost, reflecting insights from the article on cybersecurity in finance.

By Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic

Justifying investments in new or additional cyber security initiatives to the board, can be a particular challenge for IT security professionals. Part of the problem is that the C-suite typically views IT security as a cost centre rather than an asset that can add value to business processes. Unfortunately, this means that when the time comes to review budgets, IT security is one of the first departments to be at the sharp end. But times are changing. Data breaches, like those at BA and Marriott International, both of which resulted in multi-million-pound fines, have ushered in a new era where investment into data security has direct repercussions for the boardroom, and the bottom line of the business.

To ensure IT security is given the necessary funding to protect the business, CISOs must work closely with CFOs to set smart business metrics that clearly demonstrate securities strategic value.

The strategic imperative

Joseph Carson

Joseph Carson

Thycotic research shows that CISOs struggle to secure enough funding and support from their boards to achieve their cyber security goals. According to the Cyber Security Team’s Guide to Success, one third (34 percent) say that they don’t get enough funding to implement additional security solutions. This could be down to the fact that a quarter (26 percent) report that their boards are not prioritising IT security as strategically important.

In such cases, it is not surprising that when reviewing budgets, IT security comes to the top of the list. Why would you want to prioritise investment in something if you don’t view it as of strategic importance? However, this would be a mistake. The perception of IT security purely as a cost centre will ultimately lead decision makers to think about how corners could be cut, and costs could be reduced. Following such an approach opens businesses up to security risks that could cost them significantly more in the long run. For instance, if a firm falls foul of the GDPR, it could end up having to pay a fine of up to the greater of four percent of its global turnover or €20 million.

Think people and business first

Clearly, CFOs aren’t cyber security experts, nor should they be expected to understand the minutiae of security initiatives. However, there needs to be better communication between the CFO and CISO in order to clearly demonstrate the business value of IT security and to make the necessary budgetary commitments. To this end CISOs need to be encouraged to take a “people & business first” approach, where they consider how any security initiatives can help their firm and its employees to more effectively accomplish tasks and goals. By thinking about non-security focused objectives, CISOs will automatically start thinking about issues in a business-centric way that will make their work easier for others outside the IT security team to understand and relate to.

This starts with talking about the right metrics. CISOs need to use metrics that clearly demonstrate to the board the business impact that they have made. This means re-thinking quantitative metrics that have little or no context or which are weighed down in jargon-filled parlance. For instance, reporting that so many thousands of vulnerabilities have been patched to show how busy the IT security team has been might seem impressive, but what does that actually mean for the business? CISOs need to paint a picture about how their activity is not only protecting the business, but also helping it to operate more effectively. Metrics that CISOs should use are those that show how security is protecting revenue, saving employees time or improving productivity. This is highlighted in the Thycotic research where 44 percent of respondents said that using data to demonstrate the wider business impact makes the biggest difference in how a security budget is allocated. It was also said to be the most important factor.

However, to be able to do this CISOs need to talk to their CFOs to find out exactly what the board needs in terms of efficiency savings, business goals and so on. They also need to have a conversation about any other areas of the business that could become more efficient with improved cyber defences, as well as finding the evidence for how much money has been saved thanks to IT security initiatives.

“It is time for security teams to spend more time listening to employees and their business goals” – Joseph Carson