Lesson 3.1

3.1: Why Security Feels Like a Cost Center

8 minutes

Walk into any CFO’s office with a security deck and watch what happens. Eyes track to the bottom of each slide, looking for the dollar figure. When they find it, they ask one of two questions: “why this much?” or “can we do it for less?” Neither question is hostile. They’re just the questions you ask a cost center.

You didn’t get filed as a cost center because the work is overhead. You got filed that way because the reporting is.

The defensive-reporting problem

Most security status updates read like a defensive after-action review. “We blocked 2.3 million phishing emails this quarter.” “We patched 847 CVEs, including 31 criticals.” “Our mean time to respond to alerts dropped from 22 minutes to 14.” These are activity metrics dressed as outcomes. They answer the question “what did you do?” and pointedly fail to answer “what did that buy the business?”

A CFO has no way to value a blocked phishing email. The implicit model is “some of those would have become breaches, and breaches cost money, so blocking is good.” That’s a chain of three assumptions, none of which are in the report. The CFO can’t audit it, can’t benchmark it, and can’t tie it to any number on any business plan. So it gets filed as “the security function is running.” Running ≠ creating value. Running = overhead.

The inversion

Security doesn’t just prevent loss. Security enables revenue.

  • SOC 2 Type II is a revenue gate. Few enterprise SaaS deals close without it, and many procurement teams will not even open one. Your auditor isn’t a compliance function; they’re a sales enabler.
  • MFA coverage is an insurance gate. Cyber-liability underwriters have been pricing MFA into premiums since 2021, and their questionnaires ask specifically about MFA on remote access, email and privileged accounts, so coverage has to be measured where the underwriter looks. If your fleet is 98% on FIDO2 and your competitor’s is 78% on TOTP, you are not paying the same premium. That delta is a real number on a real P&L.
  • Incident behavior is a retention gate. Customers don’t churn after an incident because you had an incident — they churn because you handled it badly. A well-run incident with clear communication retains customers that a poorly-run incident loses.
  • Patching cadence is a diligence gate. When you get acquired, your patch hygiene will show up in the technical and cyber due-diligence findings that sit alongside the quality-of-earnings report, and it will be priced.

None of these show up in “we blocked 2.3 million phishing emails.” All of them show up on revenue, premiums, retention, and valuation lines that a CFO reads daily.

The test

Here’s the test: pick any security investment you made this quarter. Now answer — without hedging — one of these three questions.

  1. What revenue did this enable or protect? (Name a deal, a renewal, a customer segment.)
  2. What insurance or regulatory cost did this change? (Name a premium, a penalty, a reserve.)
  3. What acquisition or diligence outcome did this improve? (Name a deal, a covenant, a multiple.)

If you can’t answer one of the three for a given investment, the investment may still be worth doing — but your reporting on it belongs in the operational weeds, not on a finance slide. And if you can’t answer one of the three for anything you did this quarter, you’re not reporting wrong on the edges. You’re reporting wrong at the frame.

Why this matters before Module 3 continues

The next three lessons walk through specific audiences, specific ask formats, and specific incident-reporting templates. None of them work if the underlying reframe isn’t in place. You don’t translate security into business language by adding a “business impact” slide at the end of the technical deck. You translate by inverting — starting from the business outcome and working back to the security work that enabled it.

That’s the sequence. That’s why the cost-center perception is a reporting problem, not a function problem. And that’s what Module 3 fixes.