How to Present Cybersecurity ROI to Your Board—Without Speaking IT

Bridging the gap between your CISO and your board, and why that’s now a CFO’s job.

Picture a scene that plays out regularly in healthcare boardrooms: the CISO presents a forty-slide deck filled with NIST framework tiers, threat actor taxonomies, and penetration testing methodology. Halfway through, the board chair, a seasoned hospital administrator with thirty years in healthcare operations, quietly sets down his pen.

He isn’t disengaged. He is lost. It’s one of the most common failure points in healthcare governance, and it’s happening in boardrooms across the industry.

The hard truth is that cybersecurity investment decisions now live at the intersection of clinical operations, regulatory compliance, and financial risk, which means they live squarely in our lane as CFOs. We can no longer hand this topic entirely to IT and hope the board connects the dots. We have to do the translation.

The translation problem

CISOs are trained to think in technical risk. They understand threat vectors, vulnerability windows, and attack surface reduction. These are real and meaningful concepts, but they are not the language of a healthcare board, which thinks in patient outcomes, regulatory exposure, operational continuity, and financial sustainability.

When your CISO says, “We need to invest in endpoint detection and response,” your board hears a line item. When you say, “Our current posture creates a 30-to-60-day operational shutdown risk in a ransomware scenario, at an estimated cost of $4–8 million in revenue disruption and recovery,” your board hears a decision.

The facts are the same. The framing is everything.

A framework I use: Before any board cybersecurity presentation, I ask our CISO to give me three things: (1) the top two or three risks we are currently exposed to, (2) what would happen operationally if each one materialized, and (3) what the proposed investment specifically mitigates. I translate those answers into financial and operational language before they ever reach the board deck.

Build the case around what boards already care about

Every healthcare board I’ve worked with has three core concerns: patient safety, regulatory standing, and financial viability. Effective cybersecurity investment supports all three, but you have to make those connections explicit.

On patient safety: cyber incidents aren’t just IT problems anymore. Research consistently links hospital downtime events to measurable increases in patient mortality rates and adverse outcomes. Frame security investment as patient safety infrastructure, not just IT infrastructure.

On regulatory standing: HIPAA enforcement is tightening, and HHS has signaled more aggressive action on inadequate security controls. A breach that triggers a corrective action plan doesn’t just bring fines; it brings years of OCR oversight that consumes staff time and management bandwidth at exactly the wrong moments.

On financial viability: this is where we have the most to add. Boards understand insurance premiums. They understand liability reserves. They understand capital write-downs. Downtime loss, recovery costs, and reputational damage to patient volumes are all quantifiable, and we should be quantifying them.

Practical steps for your next board presentation

Partner with your CISO before the meeting, not during it. Set expectations that technical detail belongs in a written appendix, not on the main slides. The board presentation should answer three questions: What is our current risk exposure? What are we proposing to do about it? What does it cost us if we don’t?

Anchor to benchmarks and peer data. Mid-size and rural healthcare systems are disproportionately targeted — smaller security teams, older infrastructure, and high-value patient data create an attractive target profile. When boards understand that your peer organizations are experiencing real incidents with real financial consequences, the conversation shifts from “should we spend this?” to “can we afford not to?”

Separate the ask from the education. Boards don’t need to understand how a zero-day exploit works. They need to understand the business risk it creates and the investment required to reduce it. Keep those two tracks clean.

Your role has changed

Five years ago, a CFO could reasonably defer to the CIO or CISO on cybersecurity investment recommendations. The financial stakes weren’t as visible, and board expectations were different. That’s no longer true. Cyber risk is now a material financial risk, and material financial risks are our domain.

The most effective thing you can do for your organization’s security posture isn’t to become a technical expert. It’s to become the person in the room who can translate between your technical team and your governance leadership, and who ensures that investment decisions are made with clear eyes on the financial consequences of inaction.

That’s now our job as CFOs.


Joe Badziong
Chief Financial Officer, CloudWave


Disclosure: Views expressed reflect the author’s professional experience and perspective.