What Security Leaders Can't Prove to the CFO or the CIO

Security leaders spend most of their political capital making the case for investment. They make it in two directions. Toward the CFO, they argue that threats are real and defenses require funding. Toward the CIO, they argue that security is not a tax on delivery but a requirement for the systems the CIO is responsible for running.

Both arguments fail for the same reason.

Neither one is made in dollars.

The CFO Problem

The CFO sees technology as a cost category. Budget lines. Vendor contracts. Renewal cycles. Headcount. They have full visibility into what the organization spends on technology. They approve every purchase.

This visibility creates a blind spot. The CFO knows what things cost. They do not know what things are worth. A system that costs two million dollars a year to run may enable forty million in revenue. A system that costs five hundred thousand may enable nothing the organization could not do manually in a week.

When the security leader walks in and says we need to invest more in protecting these systems, the CFO hears a request to increase spending. The security leader means something different. They mean the exposure these systems carry is disproportionate to the protection around them. But without dollar figures that quantify the value at stake, the conversation stays on cost. It never reaches value.

The CFO is not the obstacle. The missing data is.

The CIO Problem

The CIO sees technology as infrastructure. Uptime. Capacity. Modernization. Digital transformation. Their priorities are availability and delivery. Security, from the CIO's chair, is one of many competing demands on the technology portfolio.

The friction between CIO and security leader is well-documented and usually framed as a culture problem. The CIO wants to move fast. Security wants to move carefully. The standard advice is better communication, more collaboration, shared goals.

That advice misses the point.

The CIO and the security leader are not arguing about culture. They are arguing about priority. Which systems matter most. Where investment should go. What risk is acceptable. These are questions with dollar answers that neither executive can produce because the data does not exist.

When the security leader says this system needs more protection, and the CIO says this system needs more capacity, neither of them can say what the system is worth to the business. They are both right about what they can see. They are both guessing about what they cannot.

Two Dimensions, One Gap

Effective security programs identify two things: what areas of the business carry the highest impact if disrupted, and what areas face the highest risk from attackers.

These are separate analyses that must be connected.

An asset can be high-impact and low-risk. Another can be high-risk and low-impact. Investment decisions depend on the combination. But most organizations run these analyses in different departments with different data, different assumptions, and no shared unit of measurement.

The impact analysis lives with business continuity, if it lives anywhere. The risk analysis lives with the security team. Neither is denominated in dollars. Neither connects to the financial picture the CFO uses to make decisions or the infrastructure picture the CIO uses to plan capacity.

Business Impact Intelligence (BII) connects the two. Discovery quantifies what everything is worth. Consequence quantifies what happens when something changes. Together they tell the security leader which quadrant every asset falls into: high-value and high-risk (invest now), high-value and low-risk (monitor), low-value and high-risk (accept or retire), low-value and low-risk (deprioritize).

Without both dimensions in dollar terms, the security leader is guessing. And guessing does not survive a budget conversation with a CFO or a prioritization conversation with a CIO.

The Case That Works

The security leader who cannot quantify value will always lose the budget argument to someone who can quantify cost. The CFO has the cost numbers. The CIO has the infrastructure numbers. The security leader has threat intelligence and risk ratings. Threat intelligence does not translate into a budget decision without a dollar figure attached.

The case that works is not about threats. It is about value.

This system processes $38M in annual claims revenue. Our monitoring infrastructure does not cover it. A breach that goes undetected for days instead of hours costs an additional $3M in cascading damage. Expanding our detection capability to cover this system costs $200K a year.

Four sentences, each grounded in a BII output. Discovery identified the asset value. Consequence modeled the detection gap. Modeling priced the investment against the exposure. The CFO can evaluate that. The CIO can prioritize that against their capacity roadmap. The security leader made a financial argument, not a threat briefing.

Frequently Asked Questions

Why can't cyber risk quantification solve this?

Cyber risk quantification estimates the probability and cost of security incidents. That covers risk. It does not cover value. The security leader needs both to make a case that survives a conversation with a CFO (who needs the value side in dollars) and a CIO (who thinks in infrastructure priority). BII connects both dimensions. More on this distinction at valoros.red/bii/bii-vs-bia.

What does the CFO actually need to see from the security leader?

Three things. What the organization depends on. What those dependencies are worth. What happens when they change. These three questions give the CFO a financial picture they can act on. A detailed discussion of these questions is at valoros.red/bii/three-board-questions.

Is this about fixing the CISO-CIO relationship?

Not directly. The relationship friction is a symptom. The cause is that both executives are making decisions about the same assets without a shared, dollar-denominated picture of what those assets are worth. BII produces that shared picture. The relationship improves because the arguments change from opinion to arithmetic.

Where can I read the full BII definition?

The public definition and framework are at valoros.red/bii.