
While many security leaders struggle to justify their budgets with technical jargon, successful CISOs are shifting their focus to demonstrate clear financial returns on investment.
Rob Labbé, CEO and CISO-in-Residence for the Mining and Metals ISAC, explains that security chiefs lose funding to operational colleagues when they fail to translate technical risk into business value.
By framing technical metrics as financial wins and prioritizing operational resilience, security leaders can secure the budgets necessary to protect the business.
Cybersecurity budgets are shrinking, even as the risk of digital threats rises. Rather than a paradox, however, the trend is a rational market response grounded in simple reasoning. Instead of a solid business case, security leaders tend to show up with complex technical jargon. But when faced with a choice, capital typically flows to value. Now, many CISOs are losing their budgets to colleagues who can communicate a clear ROI.
For an expert's perspective, we spoke with Rob Labbé, the CEO and CISO-in-Residence for the Mining and Metals ISAC (MM-ISAC). Labbé's career spans heavy industry, as Director of Information Security at Teck Resources, and big tech, and his perspective is informed by deep expertise in essential industries. After spending a decade at Microsoft, he helped grow the MM-ISAC from just five members to a global coalition of 18 companies. Today, Labbé's diagnosis is straightforward: most CISOs struggle to communicate the business value of their cybersecurity strategy.
But the problem isn't one of ownership, Labbé says. Instead, the real change is in the fundamental identity of modern companies. As technology moved from a peripheral function to the operational core, cyber risk became a material threat, requiring significantly more attention.
"Most mining companies today are technology companies that happen to dig holes in the ground. Banks are technology companies that happen to have some money in a vault somewhere," Labbé says. "So much of the world now consists of technology companies that happen to do mining, or banking, or pharmaceutical manufacturing. Because of that, the risk is different. Now, it's material."
Digital indifference: Not so long ago, that wasn't the case, Labbé explains. "Ten years ago, a chief operating officer told me that, even if all the computers were turned off, it would only cost about 10% of production. And that was an amount he didn't really care about for short periods. That level of loss was not a concern for the board. It simply didn't matter."
The problem now is that too many CISOs are still talking like technicians, showing up to the board with "folklore and fairytale and scary colors," Labbé explains. "There's no connection between a NIST score and risk. There's no connection between your mean time to resolve and risk. There's no connection between your phishing click rates and risk. I mean, no other part of the business shows up to the board like that."
Boardroom radar: Since executives are conditioned to reject proposals that don't demonstrate value, the failure to provide a clear business case has direct financial repercussions. "You didn't get to be a board member or C-level executive at a major company because you've got bad intuition," Labbé says. "That's why your budget's getting cut."
Nowhere is this communication breakdown more apparent than in the boardroom budget battle. Describing a showdown he’s witnessed countless times, Labbé sets the scene.
Concrete returns: First, a General Manager makes a pitch: "I need $15,000,000 for three new haul trucks. I'm going to move x amount more rock and process y amount more gold. I'll pay you back for those haul trucks in six months, and then we're in the money for the next ten years."
Lost in translation: Then, the CISO follows with what sounds to the board like, "Red, NIST, 3.2, Charlie Brown teacher notes. Can I have $5,000,000?" When the board asks for his advice, Labbé's response is simple: "Call the haul truck guy back and see if he can use an extra $5,000,000."
The inability to translate these metrics into a compelling business case is the primary failure, Labbé clarifies. When framed with a clear return on investment, however, technical goals can become persuasive cases. "An ask to spend a million dollars to shave two hours off my mean time to detect is a winning pitch when the result is $10,000,000 less negative impact," he notes. "That's a 10-to-one win. Peace out. Go do it."
Instead of focusing on preventative controls—a point of diminishing returns—the real key to managing modern risk is resilience. "The problem is not that organizations underinvest in security controls," Labbé says. "They often have all the toys and the bells and whistles. So what is their problem? Resilience."
Digging for trouble: When an incident occurs, those same organizations usually don't have business continuity plans in place. "It isn't a failure of controls. It's a resilience failure," Labbé says. "The number one cause of system outages at mine sites isn't the hackers. It's a backhoe that takes out a buried fiber line that somebody forgot to mark on the map."
For Labbé, adopting this mindset hinges on a clear understanding of corporate governance. The board's role is "eyes in, fingers out," he explains. They define risk tolerance and expect the entire management team to solve the problem together. Ultimately, if that team fails, accountability rests with the CEO. "If risk goes outside of risk tolerance, the CEO goes away."
Leadership ledger: At the center of Labbé’s mantra is a simple view: C-level executives must function as risk managers for their domain, not the top technical practitioners. "You don't become the CFO because you're the best accountant and can do a balance sheet faster than anybody. That's not what he's paid for. He's paid to understand, communicate, and manage financial risk to the company."
Hard to impress: A CISO who still has time to manage a firewall isn't doing their job, according to Labbé. "Too many CISOs are still proud that they can go in and manage a firewall. To borrow a line from Shania Twain, 'that kind of technical skill doesn't impress me much' at the C-suite level."
The main takeaway? Not everyone is suited for the CISO role—and that’s okay. "A lot of CSOs would be way happier as directors of security, so they could keep their fingers in it and be technical," Labbé concludes. "And that's not a failing." It's an incredibly unique role, and many CISOs may have simply been promoted into the wrong one.