When I first entered the world of cybersecurity, the role of chief security officer (CSO) was often relegated to the shadows with a primary focus on policies, compliance, and technical defenses. Fast forward to today, and the CSO’s role has transformed dramatically.   

According to Splunk’s CISO Report, 86% of CSOs and CISOs say that the role has changed so much since they started that it’s almost a different job entirely. That’s because today’s CSO isn’t just tasked with protecting their company’s data – they’re enabling business outcomes, influencing customer decisions, and even conferring a competitive advantage when it comes to generating sales.  

My own professional journey reflects this shift. From my early days at Deloitte, where cybersecurity was a nascent practice, to leading security at global companies like Roche and now Commvault, I’ve seen firsthand how the CSO’s responsibilities have expanded to become strategic business leaders, integral to driving organizational growth and customer trust.  

Back then, CSOs were often perceived as deeply technical experts focused on network infrastructure and niche threats. It was rare to be invited into the room for business planning, product strategy, or customer conversations. Security was often considered a necessary cost rather than a potential driver of growth, and many CSOs struggled to gain visibility beyond IT or risk committees.  

These days, I’m fortunate to sit on the executive leadership team of a public company where security is considered at every level, from defining the product roadmap and go-to-market timelines to setting revenue targets. Yet being part of executive discussions is just the first step. To maintain that influence, CSOs must show how security initiatives contribute to growth and profitability.  

Building the Security Business Case  

As companies navigate tighter budgets and macroeconomic uncertainty, today’s CSOs must rethink how they communicate and align security across the business. I’ve found that one of the most powerful ways to demonstrate security’s value is by tying it directly to a metric that everyone in the business understands: Revenue.   

A few years ago, I relocated to France and quickly saw a problem: Our global security team only spoke English, and yet France was our second-largest market. Security questionnaires took weeks to process, delaying deals and frustrating sales leaders. So, instead of treating it as an unavoidable bottleneck, I built a business case for hiring a French-speaking security analyst. I showed leadership how one local hire would accelerate the sales cycle with French clients and pay for itself several times over in additional revenue.   

Was this a security decision? On the contrary, it was framed as a revenue accelerator and highlights how CSOs today must think beyond the confines of risk mitigation and overcome information security’s reputation as the ‘Department of No’. Too often, CSOs fall into the trap of explaining technical vulnerabilities in exhaustive detail. But department leaders have neither the time nor domain expertise to be fluent in the minutiae of CVEs and zero-day exploits. Instead, we must translate security risks into a language that other business executives understand and can connect to business outcomes.   

For instance, at a previous company, I realized that technical security-focused metrics for application posture, infrastructure, and network security were lost on business stakeholders unfamiliar with security frameworks. To help bridge this communication gap, I replaced these metrics with simple A-F letter grades for each software product we sold. This approach resonated with non-technical leaders, creating healthy competition among product teams that helped us better benchmark and improve their scores.  

So, what practical steps should a CSO take to effectively translate their technical expertise into strategic business value?  

Four Practices for Business-Aligned Security Leadership  

Whether you’re already a security leader or aspire to be one, here are four strategies I’ve found essential to becoming a true partner to the business:  

1. Learn the Language of Your Business: You can’t advocate effectively if you don’t understand how your business earns revenue. I regularly read earnings reports, listen to investor calls, and understand quota expectations. I teach my team to ask: “If I’m requesting $300K, how does that compare to the revenue of a salesperson?” If your ‘ask’ costs the company that much in opportunity, it better be worth it. This financial literacy also helps frame security priorities in terms executives care about: return on investment, cost avoidance, and revenue growth. 

2. Benchmark Everything: Security doesn’t exist in a vacuum. Use third-party ratings (i.e., security scorecards) to compare your program against competitors. This not only validates your strategy but also identifies gaps. Use external security ratings, staffing ratios, and spend comparisons to gauge where you stand – not just against your own baseline, but against the market. I’ve been using benchmarking tools since they were new, and they continue to be an essential part of communicating whether we’re ahead of the curve or falling behind.  

3. Track Customer Interactions: It’s important to measure customer security engagements just like you would any other business function. How many times did we engage? What were the most common concerns? Did we turn insights into action? It’s not enough to just defend – you must also demonstrate how security adds trust and closes deals. By tracking these engagements, you can proactively identify trends, address recurring pain points, and prove security’s impact on customer satisfaction and retention. 

4. Learn from Peers, Not Just Conferences: The threat landscape evolves daily, and so must CSOs. Organize quarterly “security exchange” days with non-competing organizations. Each side comes with three things they do well, and three they want to improve. The result? Candid, collaborative learning that sparks innovation and prevents complacency. These peer-to-peer sessions often yield creative solutions, reveal blind spots, and help CSOs benchmark practices in real time – insights you won’t find in a keynote or vendor pitch. 

Today’s security leaders must be adept communicators, high-level strategists, and above all, revenue enablers. By aligning security with business value, speaking the language of leadership, and building collaborative relationships across the organization, CSOs can secure not just their organization but also their seat at the table.