To Justify Cybersecurity Spend Before A Crisis, Leaders Learn The Language Of Invisible ROI
Enterprise Security
Greg McCord, CISO at Lightcast, explains how cybersecurity leaders should learn the language of ROI and describes how AI and a positive mindset can help translate value to the board.

There's a well-known cybersecurity paradigm: when nothing breaks, there is no headline and no story for the board. This is a common tension that arises when translating security issues to decision-makers: while security metrics describe threats, directors focus on value, and expressing ROI is more difficult when there isn't an immediate crisis. To survive fast-paced tech cycles and tighter budgets, some security leaders are learning to act as business partners, framing their work in terms of revenue impact rather than raw technical risk.
Greg McCord, CISO at Lightcast, has spent the past few years working through the transition. A U.S. Air Force combat veteran and Founder of McCord Keystone Advisory, he has led real-world breach responses and helped his organizations achieve major certifications, including ISO 27001 and TX-RAMP. After reducing severe vulnerabilities across sprawling tech stacks from 16 percent to below one percent, he found that conventional board reporting and AI conversations often miss what directors care about most: how security influences revenue, efficiency, and resilience.
To prove the business value of security, McCord focuses on where security artifacts intersect with buyers, such as trust pages, questionnaires, and technical due diligence, and then measures what happens next. This is a crucial step in demonstrating the actual value of cybersecurity beyond platitudes or crisis control. Concretely, McCord ties security assets to the marketing and sales pipeline so that prospects who engage with them are routed toward the organization's product.
The invisible invoice: Rather than staying stuck in the invisible-ROI trap, McCord relies on cybersecurity leadership and business influence grounded in financial outcomes. "I can explain how security supports the bottom line through the protections we put in place, but that value rarely lands until there’s an incident that forces the business to recognize it. That's when you have to file a claim for cyber insurance, or when you have to pay for that encryption key from a ransomware threat actor."
Fluency in finance: He realizes that technical metrics like dwell time rarely make it to the boardroom. To bridge the gap, he looks for ways to connect his program directly to the sales process and overall business health. "You really want to understand the language that the board speaks. They don't speak IT or cybersecurity. What they speak is the language of revenue."
Pipeline over panic: Beyond attribution, McCord sees an opportunity for security programs to actively generate a pipeline. "If you can link your trust page or any site you use to generate leads, you have a way to bring revenue to your team. Now somebody's looking at your website, and that goes into your CRM platform, and now a sales associate can reach out."
As AI reshapes cyber risk for boards, he notes that many security leaders are finding they can no longer simply default to "no." Instead, they are expected to show how AI can be used safely to support the company’s goals. Before each session, he reviews developments in his industry and the themes likely to be on directors’ minds. And, more often than not, that means artificial intelligence.
Part of this push, for McCord, involves reminding the board that AI capabilities are already built into many enterprise products. Rather than fighting that reality, he focuses on defining clear limits and maintaining a productive attitude around potential. For example, he places a premium on vendors like Claude and Claude Code with verifiable security practices articulated in their Trust Center.
At the same time, it's crucial that experts don't become "naysayers." Rather than simply pushing back against AI, professionals like McCord are expected to put the technology to work. This doesn't mean abandoning a critical eye; it means understanding the business cases, how they tie into organizational revenue, and how they support a holistic approach to solving infrastructure challenges. Accordingly, McCord participates in AI UC, a consortium focused on cataloging AI use cases and component interactions to create a standard for the creation and deployment of AI agents. That work aligns with emerging thinking on the hidden costs of AI-driven security operations and what a realistic AI SOC architecture might require.
In McCord’s experience, directors evaluate AI primarily as a business driver rather than a technology experiment. That is where his revenue-focused communication style and his approach to governing AI before it governs you converge. He says that boards want to know what tasks are being automated and how costs can be cut, and it's up to security leaders to understand how to translate features, use cases, risk, and ROI as a single package.
Vetting the vaporware: At the recent RSA Conference, McCord saw countless vendors bolt "AI agents" onto existing products without changing their underlying engineering. "I saw countless vendors trying to address the same thing. The problems never really changed. They just threw AI agents on top of it. Vendors claimed they could provide security around AI agents. But when I asked them to actually define what an AI agent is, most of the folks didn't know."
Progress over pessimism: Over time, McCord has moved toward a more progress-focused narrative that reflects a broader evolution of the CISO role, from a purely risk-focused voice to a partner in resilience. "They still want to know the basic things. Are we safe? Are we secure? The most generic, broad question you could possibly get. Every time I want to say no, I've said no quite a few times. But now I say, we're doing better."
For McCord, that optimism is grounded in experience. From starting with little and building a career across the military, private sector, and academia to helping organizations tie security directly to revenue and navigate AI safely, his focus is on ensuring security leaders have the language, data, and guardrails to participate in the future. "We are at a cybersecurity precipice that we don't quite fully understand, mainly driven by AI," McCord says. "So we're in a really interesting time. And I just encourage everyone to be positive and upbeat."