MDR · 7 MIN READ · BEN BAKER · FEB 25, 2026 · TAGS: leadership & management / Webinar
This is the second in a multi-part series exploring key insights from our recent webinar A CISO’s guide to speaking CFO. The discussion, featuring security and finance leaders from Expel and SMBC, unpacked findings from our research surveying 300 CISOs and CFOs about the security-finance relationship.
TL;DR
- Attackers follow the path of least resistance—exploiting basic security gaps far more often than deploying sophisticated techniques—so your best ROI comes from getting the fundamentals right first.
- Data from Expel’s 2026 Annual Threat Report shows identity attacks made up 68.6% of incidents, and over half were stopped by basic controls like MFA and conditional access policies—proof that boring security works.
- To win CFO buy-in, frame fundamental security investments in terms of business enablement, measurable risk reduction, and the cost of not acting—not just threat prevention.
When was the last time you heard someone in security get genuinely excited about patch management?
Probably never. Because patching vulnerabilities, managing identities, and maintaining proper access controls aren’t sexy. They don’t make headlines. They won’t land you on the conference circuit talking about AI-powered quantum threats from the dark web.
But here’s what they will do: stop the vast majority of attacks that actually work.
“Good security is boring,” said Greg Notch, Chief Security Officer at Expel, during our recent webinar on the CISO-CFO relationship. “If you spend most of your resources solving the basics, you know, get your basic controls in place, get a good defense laid down, make sure your security operations are on point—then you can adapt to the things that are close to your business and the novel threats.”
This isn’t just philosophy. It’s economics. And when you’re trying to demonstrate cybersecurity ROI to finance leaders who want to see measurable returns, “boring” security is actually your strongest argument.
Why attackers choose boring, too
Attackers follow the same economic principles you do. They’re optimizing for efficiency.
“Attackers have unit economics too, right?” Notch explained. “They’re going to choose the cheapest and easiest path to achieve their objectives. Why burn a zero-day when you can just compromise someone’s identity?”
Even nation-state actors with virtually unlimited resources prefer the simple approach. They’ll use the most basic technique that gets them what they need because it helps them blend in and costs less to execute.
Pierre Noel, Field CISO EMEA at Expel, shared a perfect example from earlier in his career. He was consulting with a bank in Thailand around 2000, helping them evaluate their cybersecurity posture.
“We ended up having a heavy discussion on what kind of encryption we should use,” Noel recalled. “Then it was lunchtime. I left the office and came close to an ATM, and I found out that on top of the ATM was the modem used to communicate.”
He took a picture. “I said, ‘You really think that we should be talking about which encryption we should use when we don’t even cover the basics?’”
The lesson stuck with him: “We should not look at the most complicated things. People will go for the easier one.”
The fundamentals that actually deliver ROI
When finance leaders ask about cybersecurity ROI, they want to know: What are we getting for our investment? How does this reduce our risk?
The answer lies in understanding what actually stops attacks in production environments.
Our 2026 Annual Threat Report analyzed incidents across hundreds of customer environments. Here’s what we found:
Identity attacks dominated at 68.6% of incidents. But here’s the important part: Over half of those attacks (52.3%) were immediately blocked by existing security controls like conditional access policies and multi-factor authentication.
The difference between the organizations where attacks succeeded and those where they failed? Configuration. Not sophisticated AI-powered detection. Not bleeding-edge threat intelligence. Basic security controls, properly implemented.
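To make “configuration” concrete, here is an added example (not code from the webinar, the threat report, or any vendor) that models the identity controls the post lists further down as a tiny conditional-access evaluator and runs it over five constructed sign-in events. The event fields and the policy knobs are assumptions loosely modelled on Entra ID sign-in logs and conditional access; the two misconfigurations it compares, a policy left in report-only mode and legacy authentication protocols left out of scope, are common ways the same control ends up blocking nothing.

```python
"""Toy conditional-access evaluator over constructed sign-in events.

Same attacker traffic, three policy states: enforced, report-only, and
enforced-but-legacy-auth-excluded. The point is that the control only
'stops over half of identity attacks' when it is actually configured to.
"""
from dataclasses import dataclass, field

# MFA methods treated as phishing-resistant (FIDO2 / platform authenticators / certs).
PHISHING_RESISTANT = {"fido2", "windows_hello", "certificate"}


@dataclass
class Policy:
    """Assumed policy shape; names are illustrative, not an Entra ID API."""
    allowed_countries: set = field(default_factory=lambda: {"US", "GB"})
    require_managed_device: bool = True
    require_phishing_resistant_mfa: bool = True
    enforce: bool = True            # False == report-only: violations logged, nothing blocked
    cover_legacy_auth: bool = True  # False == IMAP/SMTP/POP style protocols exempt from policy


# Constructed sign-in events (not real log data). 'legacy' marks a legacy-auth protocol,
# which cannot perform MFA at all, so the only safe answer for it is "block".
SIGNINS = [
    {"user": "alice", "country": "US", "managed": True,  "mfa": "fido2", "legacy": False},
    {"user": "alice", "country": "NG", "managed": False, "mfa": "sms",   "legacy": False},  # phished password + relayed SMS code
    {"user": "bob",   "country": "US", "managed": False, "mfa": None,    "legacy": True},   # IMAP login with a stolen password
    {"user": "carol", "country": "GB", "managed": True,  "mfa": "fido2", "legacy": False},
    {"user": "dave",  "country": "RU", "managed": True,  "mfa": "totp",  "legacy": False},  # stolen TOTP seed, unusual location
]


def evaluate(event, policy):
    """Return ("allow"|"block", [reasons]) for one sign-in under one policy."""
    if event["legacy"] and not policy.cover_legacy_auth:
        return "allow", ["legacy auth out of policy scope"]  # the classic hole
    reasons = []
    if event["country"] not in policy.allowed_countries:
        reasons.append("untrusted location")
    if policy.require_managed_device and not event["managed"]:
        reasons.append("unmanaged device")
    if policy.require_phishing_resistant_mfa and event["mfa"] not in PHISHING_RESISTANT:
        reasons.append("MFA not phishing-resistant")
    if reasons and policy.enforce:
        return "block", reasons
    return "allow", reasons  # report-only mode: the violation is recorded, the sign-in succeeds


def summarize(events, policy):
    """Count outcomes: the number a CISO can put in front of finance."""
    blocked = sum(1 for e in events if evaluate(e, policy)[0] == "block")
    return {"total": len(events), "blocked": blocked, "allowed": len(events) - blocked}


if __name__ == "__main__":
    for label, pol in [("enforced", Policy()),
                       ("report-only", Policy(enforce=False)),
                       ("legacy auth excluded", Policy(cover_legacy_auth=False))]:
        print(f"{label:22s} {summarize(SIGNINS, pol)}")
```

Run it and the enforced policy blocks three of the five sign-ins, the report-only copy of the identical policy blocks none, and excluding legacy authentication quietly re-admits the stolen-password IMAP login. Each of those is the same control with a different configuration, which is the difference the report data is pointing at.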
Endpoint and cloud threats looked similar. None of the attack trends are novel. Attackers are “improvising on what already works,” as our report describes it—more “jazz standards” than groundbreaking innovation.
The pattern is clear: Attackers overwhelmingly exploit known gaps in basic security controls. Not because sophisticated attacks don’t exist, but because they rarely need them.
What “boring” security looks like in practice
During the webinar, Patrick Brodie, Executive Director and Head of Information Security Operations at Sumitomo Mitsui Banking Corporation, offered practical advice that won’t make anyone’s conference talk shortlist:
“You don’t want to be investing in post-quantum encryption programs when you’re using TLS 1.0,” he said. “You have to have the priorities in order.”
Here’s what prioritizing the fundamentals actually means:
Identity and access management
- Conditional access policies that restrict sign-ins to trusted locations (paired with the device requirement below, since attackers routinely route through proxies in your home country)
- Requiring authentication from company-managed devices
- Phishing-resistant MFA (following FIDO2 standards when possible)
- Proper onboarding and offboarding processes
Vulnerability management
- Timely patching (critical and actively exploited vulnerabilities first)
- Regular scanning and remediation workflows
- Patch compliance tracking
Endpoint security
- Up-to-date endpoint detection and response (EDR)
- Application whitelisting where appropriate
- Blocking unauthorized remote access tools
Cloud security hygiene
- Enforcing IMDSv2 for AWS instances (so an SSRF bug in an app can’t read the instance’s credentials from the metadata service)
- Secret scanning in CI/CD pipelines
- Least-privilege IAM policies
- Regular access reviews
Third-party risk management
- Vendor security assessments
- Supply chain monitoring
- Fourth-party risk visibility
None of these initiatives will win awards. But every single one directly reduces your attack surface in ways that measurably decrease risk.
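As an added example, not Expel’s code or anything from the report, here is a small offline audit of three of the cloud hygiene items above, run over constructed sample data. The input shapes are assumptions that imitate what boto3 `describe_instances` and `get_policy_version` return, so the only change for a live run is swapping the samples for real output; the credential pair in the sample file is the one AWS publishes in its own documentation, not a live key.

```python
"""Toy cloud-hygiene audit over constructed data; makes no AWS API calls.

Checks: IMDSv2 enforcement, wildcard IAM grants, and secrets committed to source.
"""
import re

# Constructed sample: one hardened instance, one exposed, one with IMDS switched off.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a1", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0b2", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0c3", "MetadataOptions": {
        "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]

# Constructed sample IAM policy: one scoped grant, two that are not.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Constructed sample repo contents. The key pair is AWS's documentation example, not a real credential.
SAMPLE_FILES = {
    "app/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Export AWS_ACCESS_KEY_ID in your shell before running.\n",
}


def imdsv2_findings(instances):
    """Flag instances where an SSRF could still reach IMDSv1 or hop out of a container."""
    findings = []
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        iid = inst["InstanceId"]
        if opts.get("HttpEndpoint") == "disabled":
            continue  # no metadata endpoint at all: nothing for an SSRF to read
        if opts.get("HttpTokens") != "required":
            findings.append((iid, "IMDSv1 allowed: HttpTokens should be 'required'"))
        if opts.get("HttpPutResponseHopLimit", 1) > 1:
            findings.append((iid, "hop limit > 1: IMDS reachable from containers behind NAT"))
    return findings


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def broad_iam_statements(policy):
    """Return (statement index, reason) for Allow statements that are not least-privilege."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in resources
        if wild_action and wild_resource:
            findings.append((i, "wildcard action on all resources"))
        elif wild_action:
            findings.append((i, "service-wide action wildcard"))
        elif wild_resource and not stmt.get("Condition"):
            findings.append((i, "unconditioned access to all resources"))
    return findings


# Two illustrative patterns; a real scanner carries many more (and entropy checks).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)secret[a-z_]*\s*[:=]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"),
}


def secret_findings(files):
    """Return (path, line number, pattern name) for each probable credential in source."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    findings.append((path, n, name))
    return findings


def audit():
    return {
        "imds": imdsv2_findings(SAMPLE_INSTANCES),
        "iam": broad_iam_statements(SAMPLE_POLICY),
        "secrets": secret_findings(SAMPLE_FILES),
    }


if __name__ == "__main__":
    for area, items in audit().items():
        print(area, *items, sep="\n  ")
```

The output is a short list of misconfigurations, each with an owner-readable reason, which is exactly the kind of countable, before-and-after metric the ROI section below asks for: “n instances still on IMDSv1 last quarter, zero this quarter” is a sentence finance can follow.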
How to prove ROI on boring security
Here’s where the “boring” approach actually helps you demonstrate cybersecurity ROI to finance.
Remember Notch’s formula from our previous post: “This is how much money I spend to deflect this amount of risk off the balance sheet.”
Fundamental security controls are easier to quantify than exotic threat detection because:
- The threats they prevent are well-documented. You can point to industry data on the cost of identity compromises, unpatched vulnerabilities, or misconfigured cloud resources.
- The baseline risk is measurable. Before implementing the control, you can assess your exposure. After implementation, you can measure the reduction.
- The coverage is clear. MFA protects X number of accounts. Patch management addresses Y number of vulnerabilities. The scope is definable.
- The alternatives are expensive. What does it cost if you don’t patch? If you don’t implement proper access controls? Finance leaders understand these trade-offs.
According to SentinelOne, only 23% of companies report that their cybersecurity metrics are well understood by top executives. One reason? Security teams focus on sophisticated metrics for sophisticated threats rather than clearly articulating the ROI of fundamental controls.
When you can say, “We invested $X in identity and access management, and it blocked 52% of attempted account compromises this year,” finance understands that value proposition immediately.
The exotic threat trap
So why do organizations still chase the exciting stuff?
Part of it is human nature. Sophisticated threats make better stories than “we patched our servers on time.” They’re more interesting to present to the board, more fun to discuss with peers, and easier to get budget for because they sound impressive.
But there’s a cost to chasing headlines. While you’re building defenses against theoretical nation-state attacks, attackers are exploiting the basics you overlooked.
Noel put it bluntly: “Most attackers will just take a truck and run into the ATM.”
There’s a well-known XKCD comic (“Security,” #538) that illustrates this perfectly. In the crypto nerd’s imagination, the attackers build a million-dollar cluster and are foiled by 4096-bit RSA. In what would actually happen: “His laptop’s encrypted. Drug him and hit him with this $5 wrench until he tells us the password.”
Attackers think like this. They’re not impressed by your advanced malware analysis capabilities if your users are still running outdated software with known exploits.
The exotic threat trap costs you in two ways:
- Budget that could address real risks gets allocated to solutions that address theoretical ones
- Opportunity cost: While you’re hunting for sophisticated nation-state actors, you’re missing the basics that would stop the commodity malware that’s actually targeting you
Making the boring case to finance
Here’s how to frame fundamental security investments in terms finance actually cares about:
Start with business enablement, not threat prevention
Don’t say: “We need better identity management to prevent account takeovers.”
Say: “Proper identity and access management lets us safely enable remote work, support third-party integrations, and accelerate time-to-market for new applications—while reducing our risk of account compromise by approximately X%.”
Tie investments to specific business initiatives
Brodie emphasized this during the webinar: “If there’s a new customer-facing application, and you’ve got something in your IAM program, you want to be able to tie it to that business initiative.”
Security that enables business outcomes is easier to fund than security that just prevents bad things.
Use the insurance analogy
Finance leaders understand insurance policies: premiums, coverage, deductibles. Frame fundamental security controls the same way.
As we discussed in our previous post, security programs function much like insurance policies—and they should be discussed in similar terms.
What’s the premium (investment required)? What’s the coverage (what risks does this address)? What’s the deductible (residual risk we’re accepting)?
Benchmark against actual attack patterns
Point to real data—industry reports, your own incident history, or threat intelligence that shows what attacks are actually succeeding.
Our Annual Threat Report exists specifically to give security leaders this ammunition. When you can show finance that 68.6% of incidents are identity-based, and over half are stopped by basic controls, you’re making a data-driven case for investment.
Show the cost of not investing
What’s your organization’s exposure if you don’t implement proper controls?
Frame it in terms finance understands: “We can invest $500K in properly implemented MFA and conditional access, or we’re accepting the risk of a potential $6M+ breach from compromised credentials.”
The 80/20 rule for security budgets
During the webinar, Notch suggested that organizations should reach a baseline security maturity—somewhere between a “high 3 and a low 4” on typical maturity models—before investing heavily in advanced capabilities.
Think of it as the 80/20 rule for security: 80% of your protection should come from 20% of the possible controls—specifically, the fundamental ones.
Once you’ve got the basics covered:
- Identity and access properly managed
- Vulnerabilities being patched consistently
- Endpoints protected and monitored
- Cloud infrastructure secured with proper configurations
- Third-party risks assessed and managed
Then—and only then—should you start investing in the exotic stuff. And even then, those investments should be directly tied to your specific threat model and business context, not to whatever threat is trending on social media.
Why boring security is actually the exciting story
Here’s the irony: When you focus on fundamental security controls, you actually enable the organization to do more exciting things.
Proper identity management means you can safely support remote work and third-party integrations. Strong patch management means you can confidently deploy new applications. Good cloud security hygiene means developers can move faster without creating risk.
“Good security is boring” doesn’t mean security work is boring. It means effective security shouldn’t be generating constant drama, heroic incident response efforts, or emergency all-hands meetings.
If your security program is boring, it probably means:
- Controls are working as designed
- Incidents are caught early (before they become emergencies)
- The business can operate without constant security firefighting
- Your team can focus on enablement rather than remediation
That’s exactly what finance wants to hear. It’s operational excellence. It’s risk management. It’s a mature function delivering measurable value.
And when you can demonstrate that your “boring” security investments consistently deflect risk off the balance sheet—using real metrics, tied to business outcomes—you’re speaking exactly the language CFOs understand.
Your maturity score might be climbing. Your detection capabilities might be industry-leading. But if you can’t show how your fundamental security controls are enabling the business while reducing risk, you’re missing the ROI story that actually gets budgets approved.
Want to dive deeper into how to communicate security value to finance? Watch the full webinar or download our complete research report. And stay tuned for our next post in the series.
