I remember sitting across from a COO who asked the question that haunts every CISO: "What exactly did we get for our $185M cybersecurity investment this year?" The implicit challenge was clear – no breach had occurred, so perhaps we were overfunded, or worse, hyping the risk to justify our existence.
This conversation encapsulates cybersecurity's fundamental framing problem. Unlike credit risk teams who evolved from "preventing bad loans" to "optimizing risk-return profiles for maximum profitable lending," cybersecurity remains trapped in a defensive mindset. We're stuck selling "cost avoidance" in a world where CFOs demand business value.
Economic theory suggests rational decision-makers calculate opportunity costs, but recent behavioural research reveals a more complex reality. In a landmark study, "Opportunity Cost Neglect," Frederick et al. demonstrated across six experiments that consumers systematically fail to consider alternative uses of money until explicitly prompted, and even very subtle prompts are enough.[1] Even when forced to deliberate extensively about purchase decisions, participants rarely spontaneously generated thoughts about outside goods they could buy instead until they were given that prompt. A prompt could be the mere mention of cost, and when that comes first, a “frame” is set that encapsulates everything discussed from that point onwards. Professor Frederick says:
“A widely accepted precept in research on decision making is people’s passive acceptance of the “frame,” or characterization of the problem, they’re provided. This confers power on those who offer a frame. Decisions about whether some expenditure is “worth it” hinge on what the purchase is seen as displacing. Take the extra time to define that, and you can change the way your customers view your value proposition.”[2]
This has profound implications for cybersecurity positioning. We've allowed ourselves to be framed as either:
A "keeping-the-CEO-out-of-jail" expense for high-stakes industries
Or a compliance checkbox for everyone else
But this framing is fundamentally wrong – and it's leaving massive competitive advantages on the table.
All other things aren't equal
The assumption that cybersecurity is purely a cost centre ignores a critical reality: security posture creates genuine business differentiation. When cybersecurity leaders position their investments solely as risk mitigation, they're competing on the wrong battlefield entirely.
Traditional cybersecurity pitches compare one security solution to another, usually emphasizing lower costs or better threat detection. This approach assumes that "keeping bad things from happening" is the primary value proposition. But this assumption is flawed because all security investments aren't equal – they enable vastly different business outcomes.
In high-stakes industries like investment banking, robust cybersecurity isn't just about avoiding breaches – it's table stakes for customer trust. But even here, security teams fail to articulate how their investments enable premium pricing, faster regulatory approvals, or access to security-conscious institutional clients.
The key to positioning cybersecurity investments that deliver genuine business value is to differentiate the inherent opportunities that security posture creates from the "apparent" cost-avoidance benefits. It's a perfectly valid strategy for cybersecurity teams to use opportunity costs as persuasive arguments – but to do that effectively, you need to understand not just your technical capabilities, but also what your stakeholders value most and what drives their decision-making process.
Consider the untapped competitive advantages that strong cybersecurity enables:
Revenue acceleration: Faster time-to-market when security is built-in rather than bolted-on
Market expansion: Access to security-sensitive customers and markets that competitors can't serve
Premium pricing: Privacy-conscious customers pay more for demonstrated data protection
Operational efficiency: Reduced insurance costs, better contract terms, streamlined compliance
Brand differentiation: Security as a competitive moat rather than a commodity requirement
Framing your security value proposition
As I noted earlier, research into decision-making psychology highlights the importance of "framing" – how we characterize the problem our stakeholder faces and present our solution within that context. If you can effectively set the frame for business leaders, you can position your cybersecurity investments so they stand out as growth enablers rather than cost centres.
Professor Frederick's HBR article "The Persuasive Power of Opportunity Costs" provides a masterclass in reframing expensive purchases. His analysis of De Beers' diamond marketing campaign shows how they repositioned expensive jewellery from a "luxury expense" to a simple choice: buy the diamond now or "redo the kitchen next year." By framing both options as expensive but inevitable purchases, De Beers normalized the luxury item and suggested the opportunity cost could simply be deferred. It's all in the "frame." This wasn't just clever advertising – it was strategic reframing backed by rigorous psychological research.[3] Frederick's experiments reveal why traditional cybersecurity pitches often fail: when stakeholders are prompted to consider opportunity costs, they consistently shift toward cheaper options, and this was shown to be true even with subtle cost-focused language. This research explains why leading with security expenses ('We need $10M for...') psychologically primes decision-makers to consider alternatives rather than approve investments. The solution is to reframe security as business enablement before costs are even discussed, that is, to set the frame early.
Cybersecurity and IT leaders should apply these principles. Instead of presenting security investments as necessary evils, consider these reframes:
Traditional frame: "We need $10M for an endpoint security solution that detects and reduces malware infections by 80%."
Opportunity cost frame: "Robust endpoint security enables our hybrid workforce strategy, avoiding the $50M cost of additional office space to support business expansion."
The endpoint security frame here is particularly compelling because it connects cybersecurity directly to a massive operational expense (real estate) that every executive understands. A $10M investment suddenly looks like a bargain against $50M in avoided office costs – and we're not just saving money, we're enabling a more flexible business model.
Traditional frame: "We need advanced threat detection to identify APTs faster."
Opportunity cost frame: "Proactive threat hunting positions us as the secure alternative to competitors dealing with public breaches, enabling premium pricing with security-conscious customers."
In this frame, we’re not just preventing losses; we're creating a competitive moat that justifies higher margins. When competitors are dealing with breach headlines and customer trust issues, the company’s proactive security becomes a sales tool.
Traditional frame: "Our SOC prevents 10,000 attacks monthly."
Opportunity cost frame: "Our security posture qualifies us as a Tier 1 supplier for Fortune 500 companies, opening doors to contracts our competitors can't even bid on."
The traditional frame's "10,000 attacks prevented" is actually meaningless to most executives. Sure, it looks good in a presentation deck, but they don't know if that's good or bad, how it compares to industry benchmarks, or what business value it represents. It's just a big number that feels expensive to maintain. Here the opportunity frame immediately connects to what business leaders understand: market access and competitive advantage. For many listed companies and governments, supplier qualification is a binary gate – you either meet the requirements or you don’t. No amount of price competition or product superiority matters if you don’t have a seat at the bidding table.
These examples also highlight how cybersecurity can establish what economists call "network effects" – the value of that investment increases exponentially as more prestigious clients demand higher security standards.
So here a SOC investment doesn't just protect against attacks; it becomes a credential that opens progressively more valuable market segments. And the endpoint security frame implies that we can hire from a larger, remotely located workforce and attract more diversified and skilled staff, and so on.
It's the difference between saying "We're really good at defence" versus "We have the ear of the CEO." One sounds like a cost centre protecting what you already have; the other sounds like a profit centre unlocking what you could have.
These examples collectively show that the most powerful reframes connect cybersecurity capabilities directly to revenue generation, market expansion, or competitive differentiation – making the business case self-evident rather than requiring complex risk calculations.
Returning briefly to Frederick's research, I need to point out that what constitutes a valid "frame" will differ dramatically between stakeholders. Your opportunity cost arguments will need to be adapted to each audience's specific priorities and psychology. The key question is how to get your stakeholders to stop thinking of security as a cost and focus on how it enables and builds business capabilities, revenue and differentiation.
Differential stakeholder engagement
So why do cybersecurity teams struggle to get buy-in while marketing teams with similar budgets sail through approval processes? Because marketing teams understand that different stakeholders require different value propositions for the same investment.
Consider how cybersecurity investments impact different business stakeholders:
For the CEO: Security posture enables strategic opportunities
"Our security maturity allows us to pursue acquisition targets that competitors can't due diligence properly"
"We can enter regulated markets that require demonstrated data protection capabilities"
"Security becomes a competitive moat – customers choose us because they trust us with sensitive data"
For the CFO: Security investments optimize financial performance
"Strong cybersecurity posture reduces insurance premiums by 40% and enables better contract terms"
"Security-by-design reduces compliance costs across multiple frameworks"
"Our security posture commands premium pricing – we can charge 15% more than competitors for the same services"
For Sales Leaders: Security enables revenue growth
"We can pursue enterprise customers who require SOC 2 Type II certification"
"Security certifications open government contracting opportunities worth $200M annually"
"While competitors deal with breach recovery, we're winning their security-conscious customers"
For Product Teams: Security accelerates innovation
"Embedded security means faster time-to-market – no lengthy security reviews and simplified SBOMs"
"Privacy-by-design features become product differentiators"
"Security APIs enable integration with enterprise customer environments"
Research validates that this multi-stakeholder approach is crucial. Frederick's studies found that individual differences in spending attitudes significantly affect how carefully you must frame initial presentations. Cost-conscious decision-makers naturally scrutinize all expenditures, making it essential to lead with opportunity value rather than costs. Growth-focused stakeholders, while more willing to invest, need an explicit connection between security capabilities and business outcomes before any cost discussion begins.
This maps directly to cybersecurity contexts: heavily regulated industries with cost-conscious leadership require immediate opportunity framing to prevent cost-comparison thinking, while other sectors need clear business enablement messaging to avoid dismissing security as a routine IT expense. In both cases, establishing the value frame before discussing costs is crucial to avoiding Frederick's documented preference shift toward cheaper alternatives.
Consider how De Beers crafted completely different messages for different audiences selling the same product. For men, they used direct, practical language: "It is never a good idea to keep a woman waiting," "There's never been a better time to invest in futures," and "This Christmas there will be more than three wise men."[4] These messages positioned diamond purchases as smart investments and practical decisions.
For women, the campaign was far more subtle, aimed at redefining their relationship with diamonds entirely. Rather than positioning diamonds as gifts received, they framed them as personal choices: "It beckons me as I pass the store window…" and "…I'm not usually that kind of girl, I take it home."[5]
This dual approach, framing the purchase differently for the purchaser and the recipient, took advantage of their (subtly prepared) perceptions of what the ring meant – a sound investment, an investment in their shared love, and an expression of personal empowerment rather than dependence. The frame defines how they rationalise the ring and ignore or justify the opportunity cost, by linking it to emotions or suggestive logic, even if that implies cognitive dissonance.
For cybersecurity investments to gain traction, they must be perceived as enabling rather than adding to already constrained business budgets, and this frame must be set before we bring up costs. This requires framing security not as a grudge purchase, but as a strategic enabler of business goals that stakeholders already prioritize.
The path forward
The cybersecurity industry stands at an inflection point similar to where credit risk management was decades ago. Credit teams evolved from "preventing bad loans" to "optimizing risk-return profiles for maximum profitable growth." They developed sophisticated models that quantified previously invisible value creation. But the risk quantification models that I see evolving for cybersecurity still have the same cost-focus flaw. They’ll just put a more precise dollar value on the risks we mitigate, on the threats that we eliminate and the DDoS attacks we negated. These quantification models still won’t show the business value or the opportunities that cyber stands to create. Unless the risk quantification model output is carefully used in budget meetings and investment discussions, these models will simply highlight the opportunity costs to the board before you’ve had the opportunity to set the frame.
That said, cybersecurity will eventually see the evolution credit risk experienced. Credit risk managers learned that better risk understanding didn't mean giving fewer loans to objectively safer customers – it meant giving more loans, more profitably, through accurate pricing of risk. That was the value creation from better analysis, not cost avoidance.
Organizations that master this reframing will discover something remarkable: cybersecurity transforms from a budget line item to a competitive weapon. While competitors treat security as a compliance checkbox, forward-thinking companies will use security posture to win customers, enter new markets, and command premium pricing.
The opportunity is enormous – but it requires honest self-reflection about how we currently position our value and what we might be leaving on the table. And it will require that CISOs become more business-focused and commercially minded.
Questions for reflection:
Consider your last three cybersecurity investment proposals. What frame did you use to present them? Were you asking stakeholders to accept costs or to recognize opportunities? Note: Risk reductions are not opportunities.
What business objectives is your CEO most focused on this quarter? How might your security capabilities enable, accelerate, or differentiate those initiatives?
If a competitor suffered a major breach tomorrow, what specific business advantages would your security posture create? How would you communicate those advantages to prospects and customers? And what would something like that be worth?
Which of your stakeholders are naturally cost-conscious versus growth-focused (i.e. more willing to invest but may need coaching to see security's business-enabling potential)? Cost-conscious stakeholders need immediate opportunity-focused messaging to prevent cost-comparison thinking, while growth-focused stakeholders need an explicit connection between security capabilities and business outcomes before any cost discussion begins.
What market opportunities, customer segments, or premium pricing strategies could your current security investments unlock that you haven't explicitly articulated to business leadership?
The answer to the $185M question shouldn't focus on what we avoided, what risks we mitigated, or how much more resilient we are, unless those are the value-creating differentiators. The answer should focus on the opportunities that create value so that we don’t end up in a situation where opportunity costs become the central discussion point.
We need to make the potential $40M cost-saving from a $10M cyber investment come across as great value. The organizations that answer this question most compellingly will transform cybersecurity from a necessary cost to a competitive advantage.
[1] Frederick, Shane; Novemsky, Nathan; Wang, Jing; Dhar, Ravi; and Nowlis, Stephen. "Opportunity Cost Neglect." Journal of Consumer Research, 36(4), 2009: 553-561. https://doi.org/10.1086/599764
[2] Frederick, Shane. "The Persuasive Power of Opportunity Costs." Harvard Business Review, January-February 2011.
[3] Remember that De Beers in the 1930s invented the notion that an engagement ring should cost one month's salary, later evolving to two months' and eventually three months' salary, all based on Thorstein Veblen's 1924 theory of 'conspicuous consumption'. The frame presented to men was that the diamond was an investment in the love and happiness that he shared with his fiancée or wife – and because that love is priceless it renders the price of the diamond ring not really expensive at all. A pre-conditioning of the mind to the purchase made months in advance through suggestive marketing.
[4] These slogans demonstrate how De Beers positioned expensive jewellery purchases as rational, time-sensitive investment decisions rather than emotional luxury purchases – successfully appealing to male decision-making psychology even though diamonds are notoriously poor financial investments. Edward Jay Epstein, The Atlantic, 1982.
[5] The women-targeted campaign was revolutionary in repositioning diamonds from symbols of dependence ("he bought this for me") to symbols of personal agency ("I chose this for myself"), fundamentally changing the emotional relationship with luxury purchases. (idem)