"Security is a tax on the business." β Every CFO, usually right before they get breached.
For years, security folks have walked into boardrooms trying to explain the return on investment (ROI) of a firewall. That's a losing game from the start because the premise is wrong.
- Investment: You put a dollar in, you get two dollars out.
- Security: You put a dollar in, and nothing happens.
Security isn't an investment. It's rent.
The Price of Digital Living
We live in a digital miracle. Y'all can video call Tokyo from a pocket computer. You can move millions of dollars with a single click. But the price of this miracle is that everything is vulnerable. Connecting everything means everything can attack everything.
Security is just the rent we pay to live in this digital space. If you stop paying your rent, you don't save money. You get evicted. In this world, eviction looks like ransomware, SEC investigations, or the CrowdStrike crash.
When the Rent Check Bounces (CrowdStrike)
In July 2024, the world saw what happens when the digital foundation cracks. CrowdStrike pushed a bad update. It wasn't some complex nation-state attack. It was a QA failure. 8.5 million Windows devices blue-screened. Airlines grounded flights. Hospitals cancelled surgeries. In weeks, CrowdStrikeβs market cap bled billions.
This wasn't just a glitch. It was a reminder that in the modern enterprise, the CISO isn't a digital janitor. They're the custodian of shareholder value. The market didn't punish CrowdStrike for getting hacked. It punished them for being unreliable.
Quantifying the Invisible
The problem is that "rent" is a philosophy, but CFOs only speak math. This is where the FAIR Model (Factor Analysis of Information Risk) helps. It stops us from saying "ransomware is scary" and forces us to translate: "We expect a loss event every two years. That event will cost us $8M in forensics, fines, and downtime. That means our annualized loss expectancy is $4M."
Suddenly, spending $500k to cut that risk down to $50k isn't a tax. It's a massive return. But the math is secondary to the real point. In the B2B SaaS economy, trust is the only currency that matters. Your code can be copied. Your pricing can be undercut. But if you lose your customers' data, you broke the promise. You don't pay for security to make money. You pay so you're allowed to keep playing the game.