The most important skill for a cyber transformation program manager isn’t mastery of AI, LLMs or Zero Trust architecture. Instead, it’s the ability to deeply understand your organization’s cyber posture—its evolution, its gaps—and convince executives and the board to fund impactful change. Doing so will not only strengthen your organization’s cyber resilience but also accelerate your leadership journey.
Over the past two decades, I’ve built dozens of digital and cyber transformation business cases for some of the world’s largest companies. Along the way, I’ve seen what works—and what falls flat. Below are practical strategies that can help you earn critical executive support and turn ideas into funded action.
Why Cyber Business Cases Fail
Before diving into the how, let’s examine three common reasons cyber business cases are rejected:
- They fail to answer, “So what?” Many cyber teams overwhelm leadership with decks full of threat trends, technical risks and the need for proactive defenses—but neglect to translate these into compelling business impact.
- They ignore internal competition for funds. Executive committees weigh your cyber investment against a flood of other high-priority proposals—AI deployments, regulatory compliance, new market expansion. Without positioning cyber as a business enabler, your case won’t stand out.
- They lack strategic storytelling. Cyber leaders often skip over the emotional and operational pain their initiatives can solve—stories that boards can relate to and that drive decisions.
If your instincts tell you smarter cybersecurity investments are critical, but your proposals keep falling flat, here are five strategies to turn things around.
Five Proven Tactics to Win Executive Support
1. Know Your Audience and Form Alliances Early
The first step is to research past board and executive funding decisions—especially those that were rejected. Understand which key questions are routinely asked and tailor your messaging accordingly. Anticipate concerns and objections, and position your proposal as the logical solution to a well-understood problem. If a previous business case was pushed back because it lacked viable options, make sure your paper offers three distinct options and a clear recommendation based on your subject matter expertise. For example, suppose you are submitting a proposal to mitigate bring-your-own-device (BYOD) risk. You can offer three distinct options, each with clearly quantified costs and benefits:
- Deploy company-issued mobile devices with built-in baseline cybersecurity controls.
- Roll out a lightweight mobile device management (MDM) or app-containerization deployment, enabling the organization to remotely wipe its own data when a device is lost or staff leave the company, without touching personal content.
- Block personal devices from downloading confidential company information.
Once you have laid out the options, set up meetings with key decision-makers to win their support and refine your ideas. Doing so sends a powerful message that you are not building cyber in a silo and that you are genuinely interested in their opinions; their feedback will also sharpen the proposal before it reaches the committee.
2. Emphasize Human and Process Impact
Highlight how your proposed initiative—such as a third-party cyber risk program—can break silos and enable collaboration across CISO, finance, property and resilience teams. Many failed transformations stem not from flawed technology, but from poor adoption. Clearly demonstrate how your proposed initiative can not only reduce risk, but also improve the staff digital experience. Consider the following examples:
Single Sign-On (SSO):
By enabling employees to access multiple systems with one secure login, SSO reduces password sprawl and reuse while streamlining the user experience, cutting login friction and IT support requests. Because it concentrates access on the identity provider, pair it with MFA on that provider so that one stolen password does not become a key to every application.
Automated Supply Chain Reviews:
Automating third-party security assessments enhances threat visibility and regulatory compliance while freeing staff from repetitive, manual checks—allowing them to focus on higher-value, strategic work.
3. Translate Risk into Financial and Compliance Value
Many cyber leaders shy away from financial quantification—but this is where credibility is earned. Start by:
- Map manual pain points. Talk to the frontline people performing manual work—for example, third-party risk checks, cyber maturity assessments and incident follow-ups. Capture their time and effort, and tell three vivid anecdotes that humanize the inefficiencies.
- Quantify efficiency gains. Show reduced effort and faster detection and remediation of supply chain threats, backed with real numbers.
- Link to regulatory alignment. Compliance is now a revenue enabler. Recent mandates—such as Saudi ECC-2, SAMA 4.2.3, DORA in the EU and the MAS outsourcing rules—demand that businesses secure their supply chains. Make the case that cyber investments protect future revenue by keeping the organization eligible for contracts with governments and critical infrastructure sectors.
4. Show the Journey, Not Just the Destination
Your program won’t deliver all its benefits in the first quarter. Communicate milestones clearly and celebrate small wins across CISO, finance, property and resilience teams. Sustaining excitement and engagement is crucial. Change marketing isn’t optional—it’s a strategic enabler. Here is an illustrative before-and-after view of a 12-month cyber transformation program focused on delivering Mobile Device Management (MDM), Supply Chain Assurance, Red Teaming and Multi-Factor Authentication (MFA) on internet-facing systems:
Capability Area | Before Transformation | After 12 Months |
---|---|---|
Mobile Device Management (MDM) | Employees access crown jewels from unmanaged personal devices, posing a high risk of data loss and malware. | All corporate and BYO mobile devices are centrally managed, encrypted and protected, reducing data loss risk and improving compliance with employment and privacy regulations. The organization can remotely wipe its containerized data without touching personal content, reducing compliance-related risk. |
Supply Chain Assurance | Third-party risk assessments are spreadsheet-based, inconsistent and reactive. High-risk vendors are often engaged with minimal vetting, exposing the organization to serious operational and regulatory risk. | Automated third-party security reviews provide continuous monitoring and faster onboarding. Supplier onboarding complies with the organization’s cyber risk appetite. Automation frees staff to focus on value-adding projects and helps the business enter highly regulated markets. |
Red Teaming / Simulated Attacks | The perimeter security posture is untested, and management does not make risk-informed decisions when deploying cyber investments. | Independent red team exercises expose real-world vulnerabilities, enabling focused, measurable remediation before threat actors reach the crown jewels. Leadership makes evidence-based risk mitigation decisions. |
Multi-Factor Authentication (MFA) | Many internet-facing systems rely on password-only authentication, exposing critical services to unauthorized access through credential theft. | MFA is enforced on all internet-facing systems, and single sign-on ties dozens of SaaS applications to Active Directory, reducing user friction, lowering operational costs and boosting security. |
Equally important is nailing your key message—the one piece of information you want to leave the committee with, or the thing you would say if your slot were substantially cut down. Amy Gallo agrees, “Focus on one or two main points and avoid getting hung up on trying to prove how much you know.” Be judicious in how much data and analysis you present. Overly detailed presentations distract your audience and can leave them feeling they have lost the thread.
5. Leverage Private Conversations
Engage board members or their chiefs of staff 1:1 before formal meetings. These informal touchpoints yield insight and build trust. I usually prepare three formats:
- A tight elevator pitch (3–5 punchy sentences).
- A visual one-pager for quick decision-makers.
- A detailed board pack for formal review.
Let me illustrate with an example elevator pitch for a new cyber risk quantification initiative: “Cybersecurity budgets are rising, yet 15% of Middle Eastern organizations report breaches costing over $100K—13% even exceed $1M. Our new cyber quantification program “QuantDefy” leverages advanced cyber risk quantification methods like FAIR and Monte Carlo simulations to optimize security spending, cutting costs by up to 20% while enhancing overall cyber resilience. As security tool deployments have surged by 30% in three years—escalating complexity and operational expenses—we will streamline risk assessment and toolsets to fortify defence against cyber threats.”
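To make the “FAIR and Monte Carlo simulations” in that pitch concrete, here is an added example that is not part of the original article and not the author’s QuantDefy program: a FAIR-style Monte Carlo in Python that turns min / most-likely / max estimates of loss event frequency and loss magnitude into an annualised loss exposure (ALE), then nets the ALE reduction a control delivers against the control’s running cost. The credential-theft scenario, its frequencies and magnitudes, and the $180K annual MFA cost are all constructed assumptions.

```python
"""FAIR-style Monte Carlo estimate of annualised loss exposure (ALE).

Added example for the cyber risk quantification pitch above. It is not the
author's QuantDefy program, nor a reference implementation of the FAIR
standard; every parameter below is a constructed assumption used to show
the shape of the calculation.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Calibrated inputs for one loss scenario, as min / most likely / max.
    FAIR decomposes risk into Loss Event Frequency (events per year) and
    Loss Magnitude (cost per event); both ranges here are assumed."""
    name: str
    lef_min: float
    lef_mode: float
    lef_max: float
    lm_min: float
    lm_mode: float
    lm_max: float


def pert_sample(rng, low, mode, high, lamb=4.0):
    """Draw from a modified PERT distribution (a Beta rescaled to [low, high]).
    Expert estimates arrive as min / most likely / max; PERT turns that
    triple into a smooth curve weighted towards the most likely value."""
    if high <= low:
        return low
    alpha = 1.0 + lamb * (mode - low) / (high - low)
    beta = 1.0 + lamb * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, rate):
    """Number of loss events in one year at an expected rate (Knuth's method)."""
    if rate <= 0:
        return 0
    threshold, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(sc, iterations=10_000, seed=7):
    """Simulate `iterations` years; each year draws a frequency, a Poisson
    event count at that frequency, and an independent magnitude per event."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(iterations):
        rate = pert_sample(rng, sc.lef_min, sc.lef_mode, sc.lef_max)
        events = poisson_sample(rng, rate)
        losses.append(sum(pert_sample(rng, sc.lm_min, sc.lm_mode, sc.lm_max)
                          for _ in range(events)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile for q in [0, 1]."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))]


def summarise(losses, big_loss=1_000_000):
    """ALE (mean), median, 95th percentile and the chance of a year costing
    more than `big_loss`: the numbers a board pack should carry."""
    return {
        "ale": statistics.fmean(losses),
        "median": statistics.median(losses),
        "p95": percentile(losses, 0.95),
        "p_exceed_big_loss": sum(l > big_loss for l in losses) / len(losses),
    }


def control_business_case(before, after, annual_control_cost):
    """Compare ALE with and without a control and net off its running cost.
    A positive net benefit is the 'so what' for the funding committee."""
    reduction = (summarise(simulate_annual_losses(before))["ale"]
                 - summarise(simulate_annual_losses(after))["ale"])
    return {
        "ale_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
        "return_on_control": (reduction - annual_control_cost) / annual_control_cost,
    }


# Constructed scenario: credential theft against internet-facing systems,
# before and after enforcing MFA. Frequencies and magnitudes are assumed.
PASSWORD_ONLY = Scenario("Credential theft, password-only", 0.5, 2.0, 6.0,
                         20_000, 150_000, 1_200_000)
WITH_MFA = Scenario("Credential theft, MFA enforced", 0.05, 0.3, 1.5,
                    20_000, 150_000, 1_200_000)
MFA_ANNUAL_COST = 180_000  # assumed licence plus support cost


if __name__ == "__main__":
    for sc in (PASSWORD_ONLY, WITH_MFA):
        s = summarise(simulate_annual_losses(sc))
        print(f"{sc.name}: ALE ${s['ale']:,.0f}, p95 ${s['p95']:,.0f}, "
              f"P(>$1M) {s['p_exceed_big_loss']:.1%}")
    print(control_business_case(PASSWORD_ONLY, WITH_MFA, MFA_ANNUAL_COST))
```

Two practitioner notes. First, the output is only as good as the calibration: the min / most-likely / max triples must come from incident history, red team findings and the people who handle the loss events, not from the person writing the pitch. Second, present the range (median, 95th percentile, probability of a year over $1M) rather than a single ALE figure; a board that sees only the mean will anchor on it, and the tail is what justifies the control.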
Final Thoughts
The ability to successfully pitch and fund your cyber transformation case is now a core leadership competency. And often, all you get is one chance in front of the executive committee, or whatever group approves strategic business cases. Given the stakes are that high, the ability to communicate with persuasion and impact has become a must-have skill for cyber transformation managers.
About the author: Caroline Petroque-Gomer is the Fusion Programme Manager at Standard Chartered, driving high-impact security programs and building effective cybersecurity frameworks that align with business objectives. With over 20 years in financial services digital transformation and assurance across Europe, the Middle East, North Africa and Asia, she has designed and implemented advanced software and processes for cybersecurity and financial risk management (including market, credit and treasury risk), working with leading software vendors and financial institutions including Thomson Reuters, Fermat, Standard Chartered, Barclays and Royal Bank of Scotland.
Caroline holds Master's degrees in Civil Engineering and International Business from France and is certified in CRISC (ISACA) and as a Six Sigma Lean Black Belt.