
Ever wonder why your security pitch fails, even when you know the risks? You talk about security, but the board wants to hear about business value. Today, security is more than just stopping threats. Leaders want proof that security protects growth, builds trust, and keeps the business running. You see technology failures as technical issues, but executives see them as risks to revenue and reputation. Take a moment: have you ever felt your security message just didn’t connect?

Key Takeaways

  • Align your security pitch with business goals to show its value.
  • Use simple language and avoid technical jargon to keep executives engaged.
  • Connect security risks to financial impacts to capture attention.
  • Present clear, actionable outcomes to demonstrate how security supports growth.
  • Share real-world examples to make your message relatable and memorable.
  • Focus on how security enables quick decision-making and business continuity.
  • Regularly assess and update your security policies to keep them effective.
  • Gather feedback after pitches to improve and refine your approach.

Why Security Pitches Fail

You might wonder why your security pitch fails, even when you know the risks inside out. The truth is, friction often builds up between security teams and executives. This friction comes from different priorities, unclear messages, and a lack of business focus. M365.fm’s Strategic Security approach shows that you need to move past old habits and connect security to real business outcomes.

Unclear Value

No Business Alignment

You can talk about firewalls and tools all day, but if you don’t link security to business goals, your pitch will fall flat. Executives want to know how security protects revenue, supports growth, and keeps the company running. If you focus only on technical details, you create internal friction. This friction makes it hard for leaders to see the value of your ideas. When you align security with business objectives, you reduce friction and show that security is a driver, not a blocker.

Overly Technical Language

Have you ever watched eyes glaze over during your pitch? That’s a sign of too much technical jargon. When you use complex terms, you add friction to the conversation. Executives want clarity, not confusion. They care about outcomes, not acronyms. If your message lacks clarity, it gets dismissed. You need to translate cybersecurity risks into business risks. This shift helps you build a security culture that everyone understands.

Tip: Use simple language and real-world examples to cut through friction and make your message stick.

Ignoring Executive Concerns

Risk vs. Revenue

Executives think about risk in terms of dollars and reputation. If your security pitch fails to connect risk to revenue, you lose their attention. They want to know how a breach could impact the bottom line. If you ignore this, you create more friction. Show how security practices protect revenue and enable safe growth. This approach helps you build trust and reduce internal friction.

Decision Latency

Slow decisions can cost the business. If your pitch adds friction to the decision-making process, executives will tune out. They want fast, clear answers. M365.fm’s Strategic Security model focuses on reducing friction by giving leaders the information they need to act quickly. When you help them move faster, you show that security is a business enabler.

Process Gaps

Outdated Tools

If you rely on outdated tools, you create friction in security operations. Old systems slow down detection and response. This friction can lead to missed vulnerabilities and delayed incident response. Executives see this as a risk to business continuity. You need to show how modern tools and unified frameworks reduce friction and keep the business safe.

Human Error

People make mistakes. Without proper security awareness training, human error becomes a major source of friction. One wrong click can lead to a breach. You need to build a culture of security that values ongoing training and clear policies. This approach helps you spot real risks before they become big problems.

Here’s a quick look at why security pitches fail in many organizations:

  1. Failing to understand what matters to executives creates friction.
  2. Not aligning your pitch with business strategy adds internal friction.
  3. Using unclear or technical language increases friction and confusion.
  4. Ignoring the company’s current direction leads to outdated pitches.
  5. Poor timing or lack of clarity causes missed opportunities.

When you address these sources of friction, you build a stronger security culture. You move from just talking about cybersecurity to showing how it drives business success. If you want your security message to stop failing, focus on clarity, culture, and real risks. That’s how you turn friction into momentum.

Fixing Your Security Pitch

Speak Business Language

You want your message to stick with executives. Start by speaking their language. Don’t just talk about firewalls or malware. Show how security impacts the business. Use stories and simple comparisons. For example, compare a data breach to a store losing its cash register. That makes the risk real.

Show ROI

Executives care about numbers. They want to know how security protects money and reputation. You can present the current risk profile and explain the financial risks of cyber threats. When you link security projects to real dollars—like avoiding fines or lost sales—you help leaders make smart choices. Regulators now hold executives responsible for understanding the financial side of security investments. If you show how your plan saves money or prevents loss, you make a stronger case for funding.

  • Communicate the financial benefits of security investments.
  • Show how your plan supports the company’s financial health.
  • Use charts or simple visuals to highlight the impact.

Tip: When you show the return on investment, you help executives see security as a smart business move.

Focus on Outcomes

Don’t get lost in technical details. Focus on what matters to the business. Explain how your plan keeps the company running, protects customers, and supports growth. Use real numbers when you can. For example, talk about how your plan reduces the chance of a costly outage or keeps the company out of the news.

  • Focus on business impact, not just technology.
  • Use real-world examples to make your point.
  • Translate risks into business terms, like lost revenue or damaged reputation.

Address Risk Velocity

You need to talk about how fast risks can spread. This is called risk velocity. If a threat moves quickly, you must act fast to contain it. Show leaders how your plan helps the company react before things get out of hand.

Contain Threats Fast

Some attacks move in minutes. If you wait too long, the damage grows. Share stories that show the difference speed makes. For example, one agency lost data because they had no time to react. Another group stopped an attack early by using backups. These stories show why quick action matters.

  • Use breach reports to show how fast threats can hit.
  • Review fines and losses from slow responses.
  • Present loss ranges to show how bad things can get.

Enable Continuity

Business leaders want to know the company can keep running, even during an attack. Show how your plan supports business continuity. Use numbers to explain how your plan limits downtime and protects revenue. You can use industry methods like FAIR to tie risks to financial outcomes. When you show how your plan keeps the business moving, you build trust.

  • Assess the likelihood and impact of risks.
  • Use financial metrics to explain your plan.
  • Highlight how your plan supports safe growth.

Engage Executives

You need executive support to succeed. Make your pitch relevant to their goals. Map your security plan to the company’s strategy. Use real-world scenarios to make your case.

Map Security to Strategy

Show how your plan reduces complexity and protects valuable data. Use a simple table to connect your plan to business goals:

Initiative | Status | Progress Indicator
Reduce complexity of IT and data | Ongoing | Automation coverage, %
Decrease complexities of data and IT | Planned | Data security complexity index

Explain that high complexity increases risk. Limiting access to important data lowers the chance of a breach. When you connect your plan to business strategy, you show that security is not just a cost—it’s a driver for success.

Use Real-World Scenarios

Executives remember stories. Share examples of companies that faced attacks and how they responded. Use analogies that make sense to them. For example, compare a strong security plan to having a good insurance policy. It’s there when you need it most. When you use real-world scenarios, you make your message clear and memorable.

Note: Present data visually when possible. Charts and infographics help executives see the risks and benefits quickly.

By speaking the language of business, focusing on outcomes, addressing risk velocity, and engaging executives with real stories, you turn your security pitch into a powerful tool for change.

Cybersecurity Strategy Matters

You might think buying the latest tools will keep your business safe. The truth is, a strong cybersecurity strategy goes way beyond just picking new software. You need a plan that connects people, processes, and technology. Let’s break down what really matters.

Beyond Tools

Integrate Identity & Access

You want to make sure only the right people get into your systems. That’s where identity and access management (IAM) comes in. When you integrate IAM, you do more than just set passwords. You create a system that matches your business needs and keeps your data safe.

  • You align your security with business goals, which makes your company stronger.
  • IAM helps your business stay flexible, even when your IT setup gets complicated.
  • You cut down on insider threats and mistakes by giving people only the access they need.
  • Onboarding and audits get easier, so you save time and avoid headaches.
  • If a breach happens, IAM can limit the damage.

You build trust when you show that you control who can see what.

Unified Framework

A patchwork of tools can leave gaps. You need a unified framework that brings everything together. This means your policies, controls, and monitoring all work as one. When you use a single framework, you see the big picture and react faster to problems.

Here’s a quick look at why a full strategy beats just buying tools:

Evidence Type | Statistic/Impact
Financial Impact | Cybercrime cost the German economy about €148 billion in 2024.
Rising Cybersecurity Threats | Threats like DDoS attacks and malware keep rising every year.
Recorded Cyberattacks | About 10,000 cyberattacks hit the EU in 2023–24, covering many types.

A unified approach helps you stay ahead of these growing risks.

Proactive Measures

Regular Audits

You can’t fix what you don’t see. Regular audits help you spot weak spots before attackers do. When you check your systems often, you catch problems early and keep your defenses strong. Audits also show leaders that you take protection seriously.

Advanced Solutions

Don’t wait for trouble to find you. Take action before threats appear. You can train new employees on data protection from day one. This helps everyone understand the rules and lowers the chance of mistakes. You can also use a layered approach—think of it as having several locks on your doors. If one fails, others still protect your business.

You create a culture where everyone plays a part in keeping the company safe.

Security Policies in Action

You know that security policies are more than just documents—they shape how your company protects data and keeps business running smoothly. Let’s look at how you can turn policies into real action.

Policy Implementation

You can’t just write policies and hope for the best. You need a plan to make them work. Here’s how you can roll out successful security policies step by step:

  1. Assess security risks in your environment.
  2. Define clear security objectives for your team.
  3. Draft policy guidelines that fit your business needs.
  4. Get stakeholder approval so everyone is on board.
  5. Put security measures in place to protect sensitive data.
  6. Train employees so they understand the policies.
  7. Monitor and update policies regularly.

When you follow these steps, you build formal security policies that actually protect your company.

Active Enforcement

You need to enforce policies every day. If you don’t, gaps appear and sensitive data slips through. Active enforcement brings big benefits:

Benefit | Description
Enhanced Data Protection | Safeguards sensitive data against unauthorized access, leaks, and breaches.
Regulatory Compliance | Helps avoid legal penalties and reputational damage by following industry standards.
Risk Reduction | Minimizes vulnerabilities and reduces the risk of cyber threats, fraud, and data loss.
Improved Incident Response | Streamlines response to security incidents, reducing downtime and financial losses.
Increased Employee Awareness | Regular training helps employees recognize and prevent potential threats.
Business Continuity | Protects critical assets and establishes contingency plans for business resilience.

You see how formal security policies make a difference when you enforce them consistently.

Avoid Misconfigurations

Misconfigurations can turn strong policies into weak spots. You need to check settings and review access controls often. If you skip this step, you risk exposing sensitive data. Make sure your information security policies cover regular audits and clear procedures. When you avoid misconfigurations, you keep your data safe and your policies strong.

Governance and Visibility

You want to know what’s happening across your systems. Good governance gives you oversight and helps you spot risks early.

Lifecycle Management

Policies should cover the entire lifecycle of data—from creation to deletion. You need to track who accesses data, how it moves, and where it’s stored. When you manage data well, you reduce the risk of leaks and keep sensitive data under control. Strong lifecycle management makes your security policies more effective.

Continuous Improvement

You can’t set policies and forget them. Continuous improvement keeps your security policies sharp. Here’s what happens when you focus on improving:

  1. Reduced risk of data breaches—proactive measures protect sensitive data and keep staff alert.
  2. Improved operational resilience—fewer disruptions mean more savings and steady business.
  3. Enhanced customer trust—showing you care about data privacy builds confidence.
  4. Cost optimization—efficient controls cut costs from breaches and incidents.
  5. Competitive advantage—a strong security posture helps your business stand out.

Tip: Review your policies often and update them as threats change. You’ll keep your company safe and ready for anything.

You see that successful security policies need active enforcement, smart governance, and a focus on continuous improvement. When you treat policies as living tools, you protect data, support business goals, and build trust with customers.

Real-World Pitch Scenarios

You learn best from real stories. Let’s look at what happens when security pitches miss the mark—and what changes when you get it right.

Common Failures

What Went Wrong

Picture this: You walk into a meeting, ready to pitch a new security tool. You talk about features and technology. The executives nod, but you notice their eyes drift. After your pitch, they ask, “Can you actually deliver this?” You realize you missed their main concern. This happens more often than you think.

One famous example comes from a group of students pitching an autonomous robot for defense. They focused on the robot’s cool features. The audience only wanted to know if the team could build it. The pitch failed because it didn’t answer the real question. You see, understanding what your audience cares about is key.

Lessons Learned

You can learn a lot from these mistakes. First, always listen to your audience. If you don’t answer their main questions, your pitch will fall flat. Second, show value early. Duo Security found success by letting customers try their product for free. This freemium model helped people see the value right away. Tracking those early users and making sure they succeeded turned leads into sales.

So, what’s the lesson? You need a clear strategy. Show value fast. Make sure you answer the questions that matter most to your audience.

Success Stories

Strategic Security in Practice

Now, let’s flip the script. Imagine you use M365.fm’s Strategic Security approach. You start your pitch by talking about business outcomes, not just tools. You show how your plan protects revenue and keeps the company running. You use real-world examples and simple charts. Executives see the connection between security and business goals.

Here’s what sets successful pitches apart:

Characteristic | Description
Deliver the bottom line up front | State the problem, why it matters, and how your plan solves it.
Use relatable use cases | Share stories that match your company’s needs.
Show traction | Give stats or examples of adoption and results.
Build trust | Mention awards, media, or customer references.
Map to the tech stack | Explain where your solution fits and how it works.
Help leaders sell internally | Show how your plan fits the budget and how you’ll measure success.

Executive Buy-In

When you speak the language of business, you get executive support. Dawn Cappelli, a leader in cybersecurity, shared that when executives see gaps in their protection, the conversation shifts. It’s no longer about budget. It’s about business risk. This shift leads to more support for security projects.

When you have executive buy-in, you build a culture of learning and improvement. Leaders encourage teams to stay sharp and protect the company’s assets. You create a team that cares about security and works together to keep the business safe.

You can turn your pitch around. Focus on what matters to your audience. Show value early. Connect security to business goals. That’s how you win support and drive real change.

Action Steps for Success

You want your next security pitch to land with impact. Here’s how you can make that happen, step by step.

Quick Checklist

A quick checklist helps you prepare and stay focused. Use it before every pitch to boost your confidence and clarity.

Self-Assessment

Ask yourself these questions before you start:

  1. Do you know your audience? Tailor your message to their concerns.
  2. Can you explain your idea with confidence? Practice your delivery and back it up with data.
  3. Are you ready for questions? Treat them as chances to improve your pitch and build trust.

You should also define your objective and audience. Decide what decision you want and who needs to approve it. Choose a proven framework for your presentation. You might use a ten-slide approach or a style that fits your company. Draft a clear narrative that moves from problem to solution, then to impact and milestones. Include credible data and make your slides easy to read. Consistent branding helps your message stick.

Implementation Tips

Smooth implementation starts with a plan. Break your pitch into small steps. Focus on what matters most to your audience. Use simple charts and visuals to show your point. Make sure your data is accurate and easy to understand. Practice your pitch with a colleague before the real meeting. Listen to feedback and adjust your approach. Good implementation means you stay flexible and ready for anything.

Tip: Treat every pitch as a chance to learn. Each implementation teaches you something new about your audience and your message.

Measure & Iterate

You can’t improve what you don’t measure. Track your results and keep refining your approach.

Gather Feedback

Ask for feedback after your pitch. This shows you care about your audience’s opinion. It also helps you build trust and stronger relationships. When you gather feedback, you learn what worked and what didn’t. You also show that you see security as a team effort. Invite executives and stakeholders to share their thoughts. Their advice can help you tailor your next pitch for even better results.

Refine Your Pitch

Use metrics to see how your pitch performs over time. Track how fast you detect and contain threats. Watch your visibility over critical assets. Check your team’s phishing resilience score. Run tabletop exercises to test your response. These numbers show where your implementation works and where you need to improve. Update your pitch based on what you learn. Small changes can make a big difference.

Remember: The best pitches grow stronger with every implementation and every round of feedback. Stay curious, keep measuring, and never stop improving.


You’ve seen why security pitches often miss the mark—unclear value, technical jargon, and ignoring executive concerns. When you align security with business goals, you build trust and get stronger support from leadership. This approach helps you secure funding and boost your company’s reputation. Use the checklist, focus on outcomes, and keep your message clear. Now’s the time to rethink your next security pitch and turn it into a real business driver.


1
00:00:00,000 --> 00:00:04,500
Most security pitches fail before the second slide because they still sell alerts, coverage,

2
00:00:04,500 --> 00:00:09,120
dashboards and tool stacks while the people holding the budget are thinking about risk,

3
00:00:09,120 --> 00:00:13,040
growth, and how much uncertainty the business can carry without slowing down.

4
00:00:13,040 --> 00:00:14,040
That's where it breaks.

5
00:00:14,040 --> 00:00:15,080
Boards don't fund tooling.

6
00:00:15,080 --> 00:00:19,200
They fund exposure inside a growth target and in 2026 that gap gets wider.

7
00:00:19,200 --> 00:00:23,960
Executive stress is up, but many leaders now see inaction as the bigger risk, not change.

8
00:00:23,960 --> 00:00:27,560
So if you keep pitching managed security like outsourced monitoring, you'll get pushed

9
00:00:27,560 --> 00:00:32,040
into overhead, priced like a commodity and questioned every budget cycle.

10
00:00:32,040 --> 00:00:36,080
What I want to do here is reframe it, not as protection spend, as a business asset tied

11
00:00:36,080 --> 00:00:40,520
to ROSI, faster decisions, protected revenue and even valuation logic.

12
00:00:40,520 --> 00:00:42,560
The commodity trap and the old model.

13
00:00:42,560 --> 00:00:46,320
Most providers still use the old model because it's easy to package and easy to sell.

14
00:00:46,320 --> 00:00:51,320
Per user, per device, per ticket, a list of tools, a list of SLAs, maybe a response promise,

15
00:00:51,320 --> 00:00:55,560
maybe a monthly report full of incidents closed, alerts triaged and policy checks completed.

16
00:00:55,560 --> 00:01:00,160
It sounds measurable, but it creates the wrong conversation because all of that points to activity,

17
00:01:00,160 --> 00:01:04,680
while executives are judging exposure, continuity and where they can place capital without taking

18
00:01:04,680 --> 00:01:05,680
on blind risk.

19
00:01:05,680 --> 00:01:07,640
So what typically happens is this.

20
00:01:07,640 --> 00:01:11,280
The security team reports motion, but the board still can't see business effect.

21
00:01:11,280 --> 00:01:16,520
They hear about blocked sign-ins, risky users, malware events and open recommendations, and

22
00:01:16,520 --> 00:01:18,800
none of that tells them what they really need to know.

23
00:01:18,800 --> 00:01:19,800
Can we move faster?

24
00:01:19,800 --> 00:01:22,640
Are we reducing the chance of an expensive disruption?

25
00:01:22,640 --> 00:01:26,760
Can we absorb a hit and recover without damaging revenue, trust or strategic initiative already

26
00:01:26,760 --> 00:01:27,760
in flight?

27
00:01:27,760 --> 00:01:30,760
That's why security gets pushed into the same mental bucket as overhead.

28
00:01:30,760 --> 00:01:34,480
Not because leaders don't care, because the model behind the pitch doesn't connect security

29
00:01:34,480 --> 00:01:36,080
to operating outcomes.

30
00:01:36,080 --> 00:01:41,000
If the offer doesn't link to uptime, incident cost, decision speed or capital protection,

31
00:01:41,000 --> 00:01:42,680
finance treats it like maintenance.

32
00:01:42,680 --> 00:01:43,680
Useful?

33
00:01:43,680 --> 00:01:44,680
Yes.

34
00:01:44,680 --> 00:01:45,680
Strategic?

35
00:01:45,680 --> 00:01:46,680
No.

36
00:01:46,680 --> 00:01:47,160
You can see this clearly in Microsoft environments.

37
00:01:47,160 --> 00:01:51,600
In most organizations, Microsoft 365, Azure and Power Platform all exist, but they're

38
00:01:51,600 --> 00:01:53,160
governed in pieces.

39
00:01:53,160 --> 00:01:54,920
Identity lives in one conversation.

40
00:01:54,920 --> 00:01:55,920
Devices in another.

41
00:01:55,920 --> 00:01:57,640
Data protection somewhere else.

42
00:01:57,640 --> 00:01:59,720
Power Platform often grows in the gaps.

43
00:01:59,720 --> 00:02:01,120
Guests stay too long.

44
00:02:01,120 --> 00:02:02,680
Service accounts lose ownership.

45
00:02:02,680 --> 00:02:04,360
Access reviews happen late or not at all.

46
00:02:04,360 --> 00:02:07,920
Then the service provider shows up and manages the noise around that fragmentation instead

47
00:02:07,920 --> 00:02:09,960
of fixing the operating model causing it.

48
00:02:09,960 --> 00:02:10,960
That's commodity IT.

49
00:02:10,960 --> 00:02:11,960
It manages tools.

50
00:02:11,960 --> 00:02:13,160
It reacts to symptoms.

51
00:02:13,160 --> 00:02:14,400
It reports tickets.

52
00:02:14,400 --> 00:02:17,880
And when something goes wrong, it works hard, but from a broken structure.

53
00:02:17,880 --> 00:02:19,200
Strategic security is different.

54
00:02:19,200 --> 00:02:23,040
It starts with the control plane, especially identity because identity decides who gets

55
00:02:23,040 --> 00:02:27,440
access when, under what conditions and with what risk signal attached.

56
00:02:27,440 --> 00:02:28,880
Once you see that, the whole offer changes.

57
00:02:28,880 --> 00:02:30,680
You're not selling "we watch Microsoft."

58
00:02:30,680 --> 00:02:33,580
You're selling control over how risk moves through the business.

59
00:02:33,580 --> 00:02:35,960
And the market is already forcing this shift.

60
00:02:35,960 --> 00:02:40,120
Traditional managed services growth is slowing, while cybersecurity is still growing faster,

61
00:02:40,120 --> 00:02:42,760
at 14.4% in 2026.

62
00:02:42,760 --> 00:02:46,520
At the same time, automation is taking more repetitive work out of the system.

63
00:02:46,520 --> 00:02:51,160
It should improve margins, but if your price still depends on seat count or alert volume,

64
00:02:51,160 --> 00:02:54,560
automation can make your service look less valuable, not more.

65
00:02:54,560 --> 00:02:58,640
Because the client starts asking why they should pay the same for fewer human touches.

66
00:02:58,640 --> 00:02:59,640
That's the trap.

67
00:02:59,640 --> 00:03:02,800
The better you get operationally, the weaker your pricing story becomes.

68
00:03:02,800 --> 00:03:05,600
Unless the value is tied to business outcomes instead of labor.

69
00:03:05,600 --> 00:03:09,480
So once this old model stops holding up and it is stopping now, the buyer needs a different

70
00:03:09,480 --> 00:03:10,800
frame.

71
00:03:10,800 --> 00:03:13,360
Reframing security as business risk velocity control.

72
00:03:13,360 --> 00:03:15,200
So what's the replacement for that old model?

73
00:03:15,200 --> 00:03:20,000
Once this, security is control over business risk velocity, not just risk, risk velocity,

74
00:03:20,000 --> 00:03:24,000
how fast a bad event can spread, how long it stays unclear, and how much business drag

75
00:03:24,000 --> 00:03:27,200
it creates before leadership can act with confidence.

76
00:03:27,200 --> 00:03:29,480
That's the shift.

77
00:03:29,480 --> 00:03:33,240
When security works at a strategic level, the business moves faster with fewer expensive

78
00:03:33,240 --> 00:03:34,240
surprises.

79
00:03:34,240 --> 00:03:36,200
New projects don't stall as long.

80
00:03:36,200 --> 00:03:38,920
External collaboration doesn't feel like an uncontrolled exception.

81
00:03:38,920 --> 00:03:41,560
AI use doesn't turn into a policy panic.

82
00:03:41,560 --> 00:03:44,440
Change can happen because the business knows where the boundaries are and how quickly

83
00:03:44,440 --> 00:03:48,040
it can detect, contain, and recover if something starts to break.

84
00:03:48,040 --> 00:03:50,000
That language fits how executives already think.

85
00:03:50,000 --> 00:03:51,360
They talk about risk appetite.

86
00:03:51,360 --> 00:03:52,800
They talk about capital deployment.

87
00:03:52,800 --> 00:03:56,760
They talk about continuity, recovery capacity, and protected revenue.

88
00:03:56,760 --> 00:03:59,440
They don't need another security team explaining telemetry.

89
00:03:59,440 --> 00:04:03,080
They need to know how much uncertainty they're carrying, whether that exposure sits inside

90
00:04:03,080 --> 00:04:06,880
the company's tolerance, and what happens to growth plans if the wrong event lands

91
00:04:06,880 --> 00:04:07,880
at the wrong time.

92
00:04:07,880 --> 00:04:12,440
And one level deeper cyber now sits inside a wider board conversation, not hygiene, business

93
00:04:12,440 --> 00:04:13,440
risk.

94
00:04:13,440 --> 00:04:17,920
36 more than half of surveyed US executives still expect their companies to thrive.

95
00:04:17,920 --> 00:04:22,960
Even with supply chain, tariff, weather, and cyber pressure stacking up, while over 5500

96
00:04:22,960 --> 00:04:26,120
board and C-suite leaders viewed inaction as the biggest risk.

97
00:04:26,120 --> 00:04:31,560
That matters because it changes what security gets compared against, not perfection, momentum.

98
00:04:31,560 --> 00:04:35,800
Once leaders think that way, one metric becomes much more useful than most security teams

99
00:04:35,800 --> 00:04:38,360
realize, decision latency.

100
00:04:38,360 --> 00:04:40,960
The time between signal and confident executive action.

101
00:04:40,960 --> 00:04:45,560
That includes detection and response, yes, but it also includes how long leaders hesitate

102
00:04:45,560 --> 00:04:48,720
because the picture is messy, fragmented, or unclear.

103
00:04:48,720 --> 00:04:51,360
If that delay shrinks, the blast radius shrinks with it.

104
00:04:51,360 --> 00:04:55,640
Fewer meetings, less confusion, less expensive waiting.

105
00:04:55,640 --> 00:04:58,800
This is where identity moves from admin topic to control plane.

106
00:04:58,800 --> 00:05:03,360
Because access sits at the center of change, employees join, partners collaborate, apps

107
00:05:03,360 --> 00:05:06,920
automate, AI agents and service accounts expand quietly in the background.

108
00:05:06,920 --> 00:05:11,660
If identity lifecycle is weak, ownership is fuzzy, and access reviews lag, the business

109
00:05:11,660 --> 00:05:13,440
doesn't just carry more technical risk.

110
00:05:13,440 --> 00:05:17,160
It carries slower decisions, because nobody fully trusts what they're looking at.

111
00:05:17,160 --> 00:05:21,240
With Entra ID governance, lifecycle flows, access reviews, and conditional access working

112
00:05:21,240 --> 00:05:25,920
together, policy stops being a pile of static rules and starts acting more like a live business

113
00:05:25,920 --> 00:05:26,920
filter.

114
00:05:26,920 --> 00:05:31,040
Who should have access under which conditions, for how long, with what signal attached,

115
00:05:31,040 --> 00:05:34,800
that gives leadership something much better than raw activity, it gives them cleaner decision

116
00:05:34,800 --> 00:05:35,800
conditions.

117
00:05:35,800 --> 00:05:39,880
So the Microsoft stack starts acting like one operating system for trust.

118
00:05:39,880 --> 00:05:44,080
Defender brings incident and endpoint signals together, Purview adds data context.

119
00:05:44,080 --> 00:05:48,320
Intune contributes device posture, automation removes repeat work from the response path.

120
00:05:48,320 --> 00:05:51,920
The result isn't just more coverage, it's a tighter decision environment where signals

121
00:05:51,920 --> 00:05:55,520
line up faster and teams spend less time arguing about what's real.

122
00:05:55,520 --> 00:05:58,080
That's why strategic security supports more than defense.

123
00:05:58,080 --> 00:06:02,640
It supports safe AI rollout because data access and usage controls are clearer.

124
00:06:02,640 --> 00:06:06,880
It supports safe automation because non-human access gets governed instead of ignored.

125
00:06:06,880 --> 00:06:11,360
It supports safer external collaboration because guest access and conditional policy stop

126
00:06:11,360 --> 00:06:15,480
expanding without control and it supports change itself, which is what most boards actually

127
00:06:15,480 --> 00:06:16,480
care about.

128
00:06:16,480 --> 00:06:17,480
So the model is simple.

129
00:06:17,480 --> 00:06:19,320
Commodity IT manages tools.

130
00:06:19,320 --> 00:06:21,640
Strategic security manages business risk velocity.

131
00:06:21,640 --> 00:06:25,400
It reduces the speed and cost of uncertainty while increasing the speed and confidence

132
00:06:25,400 --> 00:06:26,400
of business movement.

133
00:06:26,400 --> 00:06:29,920
If that sounds like a board level asset, good, because that's exactly how it should

134
00:06:29,920 --> 00:06:30,920
be treated.

135
00:06:30,920 --> 00:06:34,280
Once you frame it that way, the next question comes fast.

136
00:06:34,280 --> 00:06:36,280
Show me the numbers.

137
00:06:36,280 --> 00:06:38,440
The numbers executives actually care about.

138
00:06:38,440 --> 00:06:41,160
Once you move out of tool language, the scorecard gets much simpler.

139
00:06:41,160 --> 00:06:44,200
There are really three numbers executives care about here.

140
00:06:44,200 --> 00:06:49,040
Return on security investment, reduced time to decide, and revenue at risk protected.

141
00:06:49,040 --> 00:06:51,640
Everything else matters only if it improves one of those.

142
00:06:51,640 --> 00:06:56,040
If a metric can't connect to money, speed or continuity, it stays operational.

143
00:06:56,040 --> 00:06:59,560
Useful for the team, not persuasive in the boardroom and that distinction changes the

144
00:06:59,560 --> 00:07:00,560
whole pitch.

145
00:07:00,560 --> 00:07:02,200
Start with the basic finance model.

146
00:07:02,200 --> 00:07:04,680
Risk exposure equals probability times impact.

147
00:07:04,680 --> 00:07:05,680
That's it.

148
00:07:05,680 --> 00:07:06,960
Not elegant, just usable.

149
00:07:06,960 --> 00:07:10,440
If an incident has a certain chance of happening and the business impact lands at a certain

150
00:07:10,440 --> 00:07:13,760
cost, then you already have a number the CFO understands.

151
00:07:13,760 --> 00:07:15,840
From there, ROSI becomes simple too.

152
00:07:15,840 --> 00:07:20,800
Exposure before minus exposure after minus the cost of security divided by the cost of security.

153
00:07:20,800 --> 00:07:22,120
You're not proving perfection.

154
00:07:22,120 --> 00:07:26,160
You're showing whether the spend reduces expected loss enough to justify itself.

155
00:07:26,160 --> 00:07:29,520
This clicked for a lot of leaders once breach economics got harder to ignore.

156
00:07:29,520 --> 00:07:34,480
Discussions with proactive security programs report incident costs that are 45% lower, with

157
00:07:34,480 --> 00:07:37,080
savings of about three no five million per breach.

158
00:07:37,080 --> 00:07:41,600
They also shorten breach life cycle from 277 days to 214 days.

159
00:07:41,600 --> 00:07:45,240
That matters because a long running event doesn't just increase technical cleanup.

160
00:07:45,240 --> 00:07:49,080
It drags legal review, management attention, customer communication and delayed projects

161
00:07:49,080 --> 00:07:50,080
along with it.

162
00:07:50,080 --> 00:07:54,200
Cost rises because time rises and that's where technical metrics need translation.

163
00:07:54,200 --> 00:07:56,720
MTTD and MTTR don't belong on the slide by themselves.

164
00:07:56,720 --> 00:07:58,240
You have to convert them.

165
00:07:58,240 --> 00:08:03,120
Inter detection and response mean lower loss, lower downtime and less uncertainty for leadership.

166
00:08:03,120 --> 00:08:08,360
In one executive framing example from the research, an MTT of 45 minutes can keep losses near

167
00:08:08,360 --> 00:08:13,200
50,000 dollars, while incidents that stay uncontained run past 2 million.

168
00:08:13,200 --> 00:08:17,200
Same category of threat, different response speed, very different financial outcome.

169
00:08:17,200 --> 00:08:20,960
There's also a second layer of savings that gets ignored because it looks too operational

170
00:08:20,960 --> 00:08:22,280
at first glance.

171
00:08:22,280 --> 00:08:26,880
Proactive identity management can cut help desk calls by 30% to 50%.

172
00:08:26,880 --> 00:08:30,740
Password resets alone carry real cost, and the research places each one between 70 and

173
00:08:30,740 --> 00:08:31,740
150 dollars.

174
00:08:31,740 --> 00:08:33,640
Audits finish 30% faster.

175
00:08:33,640 --> 00:08:36,720
Compliance violations drop 46%. None of that sounds dramatic on its own.

176
00:08:36,720 --> 00:08:40,580
But once you add those together across a year, identity governance stops looking like admin

177
00:08:40,580 --> 00:08:45,280
hygiene and starts looking like cost control with execution benefits attached.

178
00:08:45,280 --> 00:08:47,800
Insurance adds another angle executives already care about.

179
00:08:47,800 --> 00:08:53,120
Mature proactive programs can reduce cyber insurance premiums by 15% to 25% and that matters

180
00:08:53,120 --> 00:08:58,960
more right now because 98% of executives plan to re-evaluate business insurance in 2026.

181
00:08:58,960 --> 00:09:00,640
So the conversation changes again.

182
00:09:00,640 --> 00:09:03,800
Security isn't just a spending request, it becomes part of resilience proof.

183
00:09:03,800 --> 00:09:08,560
Can you show the insurer, the board and the buyer that your controls actually reduce exposure?

184
00:09:08,560 --> 00:09:11,880
Or are you just carrying more paperwork and hoping the market stays kind?

185
00:09:11,880 --> 00:09:15,040
The metric I'd push hardest though is reduced time to decide.

186
00:09:15,040 --> 00:09:18,320
Not just time to detect, not just time to respond, time to decide.

187
00:09:18,320 --> 00:09:21,560
Because leadership cost expands when the incident picture stays muddy.

188
00:09:21,560 --> 00:09:22,560
Approvals slow down.

189
00:09:22,560 --> 00:09:26,360
Containment choices get debated, customer messaging stalls, operations wait.

190
00:09:26,360 --> 00:09:30,840
So if your Microsoft security model produces cleaner signals, fewer false turns and faster

191
00:09:30,840 --> 00:09:35,400
confidence that has executive value even before you calculate avoided downtime.

192
00:09:35,400 --> 00:09:37,320
That's the pricing shift hidden inside the math.

193
00:09:37,320 --> 00:09:41,200
The client shouldn't be buying a pile of licenses and hoping value appears later.

194
00:09:41,200 --> 00:09:46,120
The client should be buying protected business value, lower expected loss, faster executive

195
00:09:46,120 --> 00:09:49,440
movement, and less exposed revenue when something goes wrong.

196
00:09:49,440 --> 00:09:53,160
Once those numbers sit on the table, the offer stops looking like monitoring spend and starts

197
00:09:53,160 --> 00:09:57,120
looking like a business decision, but numbers land best when they're tied to one operating

198
00:09:57,120 --> 00:09:59,920
case people can actually see.

199
00:09:59,920 --> 00:10:02,840
Scenario proof, identity sprawl to controlled continuity.

200
00:10:02,840 --> 00:10:07,240
Take one operating case because this is where the pitch either gets real or stays abstract.

201
00:10:07,240 --> 00:10:12,120
The client had grown fast across Microsoft 365, Azure, and automation use cases, and access

202
00:10:12,120 --> 00:10:13,120
grew with it.

203
00:10:13,120 --> 00:10:15,200
Not in a clean way, in an accumulated way.

204
00:10:15,200 --> 00:10:19,440
More than one 200 unmanaged identities sat across guest accounts and service accounts with

205
00:10:19,440 --> 00:10:23,760
mixed ownership, weak review cycles, and too many paths that stayed open simply because nobody

206
00:10:23,760 --> 00:10:26,040
had a reliable life cycle around them.

207
00:10:26,040 --> 00:10:27,760
The business goal wasn't unusual.

208
00:10:27,760 --> 00:10:32,640
They wanted collaboration to stay easy, automation to expand, and cloud growth to continue without

209
00:10:32,640 --> 00:10:35,360
turning every change into a security argument.

210
00:10:35,360 --> 00:10:38,120
But the structure underneath that goal couldn't support it.

211
00:10:38,120 --> 00:10:41,800
Access decisions were scattered, reviews were inconsistent, visibility was partial, so

212
00:10:41,800 --> 00:10:46,000
when risk signals appeared, teams spent too much time figuring out what they were looking at,

213
00:10:46,000 --> 00:10:50,560
who owned the access in question, and whether the issue sat inside a larger pattern.

214
00:10:50,560 --> 00:10:53,720
That's the moment this breaks, not when a dashboard turns red.

215
00:10:53,720 --> 00:10:57,840
When leadership asks a simple question and nobody can answer fast enough, are we contained?

216
00:10:57,840 --> 00:10:59,600
Do we know what this account touches?

217
00:10:59,600 --> 00:11:02,320
Can we keep business operations moving while this gets handled?

218
00:11:02,320 --> 00:11:07,680
Before the cleanup, detection sat around 72 hours and recovery often took 5 to 7 days.

219
00:11:07,680 --> 00:11:12,280
Not because people were careless, because the identity layer was too messy for fast judgment.

220
00:11:12,280 --> 00:11:14,200
So the shift started at the control plane.

221
00:11:14,200 --> 00:11:18,680
Entra ID governance came first, because they needed clear life cycle ownership, role clarity,

222
00:11:18,680 --> 00:11:20,520
and repeatable access review logic.

223
00:11:20,520 --> 00:11:24,560
Guest accounts got ownership rules, service accounts got accountability, joiner, mover, and

224
00:11:24,560 --> 00:11:27,920
leaver patterns stopped relying on memory and local workarounds.

225
00:11:27,920 --> 00:11:32,040
Access reviews moved from occasional admin work to a recurring governance process tied

226
00:11:32,040 --> 00:11:34,000
to actual business ownership.

227
00:11:34,000 --> 00:11:36,400
Conditional access changed the second part of the picture.

228
00:11:36,400 --> 00:11:39,680
Before, policy mostly behaved like a static rule set.

229
00:11:39,680 --> 00:11:43,640
After the redesign, access decisions reflected business conditions, user context, and risk

230
00:11:43,640 --> 00:11:44,640
signals.

231
00:11:44,640 --> 00:11:48,160
That matters because policy stopped being something you bolt on after the fact.

232
00:11:48,160 --> 00:11:50,840
It became part of how the business allowed work to happen.

233
00:11:50,840 --> 00:11:54,880
Users didn't just get in or get blocked, access adapted based on who they were, what device

234
00:11:54,880 --> 00:11:57,360
they used, and what the surrounding risk looked like.

235
00:11:57,360 --> 00:12:00,240
From there, the stack had to stop speaking in fragments.

236
00:12:00,240 --> 00:12:03,120
Defender, Intune, and Purview signals were brought together so the team could work

237
00:12:03,120 --> 00:12:07,600
from one risk picture instead of stitching together partial views during an active issue.

238
00:12:07,600 --> 00:12:09,800
That reduced handoff friction fast.

239
00:12:09,800 --> 00:12:14,240
Instead of arguing across tools, they could see the user, device, data, and access pattern

240
00:12:14,240 --> 00:12:16,120
in one operating context.

241
00:12:16,120 --> 00:12:20,280
Automation then took repeat response paths off the analysts' plate, especially the low-judgment

242
00:12:20,280 --> 00:12:23,480
tasks that usually create drag during containment.

243
00:12:23,480 --> 00:12:26,320
What changed after that wasn't just cleaner administration.

244
00:12:26,320 --> 00:12:29,120
The numbers moved in a way executives could actually use.

245
00:12:29,120 --> 00:12:33,840
The identity surface dropped by 40% to 60% depending on the account category.

246
00:12:33,840 --> 00:12:35,960
Detection moved from days to under two hours.

247
00:12:35,960 --> 00:12:37,800
Recovery dropped to under 24 hours.

248
00:12:37,800 --> 00:12:41,880
During a real incident, lateral movement got contained before it expanded into a wider

249
00:12:41,880 --> 00:12:43,200
business interruption.

250
00:12:43,200 --> 00:12:47,640
Based on the client's own downtime assumptions, that preserved an estimated 1.2 million to

251
00:12:47,640 --> 00:12:49,840
2 million in exposed operating value.

252
00:12:49,840 --> 00:12:53,600
And the board conversation changed with it. Before, security looked like recurring spend

253
00:12:53,600 --> 00:12:55,320
with unclear return.

254
00:12:55,320 --> 00:12:58,120
After, the language shifted toward operational resilience.

255
00:12:58,120 --> 00:13:00,040
Not because someone polished the reporting.

256
00:13:00,040 --> 00:13:03,960
Because the operating model finally produced evidence the board could connect to continuity.

257
00:13:03,960 --> 00:13:08,520
They could see that governed access, faster signal clarity, and lower response delay,

258
00:13:08,520 --> 00:13:11,280
protected the business from a much more expensive interruption.

259
00:13:11,280 --> 00:13:13,280
That's the part I'd stress in the pitch.

260
00:13:13,280 --> 00:13:15,160
Security didn't just block a bad event.

261
00:13:15,160 --> 00:13:16,520
It kept the company moving.

262
00:13:16,520 --> 00:13:20,880
It protected collaboration, cloud execution, and management confidence at the same time.

263
00:13:20,880 --> 00:13:24,120
Once you have one case like that, you stop arguing in general terms.

264
00:13:24,120 --> 00:13:28,440
And the next step is obvious. Turn that logic into a one-page model, a CFO can reuse,

265
00:13:28,440 --> 00:13:30,240
without needing a security translator.

266
00:13:30,240 --> 00:13:32,520
The one-page CFO model and decision ask.

267
00:13:32,520 --> 00:13:36,320
So how do you make this usable in a budget meeting, not just persuasive in a podcast?

268
00:13:36,320 --> 00:13:37,320
Put it on one page.

269
00:13:37,320 --> 00:13:38,320
Four inputs.

270
00:13:38,320 --> 00:13:39,320
That's enough.

271
00:13:39,320 --> 00:13:40,320
Revenue per hour.

272
00:13:40,320 --> 00:13:41,320
Incident probability.

273
00:13:41,320 --> 00:13:42,320
Response Delta.

274
00:13:42,320 --> 00:13:43,320
Control cost.

275
00:13:43,320 --> 00:13:46,320
If the model needs five tabs and a security architect to explain it, it won't survive

276
00:13:46,320 --> 00:13:47,760
contact with finance.

277
00:13:47,760 --> 00:13:52,160
The whole point is to let a CFO see the exposure, see the reduction, and decide whether the

278
00:13:52,160 --> 00:13:55,560
spend earns its place against other uses of capital.

279
00:13:55,560 --> 00:13:58,640
Start with exposure before: probability times impact. Keep it blunt.

280
00:13:58,640 --> 00:14:02,600
If a business estimates a serious identity-led incident has a given annual likelihood, and

281
00:14:02,600 --> 00:14:07,440
the likely hit includes downtime, recovery work, legal cost, customer friction, and delayed

282
00:14:07,440 --> 00:14:10,360
operations, then you already have a baseline.

283
00:14:10,360 --> 00:14:12,200
Not a perfect number, a decision number.

284
00:14:12,200 --> 00:14:13,520
That's what finance works with anyway.

285
00:14:13,520 --> 00:14:14,640
They don't wait for certainty.

286
00:14:14,640 --> 00:14:17,640
They compare likely outcomes and place bets with discipline.

287
00:14:17,640 --> 00:14:19,520
Then calculate exposure after.

288
00:14:19,520 --> 00:14:23,160
This is where security teams usually get lost because they jump back into controls, maturity

289
00:14:23,160 --> 00:14:24,680
scores, and technical detail.

290
00:14:24,680 --> 00:14:25,680
Don't.

291
00:14:25,680 --> 00:14:26,680
Stay with business movement.

292
00:14:26,680 --> 00:14:31,120
If detection is faster, containment is tighter, and access governance reduces spread,

293
00:14:31,120 --> 00:14:32,840
the expected impact drops.

294
00:14:32,840 --> 00:14:34,520
Sometimes the probability drops too.

295
00:14:34,520 --> 00:14:38,400
What matters is that the post-control number shows a smaller range of likely damage, and

296
00:14:38,400 --> 00:14:42,080
that smaller range gives leadership more room to move on projects that would otherwise

297
00:14:42,080 --> 00:14:43,080
feel exposed.

298
00:14:43,080 --> 00:14:45,400
After that, subtract annual security cost.

299
00:14:45,400 --> 00:14:46,800
Now you have net protected value.

300
00:14:46,800 --> 00:14:47,800
That phrase matters.

301
00:14:47,800 --> 00:14:49,400
Not savings in the accounting sense.

302
00:14:49,400 --> 00:14:53,760
Protected value, revenue, and operating continuity that stay intact because the business

303
00:14:53,760 --> 00:14:55,280
reduced expected loss.

304
00:14:55,280 --> 00:14:59,080
Then, if you want the clean formula on the slide, use it exactly.

305
00:14:59,080 --> 00:15:03,560
Return on security investment equals exposure before minus exposure after minus security

306
00:15:03,560 --> 00:15:05,800
cost divided by security cost.

307
00:15:05,800 --> 00:15:08,000
Simple math, clear trade-off, no jargon shield.

308
00:15:08,000 --> 00:15:11,960
I'd also add one line most models miss: a decision latency multiplier, because incidents

309
00:15:11,960 --> 00:15:14,720
rarely get more expensive only from technical spread.

310
00:15:14,720 --> 00:15:17,640
They get more expensive when leaders can't decide fast enough.

311
00:15:17,640 --> 00:15:20,560
Each hour of uncertainty expands cost in messy ways.

312
00:15:20,560 --> 00:15:25,160
With paused approvals, delayed customer communication, idle teams, outside counsel, and internal

313
00:15:25,160 --> 00:15:27,120
escalation loops all pulling at once.

314
00:15:27,120 --> 00:15:30,600
So if the service cuts that delay, it reduces more than a tag time.

315
00:15:30,600 --> 00:15:32,000
It reduces management drag.

316
00:15:32,000 --> 00:15:35,600
This is where you need to frame downtime in business units, not security events.

317
00:15:35,600 --> 00:15:37,520
Don't say we blocked this many threats.

318
00:15:37,520 --> 00:15:40,920
Say, an hour of disruption in this function costs this much.

319
00:15:40,920 --> 00:15:43,200
Don't say we improved access governance.

320
00:15:43,200 --> 00:15:47,480
Say, we cut onboarding friction, reduced avoidable support load, and lowered the chance

321
00:15:47,480 --> 00:15:51,920
that one bad identity event spreads into revenue loss.

322
00:15:51,920 --> 00:15:56,000
Identity governance belongs in the same sentence as operating speed because bad identity structure

323
00:15:56,000 --> 00:16:00,160
slows execution long before it triggers an incident, and one level beyond that, lower

324
00:16:00,160 --> 00:16:02,880
uncertainty supports faster capital deployment.

325
00:16:02,880 --> 00:16:08,800
Safer AI rollout, faster approval of external collaboration, cleaner integration during acquisition

326
00:16:08,800 --> 00:16:09,800
activity.

327
00:16:09,800 --> 00:16:12,400
That M&A point matters more than many providers think.

328
00:16:12,400 --> 00:16:16,800
Research still shows 60% of buyers find cyber issues after the deal, and specialized cyber

329
00:16:16,800 --> 00:16:21,080
security firms tend to command stronger multiples than general IT services.

330
00:16:21,080 --> 00:16:24,400
So a mature security posture doesn't just reduce downside.

331
00:16:24,400 --> 00:16:29,000
It also reduces surprises that trigger discounting, delay integration, or erode confidence

332
00:16:29,000 --> 00:16:30,240
in the asset itself.

333
00:16:30,240 --> 00:16:34,600
So the decision ask should sound different too. Not approve more monitoring, not expand

334
00:16:34,600 --> 00:16:35,600
our stack.

335
00:16:35,600 --> 00:16:39,680
Ask for an investment that reduces expected exposure, and shortens executive decision time

336
00:16:39,680 --> 00:16:41,680
in areas tied directly to growth.

337
00:16:41,680 --> 00:16:45,680
That language changes the room, because now security isn't competing with strategy.

338
00:16:45,680 --> 00:16:49,320
It's making strategies safer to execute, and once you pitch it that way, the packaging

339
00:16:49,320 --> 00:16:52,440
and pricing have to stop sounding like outsourced admin.

340
00:16:52,440 --> 00:16:54,280
Packaging and pricing the strategic offer.

341
00:16:54,280 --> 00:16:58,000
If the story changes, the offer has to change with it, because you can't talk like a

342
00:16:58,000 --> 00:17:00,400
board advisor and then price like a help desk.

343
00:17:00,400 --> 00:17:02,920
A lot of managed security offers still break at this point.

344
00:17:02,920 --> 00:17:06,920
The messaging sounds strategic, but the proposal drops straight back into hourly buckets,

345
00:17:06,920 --> 00:17:10,680
per seat math, tool menus, and line items the client has to decode alone.

346
00:17:10,680 --> 00:17:14,320
That mismatch kills trust fast, because the model underneath still tells the buyer this

347
00:17:14,320 --> 00:17:17,200
is outsourced administration with better branding.

348
00:17:17,200 --> 00:17:20,040
Package around outcomes the business can track.

349
00:17:20,040 --> 00:17:25,120
Identity risk reduction, faster response movement, continuity support, governance maturity,

350
00:17:25,120 --> 00:17:28,200
those are the things an executive can compare against current pain.

351
00:17:28,200 --> 00:17:32,040
Not plan A includes these portals, and not plan B includes more alerts.

352
00:17:32,040 --> 00:17:35,480
The buyer needs to see a business condition improve, with a clear reason to keep paying

353
00:17:35,480 --> 00:17:36,480
for it.

354
00:17:36,480 --> 00:17:39,680
I'd separate the offer into business layers, not product layers.

355
00:17:39,680 --> 00:17:41,480
One layer is control plane foundation.

356
00:17:41,480 --> 00:17:45,840
That covers identity governance, policy structure, access ownership, and baseline signal quality

357
00:17:45,840 --> 00:17:47,200
across Microsoft.

358
00:17:47,200 --> 00:17:49,320
The next layer is resilience acceleration.

359
00:17:49,320 --> 00:17:53,720
That covers response flow, automation, joint signals, and the reduction of delay when

360
00:17:53,720 --> 00:17:55,000
something starts moving.

361
00:17:55,000 --> 00:17:58,800
Then a third layer can focus on board ready risk reporting, where the output is executive

362
00:17:58,800 --> 00:18:00,840
clarity, not technical export.

363
00:18:00,840 --> 00:18:04,160
That structure matters because it lets reporting follow the same logic.

364
00:18:04,160 --> 00:18:08,240
Exposure down, decision time down, downtime avoided, control adoption up.

365
00:18:08,240 --> 00:18:11,880
Those are trend lines executives can actually use in steering conversations.

366
00:18:11,880 --> 00:18:15,440
A monthly report shouldn't feel like a SOC dump with prettier colors.

367
00:18:15,440 --> 00:18:19,200
It should feel like operating evidence, what changed, what that changed for the business,

368
00:18:19,200 --> 00:18:21,400
what decision that supports next.

369
00:18:21,400 --> 00:18:24,760
Automation belongs inside this story too, but not as a discount argument.

370
00:18:24,760 --> 00:18:27,840
If you automate repeat work, margins should improve, yes.

371
00:18:27,840 --> 00:18:31,480
But client value shouldn't look smaller, because humans touch fewer tickets.

372
00:18:31,480 --> 00:18:34,800
The service is worth more when it removes delay, cleans up signal quality, and keeps

373
00:18:34,800 --> 00:18:38,040
experienced people focused on judgment instead of repetition.

374
00:18:38,040 --> 00:18:41,840
That's the commercial shift many providers still miss, and the Microsoft stack should never

375
00:18:41,840 --> 00:18:45,000
appear as separate products glued together by your team every month.

376
00:18:45,000 --> 00:18:46,960
It has to show up as one operating model.

377
00:18:46,960 --> 00:18:52,280
Identity, device posture, data context, response logic, governance, one model, one business

378
00:18:52,280 --> 00:18:53,280
outcome story.

379
00:18:53,280 --> 00:18:57,400
That's how the offer stops looking like rented expertise and starts looking like operational

380
00:18:57,400 --> 00:19:00,160
assurance the company can build decisions on.

381
00:19:00,160 --> 00:19:04,200
So stop pitching managed security as protection spend, because what you're really selling is

382
00:19:04,200 --> 00:19:09,120
safer growth, better decision speed, lower exposed revenue, and more confidence when the business

383
00:19:09,120 --> 00:19:10,880
wants to move.

384
00:19:10,880 --> 00:19:15,520
Take your current offer, rewrite it on one page, use one risk formula, attach one continuity

385
00:19:15,520 --> 00:19:19,400
metric, and test that version in your next board or client conversation.

386
00:19:19,400 --> 00:19:23,840
If this changed how you frame security, subscribe to M365.fm, connect with me, Mirko Peters,

387
00:19:23,840 --> 00:19:27,840
on LinkedIn, and send me the next Microsoft or security topic you want unpacked.


Founder of m365.fm, m365.show and m365con.net

Mirko Peters is a Microsoft 365 expert, content creator, and founder of m365.fm, a platform dedicated to sharing practical insights on modern workplace technologies. His work focuses on Microsoft 365 governance, security, collaboration, and real-world implementation strategies.

Through his podcast and written content, Mirko provides hands-on guidance for IT professionals, architects, and business leaders navigating the complexities of Microsoft 365. He is known for translating complex topics into clear, actionable advice, often highlighting common mistakes and overlooked risks in real-world environments.

With a strong emphasis on community contribution and knowledge sharing, Mirko is actively building a platform that connects experts, shares experiences, and helps organizations get the most out of their Microsoft 365 investments.