[Originally published in 2023, updated March 2025 with new insights and examples]

The Security Value Problem

If you work in cybersecurity, this scenario probably sounds familiar:

Budget season arrives. Your CISO needs to defend last year’s security investments and make the case for new ones. Despite all the threats you’ve prevented and vulnerabilities you’ve patched, translating that work into business value feels like climbing a mountain with a backpack full of technical jargon.

It’s 2025, and we’re still struggling with the same challenge: proving that cybersecurity is worth the investment.

Introducing Mean Time to Justify Value (MTTJV)

I propose a practical metric called Mean Time to Justify Value (MTTJV) – the time it takes for a security team to gather evidence and tell a compelling story about a security tool’s business value.

What makes MTTJV powerful is its focus on communication, not just metrics. It measures how quickly you can answer the question: “What are we getting for all this security spend?”

What MTTJV Measures

MTTJV looks at four key timeframes:

1. Data Collection Time: How long it takes to gather relevant security data
2. Analysis Time: How quickly you can transform technical metrics into business terms
3. Reporting Time: How efficiently you can create materials for executives
4. Alignment Time: How fast you can connect security outcomes to specific business goals

MTTJV in Real Life: The Tale of Two CISOs

Let’s see how this plays out with two fictional CISOs preparing for their annual budget reviews:

Sarah at Retail Co.

Sarah invested in a new endpoint protection platform last year. When asked to justify its value:

• Data Collection: 3 weeks spent manually extracting data from multiple dashboards
• Analysis: 2 weeks creating spreadsheets to calculate potential impact
• Reporting: 1 week building a custom presentation from scratch
• Alignment: 2 weeks getting feedback from business units on their security priorities

Total MTTJV: 8 weeks

By the time Sarah presents to the CFO, budget decisions are nearly finalized. Her detailed technical metrics (threats blocked, vulnerabilities patched) don’t translate well to business impact. The CFO sees little connection between the tool and business objectives.

Result: Budget cut by 15%

Miguel at Finance Co.

Miguel also implemented new endpoint protection. When budget season arrives:

• Data Collection: 2 days using the solution’s built-in executive dashboard
• Analysis: 1 week applying the company’s existing risk valuation model
• Reporting: 2 days customizing a template provided by the vendor
• Alignment: 1 week collaborating with business leaders using a shared value framework

Total MTTJV: 2.5 weeks

Miguel presents early in the budget cycle with clear business metrics: productivity hours saved, compliance requirements met, and risk reduction quantified in financial terms. His presentation directly ties security outcomes to the company’s strategic initiatives.

Result: Budget approved with 5% increase for expanded capabilities

The MTTJV Difference

The key difference? Miguel’s security tool was designed with value demonstration in mind, and his team had frameworks ready to translate security metrics into business impact.

Practical Ways to Reduce Your MTTJV

For Security Teams

1. Create a Value Translation Guide: Map specific security metrics to business outcomes your executives care about
2. Develop Value Templates: Build reusable presentations and reports for recurring budget conversations
3. Establish Business Partnerships: Regularly check in with business units to understand their security priorities
4. Practice Telling Value Stories: Get comfortable explaining security in non-technical terms

For Security Vendors

1. Build Executive Dashboards: Create business-focused views that complement technical dashboards
2. Provide ROI Frameworks: Offer templates and methodologies customers can adapt
3. Include Benchmark Data: Show how customers compare to industry peers
4. Create Value Accelerators: Develop tools that automatically translate technical metrics to business terms

The Role of AI in Improving MTTJV

AI can significantly reduce MTTJV by:

• Automatically analyzing security data for business impact
• Generating customized reports for different stakeholders
• Predicting future value based on current security posture
• Translating technical metrics into business language

The key is using AI to enhance human judgment, not replace the critical thinking needed to connect security to business value.

A Balanced Approach to MTTJV

The best security value demonstrations balance:

• Hard numbers with compelling stories
• Technical achievements with business outcomes
• Threat prevention with business enablement
• Cost avoidance with competitive advantage

Start Your MTTJV Journey

Begin by asking these questions:

1. How long would it take your team to fully justify the value of your most expensive security tool?
2. What steps in that process consume the most time?
3. Which security investments are easiest to justify to business leaders? Why?
4. How might you reduce your MTTJV by 50% in the next budget cycle?

The security teams and vendors that thrive in 2025 and beyond will be those that master the art and science of quickly demonstrating business value. By focusing on reducing your Mean Time to Justify Value, you’ll not only protect your security budget – you’ll elevate security’s role from cost center to business enabler.