[Originally published in 2023, revised & updated March 2025 with new insights and examples]
If you work in cybersecurity, this scenario probably sounds familiar:
Budget season arrives. Your CISO needs to defend last year’s security investments and make the case for new ones. Despite all the threats you’ve prevented and vulnerabilities you’ve patched, translating that work into business value feels like climbing a mountain with a backpack full of technical jargon.
It’s 2025, and we’re still struggling with the same challenge: proving that cybersecurity is worth the investment.
Introducing Mean Time to Justify Value (MTTJV)
I propose a practical metric called Mean Time to Justify Value (MTTJV) – the time it takes for a security team to gather evidence and tell a compelling story about a security tool’s business value.
What makes MTTJV powerful is its focus on communication, not just metrics. It measures how quickly you can answer the question:
“What are we getting for all this security spend?”
What MTTJV Measures
MTTJV focuses on four key timeframes:
- Data Collection Time – How long it takes to gather relevant security data
- Analysis Time – How quickly you can transform technical metrics into business terms
- Reporting Time – How efficiently you can create materials for executives
- Alignment Time – How fast you can connect security outcomes to specific business goals
MTTJV in Action: A Tale of Two CISOs
Let’s compare how two CISOs prepare for their annual budget reviews.
Sarah at Retail Co.
Sarah invested in a new endpoint protection platform last year. When asked to justify its value, her team scrambled:
| Step | Sarah (Retail Co.) |
| Data Collection | 3 weeks (manual extraction from multiple dashboards) |
| Analysis | 2 weeks (spreadsheets to calculate potential impact) |
| Reporting | 1 week (building a custom presentation from scratch) |
| Alignment | 2 weeks (getting feedback from business units) |
| Total MTTJV | 8 weeks |
By the time Sarah presents to the CFO, budget decisions are nearly finalized. Despite detailed technical metrics (threats blocked, vulnerabilities patched), they don’t translate well into business impact.
🔻 Result: Budget cut by 15%.
Miguel at Finance Co.
Miguel also implemented endpoint protection, but his approach was different:
| Step | Miguel (Finance Co.) |
| Data Collection | 2 days (solution’s built-in executive dashboard) |
| Analysis | 1 week (using the company’s risk valuation model) |
| Reporting | 2 days (customizing a vendor-provided template) |
| Alignment | 1 week (collaborating with business leaders using a shared value framework) |
| Total MTTJV | 2.5 weeks |
Miguel presents early in the budget cycle with clear business metrics: productivity hours saved, compliance requirements met, and risk reduction quantified in financial terms.
✅ Result: Budget approved with a 5% increase for expanded capabilities.
The MTTJV Difference
The key difference?
Miguel’s security tool was designed with value demonstration in mind, and his team had frameworks ready to translate security metrics into business impact.
Practical Ways to Reduce Your MTTJV
For Security Teams
✅ Create a Value Translation Guide – Map security metrics to business outcomes executives care about
✅ Develop Value Templates – Build reusable reports for recurring budget conversations
✅ Establish Business Partnerships – Regularly check in with business units to align on security priorities
✅ Practice Telling Value Stories – Get comfortable explaining security in non-technical terms
For Security Vendors
✅ Build Executive Dashboards – Create business-focused views that complement technical dashboards
✅ Provide ROI Frameworks – Offer adaptable templates and methodologies
✅ Include Benchmark Data – Show how customers compare to industry peers
✅ Create Value Accelerators – Develop tools that automatically translate technical metrics into business terms
The Role of AI in Improving MTTJV
AI can significantly reduce MTTJV by:
🤖 Automating security data analysis for business impact
📊 Generating customized reports for different stakeholders
🔮 Predicting future value based on current security posture
🗣️ Translating technical metrics into business language
The key is using AI to enhance human judgment, not replace the critical thinking needed to connect security to business value.
A Balanced Approach to MTTJV
The best security value demonstrations balance:
⚖️ Hard numbers with compelling stories
🔒 Technical achievements with business outcomes
🛡️ Threat prevention with business enablement
💰 Cost avoidance with competitive advantage
Start Your MTTJV Journey
Ask yourself:
📌 How long would it take your team to fully justify the value of your most expensive security tool?
📌 What steps in that process consume the most time?
📌 Which security investments are easiest to justify to business leaders? Why?
📌 How might you reduce your MTTJV by 50% in the next budget cycle?
The security teams and vendors that thrive in 2025 and beyond will be those that master the art and science of quickly demonstrating business value.
By focusing on reducing your Mean Time to Justify Value (MTTJV), you’ll not only protect your security budget – you’ll elevate security’s role from cost center to business enabler.