Short introduction

Meet Dominic Jainy, a seasoned IT professional whose expertise spans artificial intelligence, machine learning, and blockchain. With a passion for leveraging cutting-edge technologies across industries, Dominic brings a unique perspective to the world of cybersecurity leadership. In this interview, we dive into the challenges of securing budget approval for cybersecurity initiatives, the art of translating technical risks into business language, and the strategies for aligning security with organizational goals. From navigating boardroom dynamics to staying ahead of evolving threats, Dominic shares actionable insights for turning security into a business enabler.
How do you see the biggest challenges playing out when trying to secure budget approval for cybersecurity programs?
One of the toughest challenges is overcoming the perception that cybersecurity is just an IT cost rather than a business necessity. Often, you’re up against competing priorities like marketing or product development, which seem to promise more immediate returns. I’ve found that many executives don’t fully grasp the potential fallout of a breach until it’s framed in terms of revenue loss or reputational damage. It’s about shifting that mindset, showing that a breach isn’t just a tech glitch—it could derail the entire business. Another hurdle is the lack of tangible metrics; security is often about preventing something that hasn’t happened yet, which makes it hard to justify spending without hard data.
Why do you think cybersecurity sometimes gets pushed down the priority list during budget talks?
It often comes down to visibility and urgency. Other departments can point to direct outcomes—like a sales team showing increased revenue or a product team launching a new feature. Security, on the other hand, operates in the background. If nothing bad has happened recently, it’s easy for leadership to think, “We’re fine, why spend more?” There’s also a bit of fatigue around cyber threats; executives hear about breaches in the news so often that it can start to feel like white noise. Without a clear, recent example of risk in their own context, it’s tough to keep security at the forefront of budget discussions.
How do you ensure that the board views cybersecurity as a business risk rather than just a technical issue?
It starts with speaking their language. I focus on the business impacts—things like how a breach could disrupt operations, lead to regulatory fines, or tank customer trust. I’ve learned to tie security risks to specific business goals, like protecting a new product launch or ensuring uptime during peak sales periods. For instance, I once presented a scenario where a ransomware attack could halt a critical system, costing millions in downtime. By framing it as a direct threat to revenue, the board immediately saw it as their problem, not just IT’s. It’s also about consistency; I make sure security is a regular agenda item, not just a reaction to a crisis.
What strategies do you use to connect security needs to broader business objectives?
I always start by understanding the company’s top priorities—whether it’s expanding into new markets, launching a product, or maintaining compliance. Then, I map out how security supports those goals. For example, if we’re rolling out a new cloud-based system, I’ll highlight how specific security controls protect that investment and ensure a smooth launch. I also use metrics like time to detect or remediate threats to show how security directly contributes to uptime or customer trust. It’s about positioning security as a partner to growth, not a roadblock. That alignment makes it much easier to get buy-in from leadership.
Can you share an example of a time you linked a security initiative to a specific business project?
Absolutely. A few years back, my organization was undergoing a major merger, which meant integrating systems and data from two very different environments. I worked closely with the project team to identify potential risks, like data leaks during the transition. I proposed a security validation tool to test for vulnerabilities before, during, and after the integration. By showing how this tool would protect sensitive customer information and prevent delays in the merger timeline, I got the budget approved quickly. The initiative not only secured the project but also built trust with leadership—they saw security as a critical piece of the puzzle.
How do you quantify risk in a way that resonates with non-technical executives?
I focus on translating risk into dollars and cents. For instance, I’ll calculate the potential cost of a breach—factoring in downtime, fines, legal fees, and lost business—and present that alongside the cost of prevention. I once worked with a team to estimate that a data breach could cost us upwards of $5 million based on industry benchmarks and our own data. When you put a number like that in front of the board, it cuts through the technical jargon. I also use real-world examples, like breaches in similar industries, to make the threat feel immediate. It’s about making the invisible visible in terms they can’t ignore.
What role do industry standards play in strengthening your case for cybersecurity funding?
Industry standards like NIST or ISO 27001 are incredibly helpful because they provide a recognized benchmark. I use them to show that we’re not just making up priorities—these are best practices that regulators and peers expect. For example, I’ve referenced compliance requirements to justify investments in specific controls, like encryption or access management. But I’m careful to emphasize that meeting a standard isn’t the endgame; it’s a starting point. I’ll pair those standards with real-world testing data to show where we’re still exposed. That combination of credibility and evidence makes a strong case for additional resources.
How do you balance the demands of compliance with the need to address actual, evolving threats?
Compliance is a box to check, but it’s not a shield. I treat it as a baseline—something we must achieve—but I’m always looking beyond it to the real risks. For instance, a compliance framework might require annual audits, but threats like ransomware don’t wait for your audit cycle. So, I advocate for continuous testing and validation to catch issues in real time. I’ve found that explaining this gap to leadership—how compliance keeps us legal but not necessarily safe—helps justify budget for proactive measures. It’s about showing that we’re not just following rules; we’re staying ahead of attackers.
What’s your approach to demonstrating the return on investment for security spending?
ROI in security isn’t always about profit—it’s about loss prevention. I focus on what we’re avoiding: downtime, penalties, lawsuits, and brand damage. I use data from automated tools to show early wins, like identifying a critical misconfiguration before it’s exploited. For example, I’ve presented reports showing how quickly we remediated a vulnerability and what the potential cost would have been if it had been exploited. I also tie spending to business enablers, like how a secure environment supports a new market expansion. By framing it as protection and opportunity, I help leadership see security as an investment, not just an expense.
What’s your forecast for the future of cybersecurity budget conversations in the coming years?
I think we’re going to see a shift toward more proactive and evidence-based discussions. As cyber threats become even more sophisticated, boards will demand clearer metrics and real-time data to justify spending. Continuous validation and automated testing will become non-negotiable, as they provide the hard evidence leadership needs to feel confident in their decisions. I also expect security to be increasingly tied to business growth—think securing digital transformation or AI-driven initiatives. The conversation will move from “How much do we have to spend?” to “How does this investment position us for the future?” That’s an exciting evolution, and it’s up to security leaders to drive it.