I have a vision for the security industry. I see a future where the chief information security officer (CISO) sits beside the CFO and CEO at the boardroom table. Like the CFO, the CISO is a valued strategic contributor who plays a critical role in the company’s success and is equally involved in day-to-day business decisions.

Admittedly, this isn’t a unique vision — the security industry has advocated for a seat at the executive table for at least the last decade. For all our talk, however, we haven’t made much progress. A CISO in the boardroom is still an odd occurrence. If we’re going to change that, CISOs need to change the way they think and interact with businesses. They only have to look as far as the CFO to see how it’s done.

The chief financial officer is a relatively new role. Even 30 years ago, it was rare to find a company with a CFO. Fast-forward to today, and it’s rare to find a company without one. Not only do CFOs have a seat at the table, but they’re often on the succession plan for the CEO. The position has matured from being nonexistent to becoming a successor in three decades.

It’s easy to see the value of a CFO. They own the revenue piece of the company. But most importantly, they enable revenue to be articulated. The CFO has the benefit of dealing in dollars and cents (hard numbers). Modern software leverages Dow Jones Industrial-type charts that graphically portray projections and expectations for the sector. As a result, financials are clearly articulated for everyone to understand.

Therein lies the difference between the CFO and most CISOs: Whereas CFOs can articulate the current and future state of revenue in quantitative terms, most CISOs can only speak about risk in qualitative terms that lack context and metrics.

When asked about their company’s risk posture, many CISOs will provide a vague descriptor: high/medium/low or red/yellow/green. These qualitative measurements mean nothing to the board. Furthermore, they don’t allow CISOs to articulate the quantitative impact of investments on risk. The CISO might tell the board the cyber risk level is yellow and request $1 million as part of a budget increase. The board obviously wants to know what risk will look like as a result, but the best the CISO can do is say that it will still be yellow. When will cyber risk for an organization ever be not yellow, anyway?

As long as security continues to operate based on qualitative metrics with no quantification, it won’t be perceived as a mature field. If you think about it, no other part of the business can get away with that. CISOs need to figure out a way to have a more mature conversation so that they can be more confident about how they describe and discuss risk.

One place to begin is by taking cyber risk and viewing the impact in terms of dollars. Risk itself can be a qualitative measure, but the impact around an incident — the cost of a downed asset associated with lost revenue, recovery, etc. — can be quantitative. The good news is we already know those figures. The CISO just needs to take ownership of them.