Aligning Security with Strategy

A regional auto finance company had long recognized the importance of cybersecurity, but its use of Metrics That Matter® (MTM®) had been limited to compliance and reporting. By early 2024, the company’s leadership set a higher bar: align cybersecurity spending with business objectives, demonstrate Return on Security Investment (ROSI), and reduce residual risk in meaningful, measurable ways.

With a lean security team and under a billion dollars in annual revenue, the stakes were high. Every dollar spent on security needed to deliver impact – not just on paper, but in real risk reduction tied to business outcomes.

While the company had a solid foundation in security, it lacked a clear, quantifiable way to connect security initiatives to business goals or justify future investments. Without visibility into where risk truly resided or how security spending translated into value, leadership couldn’t prioritize initiatives with confidence.

What they needed was a strategic framework: one that would illuminate where gaps existed, where dollars would matter most, and how to communicate those choices in business terms.

Consortium helped our client take the next step by becoming the first to sign an MTM Managed agreement. In an intensive onboarding process, the team refreshed the MTM environment and identified key focus areas.

What emerged was a clear, actionable plan. Out of ten potential initiatives, Consortium and the client prioritized four that would deliver the greatest impact:

• Cloud security
• Data management and classification
• Offensive security / penetration testing
• Network detection and response

MTM provided visibility into gaps and quantified the potential risk reduction of each project in financial terms. One proof-of-value exercise uncovered unencrypted sensitive data – giving the client critical insight into regulatory exposure and a clear path to remediation.

Auto Lenders gained what it had been missing: a strategic, data-driven cybersecurity roadmap. The prioritized initiatives represented approximately $1 million in capital spend with an expected $3.5 million reduction in residual risk – a compelling case for investment that resonated with leadership.

The company has already signed on for offensive security testing, with other projects moving forward through evaluation and planning stages. Beyond individual initiatives, MTM is now helping guide their security program on an ongoing basis – turning data into direction, and direction into defensible decisions.