TBM for Cybersecurity & Enterprise Risk Management

The Rising Importance of Risk-Informed Technology Management

Organizations today operate within an expanding landscape of risk—cyberattacks, regulatory shifts, financial uncertainty, and operational disruptions are becoming more frequent and costly. In 2023 alone, the global average cost of a data breach reached $4.45 million, according to IBM’s Cost of a Data Breach Report 2023. Cyber-risk, once considered a specialized IT issue, is now central to enterprise strategy.

Yet addressing these risks often comes with tradeoffs. Risk mitigation can increase the total cost of ownership (TCO) for IT services and reduce the speed or convenience of digital experiences. At the same time, many organizations lack mature, enterprise-wide risk management frameworks to assess, prioritize, and communicate these tradeoffs.

A 2023 study by North Carolina State University found that 34% of organizations have no enterprise-wide risk management process, 32% have a partial process, and only 34% have a complete, formal ERM process in place (NCSU 2023 Risk Oversight Report).

Technology Business Management (TBM) brings financial and operational clarity to cybersecurity and enterprise risk strategies, empowering better decisions about where and how to invest in protection, compliance, and resilience.

Cybersecurity Through a TBM Lens

Cybersecurity is not only a technical function—it’s a financial and strategic one. TBM provides a structured, data-driven way to model the costs of cybersecurity initiatives, measure the value of risk mitigation, and align security investments with business priorities.

According to the World Economic Forum’s Global Cybersecurity Outlook 2022, 55% of organizations have been affected by a third-party cyber incident in the past two years (WEF Global Cybersecurity Outlook 2022). These events often create ripple effects across the enterprise, reinforcing the need for proactive, risk-aware investment strategies.

When integrated with cybersecurity standards such as the NIST Cybersecurity Framework (CSF), TBM helps organizations:

  • Model the cost of achieving different cyber-risk profiles (e.g., high, medium, low)
  • Allocate cybersecurity spend across applications, services, and departments
  • Justify new investments and track return on investment (ROI) over time
  • Improve communication with executives and boards
  • Benchmark cybersecurity spending against industry norms

Through the TBM Taxonomy, organizations can assign risk attributes to services and associate those attributes with costs, enabling clearer visibility into the financial impact of different security strategies.

TBM and NIST Integration

The TBM Council has partnered with the National Institute of Standards and Technology (NIST) to align the TBM Taxonomy with the NIST Cybersecurity Framework. This integration enables organizations to:

  • Tag services and applications with a cybersecurity risk profile
  • Cost-model the controls needed to reduce risk in line with business objectives
  • Budget for improvements across the five CSF functions: Identify, Protect, Detect, Respond, and Recover
  • Build shared accountability by linking cost transparency with risk transparency

With this integration, technology, finance, and cybersecurity leaders can collaborate around a unified view of risk-adjusted value.

To learn more, download the TBM Taxonomy & NIST white paper.

Enterprise Risk Management with TBM

Beyond cybersecurity, TBM provides capabilities that support Enterprise Risk Management (ERM) across the organization. Whether following COSO ERM, ISO 31000, or another framework, TBM enhances risk identification, assessment, response, and monitoring by illuminating the cost and performance of risk-related technology services.

The NCSU 2023 Risk Oversight Report found that while 62% of organizations formally consider IT-related risks, only 53% consider financial reporting and investment risks, and 60% consider legal, regulatory, and compliance risks—revealing inconsistency in enterprise-level risk modeling and mitigation.

With TBM, organizations can:

  • Evaluate the cost of compliance with regulatory or contractual requirements
  • Align financial impact assessments with mitigation costs
  • Benchmark ERM spending across business units or industry peers
  • Identify and distribute shared costs of risk-reduction investments
  • Generate risk-related KPIs tied to technology and financial data
  • Track the ROI of risk mitigation and resilience-building efforts

TBM also enables the creation of dedicated services, such as “Compliance” or “Cybersecurity Protection,” with full TCO, enabling ERM leaders to better plan and budget for risk-based programs.

Use Cases and Capabilities

| TBM Capability | Purpose |
| --- | --- |
| Risk-Based Cost Modeling | Associate risk profiles with services to evaluate mitigation strategies and their costs |
| Budget Allocation Support | Justify risk-based investment through clear, cross-functional modeling |
| Shared Cost Distribution | Allocate costs of shared risk controls (e.g., zero-trust, encryption) across beneficiaries |
| Performance & ROI Tracking | Measure the impact of risk reduction and compliance initiatives |
| Risk-Informed Planning | Support forward-looking decisions with cost and performance forecasts |
| Monitoring & Metrics | Generate outputs that support continuous risk monitoring under COSO or NIST |

TBM as a Foundation for Risk-Informed Governance

By uniting financial transparency with risk management, TBM enables a more proactive and informed approach to technology governance. Whether your organization is implementing a cybersecurity program, maturing its ERM function, or preparing for new compliance obligations, TBM offers the visibility, structure, and flexibility to support smarter investment.

For guidance on how TBM and FinOps combine to support smarter, risk-informed financial governance, explore TBM & FinOps: A Guide or visit our FinOps page for more information.

Looking to go deeper? Download the TBM Taxonomy and NIST whitepaper to explore this topic further, or download the related data tables to begin managing your risks today.

While you’re here, join the TBM Council to connect with peers and stay updated on all things TBM. Explore our communities to see how others are tackling similar challenges, or check out our Knowledge Base for frameworks, case studies, and how-to guidance. Learn more about the TBM Framework and how it supports smarter decision-making across IT and Finance. You can also attend an upcoming event, pursue training or certification, or see how our partners are contributing to this area of TBM practice.

