How do you demonstrate the cost-opportunity value to the business of reducing risk?

"In IT and Operations, they learned how to do this decades ago.  It's about time in security we learned to do this too."