A One-Two Punch for Security ROI

Cost avoidance is a powerful way to kick off ROI discussions. However, to quickly move beyond objections, shifting to a more tangible approach to calculating ROI can help.

Traditionally, as an industry, we rely heavily on metrics like the cost of a data breach as a tool to discuss return on investment (ROI). Third-party data provides a level of credibility when engaging in discussions about the need for specific capabilities to prevent specific types of attacks and avoid losses. But when decision makers start to dig a little deeper, questions invariably arise and pushback happens, like “what are the odds of that happening to us?” or “we aren’t that big”. It can be a stretch for decision makers to internalize the data and believe that it is relevant to them and their organization. Cost avoidance is not tangible for several reasons.

Challenges with cost avoidance

An in-depth study by CISA on the “Cost of a Cyber Incident: Systematic Review and Cross-Validation” discussed some of the challenges with gathering credible data on the cost of an incident. These include:

  • Relying on historical data. Only a fraction of successful attacks is publicly disclosed. Convenience sampling is not statistically representative. There is no way to know how many incidents went unreported and how they varied in type, size, scope, and impact from the sample used.
  • Extrapolating future potential losses. Adversaries adapt to changes in the cybersecurity environment and also shift their focus from one industry to another, which makes it extremely difficult to use historical data for future insights.
  • Variations in methodology. Estimates vary widely from one cost analysis to another based on the size of the target organization, their industry and region, as well as the regulatory environment and penalties. Additionally, “softer” factors such as reputational damage may be included in total costs, but how those factors are measured often isn’t clear.
  • Likelihood of the incident. Making the case for investment based solely on cost avoidance is amorphous because that data breach or specific type of incident may not happen to that organization, much less in a way that directly maps to how the cost was calculated.

Despite these challenges, cost avoidance is a powerful way to kick off the ROI discussion. However, to quickly move beyond objections, shifting to a more tangible approach to calculating ROI can help.

Getting to tangibility

As security automation has gained traction and the cybersecurity skills shortage persists, now’s the time to lean into an ROI discussion based on how to do more with less. Use cases provide a tangible way to quantify what an organization can achieve with a specific solution because they can be:

  • Aligned with the organization’s priorities. There are several common use cases, including spear phishing, threat hunting, incident response, and vulnerability management. Starting with one or two use cases that are important to the organization helps focus the discussion on the high priority areas decision makers see value in addressing quickly.
  • Customizable to the organization. Each use case can be broken down into the activities required to address that use case and the cost of the resources involved. For example, the number of full-time equivalent personnel, the fully loaded hourly rate and the hours involved in completing the required activities prior to investing in a new solution provide the baseline. Then, calculating the resources needed with the addition of the new solution provides the financial return on that investment – including both efficiency and effectiveness gains. Transparency into that calculation and flexibility to adapt it to a specific organization and environment provide meaningful, highly relevant data.
  • Measurable. ROI can be difficult to track on an ongoing basis. The transparency of a use case-based approach helps facilitate this. Consistent metrics might include the time to detect and respond, time to resolution, or percentage of high-priority vulnerabilities patched or mitigated. Tracking and reporting on the impact on security teams is also important. Valuable metrics to consider include a reduction in the need to staff up, or time saved that has allowed analysts to pivot to more strategic initiatives or be more proactive in other areas.
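A worked version of the use-case calculation described above, added here as an illustration rather than taken from the article: each activity is costed before and after the new solution, with fewer hours per event representing an efficiency gain and fewer events representing an effectiveness gain. The spear phishing activities, their volumes and hours, the $95 fully loaded rate, the $120,000 annual solution cost and the 2,000 productive hours per FTE-year are all constructed sample values and assumptions, not figures from the author.

```python
from dataclasses import dataclass

HOURS_PER_FTE_YEAR = 2000.0  # assumption, not from the article: productive hours per FTE-year


@dataclass
class Activity:
    """One activity in a use case, costed before and after the new solution."""
    name: str
    events_before: int    # how often the activity runs per year today
    hours_before: float   # analyst hours per event today
    events_after: int     # volume with the solution (lower = effectiveness gain)
    hours_after: float    # hours per event with the solution (lower = efficiency gain)


def annual_hours(activities, after=False):
    """Total analyst hours per year for the use case, baseline or post-investment."""
    if after:
        return sum(a.events_after * a.hours_after for a in activities)
    return sum(a.events_before * a.hours_before for a in activities)


def use_case_roi(activities, loaded_rate, solution_cost_per_year):
    """loaded_rate: fully loaded $/hour per analyst; solution_cost_per_year: $/year."""
    before = annual_hours(activities)
    after = annual_hours(activities, after=True)
    gross_savings = (before - after) * loaded_rate
    net_return = gross_savings - solution_cost_per_year
    return {
        "baseline_cost": before * loaded_rate,
        "hours_saved": before - after,
        "fte_freed": (before - after) / HOURS_PER_FTE_YEAR,
        "gross_savings": gross_savings,
        "net_return": net_return,
        "roi_pct": net_return / solution_cost_per_year * 100,
        "payback_months": 12 * solution_cost_per_year / gross_savings if gross_savings > 0 else None,
    }


# Constructed sample: a spear phishing use case for a small SOC (not real data).
SAMPLE_ACTIVITIES = [
    Activity("triage reported emails", 3000, 0.5, 3000, 0.1),
    Activity("investigate confirmed phish", 300, 4.0, 200, 1.5),
    Activity("contain and remediate", 300, 2.0, 200, 0.5),
]
SAMPLE_RATE = 95.0               # constructed: fully loaded $/hour
SAMPLE_SOLUTION_COST = 120000.0  # constructed: $/year for the new solution

if __name__ == "__main__":
    for key, value in use_case_roi(SAMPLE_ACTIVITIES, SAMPLE_RATE, SAMPLE_SOLUTION_COST).items():
        print(f"{key:>15}: {value:,.1f}" if value is not None else f"{key:>15}: n/a")
```

Swapping in an organization's own activities, volumes and rate is the customization step the column describes; the same dictionary keys can then be tracked period over period as the "measurable" metrics.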

It’s easy to talk about ROI in terms of avoiding the cost of a data breach. Regardless of methodology, the numbers are staggering. But cost avoidance cannot stand alone. When used in combination with tangibility the two approaches can serve as a one-two punch to deliver a more compelling case for additional cybersecurity investments. It’s good for the industry, good for organizations, and good for security teams.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
