Defending Your Budget: How to Show ROI of Cybersecurity Investments

For those of us who work in cybersecurity, the term “Return on Investment” (ROI) has no doubt made for awkward conversations. The solutions we work with have a return, but one that is commonly only evident during a malware attack or after a data breach has been thwarted. 

Like testing parachutes or evaluating new safety harnesses, performing a live demonstration to show the power of a solution is not comfortable for any security professional.

Until recently, proving the ROI of security investment has not been a significant issue. Headlines pretty much did the job for us. Newspaper articles and online reports of the latest breach, ransomware or software vulnerability made it easier to justify the need for additional layers of security to reduce the risk of our own business becoming a future headline. But this was before we entered the new era of remote work we are in today. 

Who’s Involved?

The security-first mindset is still necessary and well-understood by board members, but budgets are constantly being scrutinized and tightened. This was true before the workplace became largely remote, but even more so now that we will soon need to upgrade workplaces with enhanced physical protection for those people who do need to get back into an office.

The CISO and CTO make security project decisions, meet regularly and discuss how to balance risk and assign a budget, with risk usually carrying enough additional weight to gain approval. This is changing; security is still essential, but the business now wants to assess and apply risk at different levels across the company. For example, a public-facing web server holding product datasheets would need less security than a server hosting developer code for upcoming product releases.

The partnership between the CISO and the CIO is critical for ensuring the right level of cybersecurity is applied to the business. Still, for the CISO, this means thinking differently. It is not enough to demonstrate protection statistics or the number of phishing emails that can be blocked. Business leaders want to know not only how security keeps them safe, but also how it makes their business more productive.

The Proof is in the Pudding

Security needs to become a measurable, outcome-driven deliverable and not just something proven following the prevention of a breach. To achieve this, more than just security information needs to be assessed. Data from devices, the network and external sources are all required to refine the security deliverables into something that demonstrates business value and, therefore, proves ROI.

Fortunately, there are areas where we can focus on achieving a more unobstructed view of security ROI. Although there is no one perfect solution to this challenge, it is easier to build a business conversation that supports future investments if security is considered as a combination of risk plus consequence.

Developing an ROI model takes time – my recommendation would be to focus on a simple security project that will return high value to the business when proven successful. Demonstrating that it is possible to show a return will help the team in developing a model for more complex solutions.

Demonstrating ROI Through Security Awareness

Awareness is vital in any organization, as this is where ransomware, data theft and other attacks start. Business Email Compromise (BEC) is on the rise and, according to some reports, could have accounted for up to 50% of 2019 cybercrime losses in the United States alone.

It is important to note that security software cannot always prevent a BEC; this form of attack is becoming smarter and better targeted, meaning that more will successfully find a way to the user’s inbox. On average, 35% of users will still click on a phishing link, according to a 2019 report from the JAMA Network Open.

These statistics speak for themselves – security awareness training should be a component in any security program and could reduce future BEC risk. But how can we make the case for the spend?

• Run a penetration test that uses a business email compromise to target internal users, getting them to click on a link potentially containing malware.

• For every 1,000 users, around 35% will click on the link. That may seem high, but corporate users often feel protected at work and this can make them more susceptible to attack.

Using this data, we see the test successfully phished 350 users. Had this been a real-world campaign, these users could have cost the business up to $75,000 in damages per click. For just a few dollars per user, regular online security awareness training seems well worth the cost.
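The arithmetic above is one instance of a general, risk-based ROI model: expected loss = users × click rate × cost per incident, compared before and after a control is applied, against the cost of that control. The following is an added example (not from the article or its author) that turns that model into a reusable function so the same inputs can be reused for other simple projects later. The 1,000 users, 35% click rate and $75,000 per click come from the article; the post-training click rate of 10% and the $5 per user training cost are assumptions made here for illustration.

```python
from dataclasses import dataclass


@dataclass
class PhishingRoi:
    """Outputs of a simple risk-based ROI model for awareness training."""
    expected_clicks_before: float
    expected_clicks_after: float
    expected_loss_before: float   # users * click rate * cost per click
    expected_loss_after: float
    training_cost: float          # users * cost per user
    risk_reduction: float         # loss avoided by the control
    net_benefit: float            # risk reduction minus control cost
    roi: float                    # net benefit per dollar spent on the control


def phishing_roi(users: int,
                 baseline_click_rate: float,
                 post_training_click_rate: float,
                 cost_per_click: float,
                 training_cost_per_user: float) -> PhishingRoi:
    """Compare expected phishing losses before and after awareness training.

    Rates are fractions in [0, 1]. cost_per_click is the worst-case damage
    attributed to one successful phish, so the result is an upper bound on
    exposure, matching the "up to" framing used in the article.
    """
    for name, rate in (("baseline_click_rate", baseline_click_rate),
                       ("post_training_click_rate", post_training_click_rate)):
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {rate}")
    if users <= 0:
        raise ValueError("users must be positive")
    if cost_per_click < 0:
        raise ValueError("cost_per_click cannot be negative")
    if training_cost_per_user <= 0:
        # A zero-cost control would make ROI undefined (division by zero).
        raise ValueError("training_cost_per_user must be positive")

    clicks_before = users * baseline_click_rate
    clicks_after = users * post_training_click_rate
    loss_before = clicks_before * cost_per_click
    loss_after = clicks_after * cost_per_click
    training_cost = users * training_cost_per_user
    risk_reduction = loss_before - loss_after
    net_benefit = risk_reduction - training_cost

    return PhishingRoi(
        expected_clicks_before=clicks_before,
        expected_clicks_after=clicks_after,
        expected_loss_before=loss_before,
        expected_loss_after=loss_after,
        training_cost=training_cost,
        risk_reduction=risk_reduction,
        net_benefit=net_benefit,
        roi=net_benefit / training_cost,
    )


if __name__ == "__main__":
    # Article figures: 1,000 users, 35% click rate, up to $75,000 per click.
    # Assumed here: training cuts clicks to 10% and costs $5 per user.
    result = phishing_roi(users=1000, baseline_click_rate=0.35,
                          post_training_click_rate=0.10,
                          cost_per_click=75_000, training_cost_per_user=5)
    print(f"Expected clicks before training: {result.expected_clicks_before:.0f}")
    print(f"Worst-case exposure before:      ${result.expected_loss_before:,.0f}")
    print(f"Worst-case exposure after:       ${result.expected_loss_after:,.0f}")
    print(f"Training cost:                   ${result.training_cost:,.0f}")
    print(f"Net benefit:                     ${result.net_benefit:,.0f}")
    print(f"ROI: {result.roi:,.1f}x the training spend")
```

The post-training click rate is the number the business will challenge, so it should come from a follow-up measurement (the KPI the article recommends agreeing on) rather than a vendor brochure; rerunning the function with the measured rate is how the model improves over time.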

Training is a straightforward example. Other IT projects where a simple ROI can be developed include adding features to endpoint security, introducing encryption technologies or better securing Wi-Fi authentication.

My advice would be to avoid more complex projects, such as firewall upgrades, until the security ROI process is better understood by everyone. Presenting only technical metrics or deliverables can make it hard for the security team to communicate the business value clearly, resulting in projects being held up or even cancelled altogether.

Recipe for ROI

In short, yes, it can be achieved. But it all comes down to business risk appetite and establishing a significant number that demonstrates maturity to help with future investments. Here is my recipe for security ROI:

• Agree on clearly defined, risk-based KPIs for security. These provide the data to leverage in the development of ROI for projects.

• Understand how the business wants to address risk. Every new change carries the potential for new threats and a clear message is needed to balance risk against the speed of innovation and customer experience.

• Risk is a responsibility for the business, not just the security team. Ensure that security KPIs are assigned to different business leaders and not just the CISO or CIO.

The above list is not exhaustive, but a strong starting point. Another critical piece is that the establishment of security KPIs across the business means that business leaders are all invested in making the best decision on any project.

While establishing and understanding ROI for security may seem challenging, the route to success starts with small and clearly defined projects. Do not immediately expect 100% accuracy – this will come over time as more data improves the model, which in turn provides the ability to demonstrate security ROI to the business.
