Can You Measure ROI On Cybersecurity?

30 Jan 2020

A Return on Investment (ROI) is the cornerstone of every business. If you’re making more than you’re spending, you’re doing OK. If you’re spending more than you’re making, you better get your CV in order because you’ll go out of business when the cash supply runs dry.

ROI is the question that keeps business owners awake at night.

How much are you spending?

In what areas of the business can you maximise profit, cut costs and increase production?

Traditionally it is calculated as benefit over cost: if the thing you make costs £5 in production and materials and you sell it for £50, you’re in positive ROI territory (and if you can find ways to cut that £5 to £3.50, even better). But if you’re spending thousands on an element of your business and not seeing any return on that spend, that’s where the sleepless nights come in.

Unfortunately, this is how many business owners view their outlay on cybersecurity. Paying to keep critical business data secure neither increases revenue directly nor offers any immediate payback, so calculating ROI on cybersecurity is difficult.

Imagine you’re a goalkeeper and you’ve got Messi, Ronaldo, Kane and Salah running at you with a ball each. Where do you focus your attention? Each attacker is as deadly as the next, but you can’t defend your goal from all of them at once.

The same goes for your cybersecurity. As attack surfaces grow, perimeters disappear and cybercriminals get more sophisticated, it is getting harder and harder to decide where to focus your attention – and therefore your money.

At its most basic, ROI on cybersecurity spend could be measured by the number of breaches you avoid, but an avoided breach is not something you can directly observe, so beyond that metric it quickly gets more complicated.

‘Cybersecurity investments must focus on aligning strategies and protections with real-world risks’ says managing director and North America lead for Cybersecurity at Accenture, Kevin Richards.

Spend £100,000 on developing a new product and you’d expect to earn £1m in profit. Spend £200,000 on a new IT system and you’d expect to see £2m in productivity increases – a 10:1 ratio – but if you spend £50,000 a year on cybersecurity, what is the resulting pound-value benefit to the business?

Bearing in mind that typically, organisations spend 8-12% of their IT budget on cybersecurity, how can you systematically and quantitatively determine which of the countless cybersecurity tools and technologies available will give your business the best possible increase in cyber-resilience for the money you spend?
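One common way to put a pound value on the question above is the annualised loss expectancy (ALE) model: the expected yearly cost of a threat is the cost of one incident (SLE) multiplied by how often it is expected per year (ARO), and a control’s return on security investment (ROSI) is the loss it avoids, less its cost, divided by its cost. The Python below is an added worked example, not code from the original article, Cymulate or any of the people quoted here. It ranks candidate controls by marginal ROSI and greedily fills a fixed budget. The function names (residual_ale, rosi, allocate) and every threat, cost and mitigation figure are constructed assumptions for illustration only; they are not taken from any study.

```python
"""
Added example (not from the original article): a Return on Security
Investment (ROSI) calculation built on the annualised loss expectancy
model, used to rank candidate controls by loss avoided per pound spent.
All threat, control and cost figures below are constructed for
illustration and are not taken from the article or any study.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    sle: float   # single loss expectancy: cost of one incident, in pounds
    aro: float   # annual rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction of each threat's ARO the control is expected to remove (0..1);
    # threats not listed are unaffected
    mitigation: dict = field(default_factory=dict)


def residual_ale(threats, controls):
    """Total ALE after applying a set of controls.

    Mitigations for the same threat combine multiplicatively, so two
    controls that each remove 50% of a threat leave 25% of it, not 0%.
    """
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.mitigation.get(t.name, 0.0)
        total += t.ale * remaining
    return total


def rosi(threats, baseline_controls, candidate):
    """ROSI = (loss avoided - cost) / cost for adding `candidate`
    on top of the controls already in `baseline_controls`."""
    before = residual_ale(threats, baseline_controls)
    after = residual_ale(threats, baseline_controls + [candidate])
    avoided = before - after
    return (avoided - candidate.annual_cost) / candidate.annual_cost


def allocate(threats, candidates, budget):
    """Greedy allocation: repeatedly buy the affordable control with the
    highest marginal ROSI until nothing affordable still pays for itself."""
    chosen, remaining_budget = [], budget
    pool = list(candidates)
    while True:
        affordable = [c for c in pool if c.annual_cost <= remaining_budget]
        if not affordable:
            break
        best = max(affordable, key=lambda c: rosi(threats, chosen, c))
        if rosi(threats, chosen, best) <= 0:
            break  # nothing left that returns more than it costs
        chosen.append(best)
        pool.remove(best)
        remaining_budget -= best.annual_cost
    return chosen


# Constructed sample data (illustrative only, not from any study).
THREATS = [
    Threat("phishing", sle=80_000, aro=2.0),
    Threat("ransomware", sle=400_000, aro=0.3),
    Threat("web app breach", sle=250_000, aro=0.4),
]

CANDIDATES = [
    Control("next-gen firewall", 60_000,
            {"web app breach": 0.2, "ransomware": 0.1}),
    Control("MFA everywhere", 15_000,
            {"phishing": 0.7, "ransomware": 0.3}),
    Control("patch & config management", 25_000,
            {"web app breach": 0.5, "ransomware": 0.4}),
    Control("phishing training", 8_000, {"phishing": 0.3}),
]


if __name__ == "__main__":
    print(f"Baseline ALE: £{residual_ale(THREATS, []):,.0f}")
    for c in sorted(CANDIDATES, key=lambda c: rosi(THREATS, [], c), reverse=True):
        print(f"{c.name:28s} cost £{c.annual_cost:>7,.0f}  ROSI {rosi(THREATS, [], c):+.2f}")
    plan = allocate(THREATS, CANDIDATES, budget=50_000)
    print("Buy:", [c.name for c in plan])
```

With these made-up numbers the most expensive control (the firewall) has a negative ROSI while cheap controls such as MFA and patching come out on top, which is the shape of result the Accenture/Ponemon finding discussed below describes. The point of the model is not the exact figures, which you will have to estimate for your own business, but that it forces you to write down what each control is expected to stop, and therefore lets two controls be compared on the same scale. Note that marginal ROSI falls as controls stack up: a second control against the same threat only reduces what the first one left behind.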

Cymulate have a handy guide to measuring cybersecurity ROI here.


Carrying On The Football Theme, What’s The Ultimate Goal?


As with any investment, the goal for a business is to get the best possible protection at the best possible cost. Head of North American Cybersecurity Practice at Capgemini, Drew Morefield, says, ‘More money and more investments don’t necessarily translate into better protection’, but he also notes that lots of businesses under-invest in their cybersecurity: ‘[they] lack the tools to combat threats on a consistent basis.’

To increase your odds of maximising your ROI, here are five steps (taken from an article by Sam Greengard and paraphrased by us) every business should take:

1. Assess Your Data – Not all data is equal. A blunt-force approach that protects everything equally results in overspending with no guarantee that critical data is any better protected. The starting point for any cybersecurity investment is understanding the value of your data and the risk tolerance of the business; that is what determines the type of controls you need.

‘Taking a reverse-engineered approach from the data outward to the network, systems, and specific controls and solutions is an efficient way to approach the challenge’ says Drew Morefield. He continues, ‘In a best-case scenario the resulting information can lead to dramatic improvements in compliance and data-governance strategies—and bring about gains in the software-development lifecycle.’

2. Analyse Your Security Environment – Lots of businesses remain wedded to a legacy approach to cybersecurity, focusing on tools such as firewalls, malware protection and DLP, but there is a mismatch between where the money goes and what actually works.

For example, a study by Accenture and the Ponemon Institute found that organisations’ biggest security investments were in perimeter controls such as next-generation firewalls. Yet when the categories were ranked by how effective they actually were at stopping cybercrime, that spend came in fifth.

‘It represented the biggest expenditure but landed in the middle of the pack in terms of results,’ said Kevin Richards. ‘The biggest ROI was related to security-intelligence systems, automation and orchestration and machine learning. Cyber-analytics and behavioural analytics also ranked high.’ The takeaway, Richards said, is that leaders must rethink priorities and better understand what delivers protection and ROI. ‘Some of the things people think are important really aren’t. The cybersecurity environment has changed.’

3. Build Appropriate Controls & Protections – Signature-based tools that rely on blacklists and whitelists are increasingly easy to evade on their own. Once you have assessed your data and analysed your environment, and put appropriate metrics in place, you can align a cybersecurity framework with the level of risk you are actually carrying.

This quantified analysis, the metrics behind it and the framework alignment also help to achieve buy-in from the people holding the purse strings. Paul Calatayud, CSO, Americas for Palo Alto Networks says, ‘There is no such thing as perfect security, but it is possible to be better defended than others’ – important because attackers will always look for the low-hanging fruit first.

4. Don’t Neglect The Basics – Richards states the (often-overlooked) obvious: ‘One of the least expensive ways to maximise security and minimise costs is to focus on basic blocking and tackling. Patching and configuration management are nothing new, and they are constantly discussed in context with cybersecurity. Yet many organisations continue to fall short.’

He also describes multifactor authentication as a relatively inexpensive way to ratchet up protection: ‘Many breaches are completely avoidable by introducing another layer or two of authentication and approval.’ Other ways to cover yourself that won’t break the bank include penetration testing and stress testing, as well as that dreaded word – training. The more people inside your business who can recognise phishing emails (by some estimates the starting point of up to 95% of security breaches), the better, wouldn’t you say?

5. Recognise The Business Benefits – As should by now be clear, measuring ROI across every element of your cybersecurity is very hard, but that’s not to say it’s impossible.

Richards says, ‘You might not see the traditional return you achieve in other parts of the business, but cybersecurity is an investment in organisational quality and operational efficiency.’ There is also reputation to manage. Areas such as application security matter particularly because customers, partners and others make decisions based on the image of a company: apps that crash or infect systems tarnish a brand and result in lost sales, as well as potential fines or lawsuits.


Does ROI On Cybersecurity Matter?


In a word? Yes.

Business investments are optimised through a combination of people, processes and technology. When you have sound metrics in place, along with the right framework for data classification and governance, choosing the right protection methods, controls, and technologies becomes a lot easier. While it’s true that there is no such thing as a bulletproof system, it is eminently achievable to have the best possible security protection at the best possible price.

As you will have undoubtedly read in our recent blog entitled How The Pros Secure Their IT Systems, the aim is to make your IT systems as secure as necessary, not as secure as possible…

Contact us today or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or what’s better, Instagram or TikTok. Never mind, we don’t care either…


Koncise Solutions
