Cybersecurity initiatives offer financial value to organizations. Board members and non-security executives know this to be true. That’s why worldwide spending on information security reached an estimated $180B in 2024, per industry analyst Gartner.
Still, translating the benefits of cybersecurity into dollars and cents has long been a challenge for security teams. This makes optimizing spending on security initiatives difficult. There’s no standard metric for comparing the impact of one initiative versus another. It’s not because there isn’t quantifiable value. The standard for quantifying the value of an investment is Return on Investment (ROI). Nevertheless, ROI doesn’t directly account for the benefits of cybersecurity measures.
Why ROI Doesn’t Cut It for Cybersecurity
We dive into more detail in our new paper. Here’s the net of it: to calculate ROI, you need a “revenue” or “net profit” value, and cybersecurity initiatives typically don’t directly generate either.
Instead, these initiatives act as a safeguard. They prevent potential losses such as data breaches, business downtime, ransomware attacks, reputational damage, and loss of customer trust. As such, an ROI metric that considers profits gained but not losses avoided fails to adequately capture the true impact.
Why Return on Mitigation (RoM) Over ROI
Security leaders need a metric that reflects the true value of cybersecurity, and ROI isn’t it. Return on Mitigation (RoM) redefines how we calculate ROI for cybersecurity. Instead of focusing on net profit, RoM measures “mitigated losses”: the financial damage avoided through proactive security measures.
If you take a closer look, you’ll notice that the RoM formula is the same as ROI, except that instead of “revenue,” we use “mitigated loss.”
By factoring in mitigated losses instead of revenue, security leaders see a much clearer picture of the financial impact of their cybersecurity efforts. Putting a dollar amount on the losses they’ve prevented gives a clearer view of the bottom line.
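The following Python script is an added example, not code from the original post, that works the substitution through for a small portfolio of controls and ranks them, which is the comparison-across-initiatives use the post describes. Everything in it is an assumption of mine: ROI is taken as (revenue − cost) / cost and RoM as (mitigated loss − cost) / cost, mitigated loss is modelled as the drop in expected annual loss (impact × reduction in likelihood), and the initiative names and dollar figures are constructed for illustration.

```python
"""Added example (not from the original post): ROI vs Return on Mitigation.

Assumptions (mine, not stated on the page):
- ROI = (revenue - cost) / cost
- RoM = (mitigated_loss - cost) / cost, i.e. the ROI formula with
  "mitigated loss" in place of "revenue", as the post describes.
- Mitigated loss is modelled as the drop in expected annual loss:
  impact * (likelihood before the control - likelihood after it).
All initiatives and dollar figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Initiative:
    name: str
    cost: float           # annual cost of the control (USD)
    impact: float         # estimated loss if the event occurs (USD)
    p_before: float       # annual likelihood of the event without the control
    p_after: float        # annual likelihood with the control in place
    revenue: float = 0.0  # direct revenue generated; typically zero for security

    def mitigated_loss(self) -> float:
        """Expected annual loss avoided by running the control (assumed model)."""
        if not 0.0 <= self.p_after <= self.p_before <= 1.0:
            raise ValueError(f"{self.name}: need 0 <= p_after <= p_before <= 1")
        return self.impact * (self.p_before - self.p_after)


def roi(revenue: float, cost: float) -> float:
    """Classic ROI: net gain relative to cost."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (revenue - cost) / cost


def rom(mitigated_loss: float, cost: float) -> float:
    """Return on Mitigation: the ROI formula with mitigated loss as the gain."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (mitigated_loss - cost) / cost


def compare(initiatives: List[Initiative]) -> Dict[str, Tuple[float, float]]:
    """Map each initiative name to its (ROI, RoM) pair."""
    return {i.name: (roi(i.revenue, i.cost), rom(i.mitigated_loss(), i.cost))
            for i in initiatives}


def rank_by_rom(initiatives: List[Initiative]) -> List[Tuple[str, float]]:
    """Initiatives ordered from highest to lowest RoM."""
    scored = [(i.name, rom(i.mitigated_loss(), i.cost)) for i in initiatives]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample portfolio (illustrative numbers only, not real data)
SAMPLE = [
    Initiative("MFA rollout",       cost=50_000,  impact=2_000_000, p_before=0.30, p_after=0.05),
    Initiative("Immutable backups", cost=120_000, impact=3_000_000, p_before=0.10, p_after=0.02),
    Initiative("Vanity dashboard",  cost=80_000,  impact=500_000,   p_before=0.05, p_after=0.04),
]

if __name__ == "__main__":
    for name, (r, m) in compare(SAMPLE).items():
        print(f"{name:18s} ROI {r:+.2%}   RoM {m:+.2%}")
    print("Ranked by RoM:", [name for name, _ in rank_by_rom(SAMPLE)])
```

With revenue at zero, ROI comes out at −100% for all three controls, so it cannot tell them apart. RoM separates them (roughly +900%, +100% and −94%) and flags the dashboard as a control whose cost exceeds the loss it avoids, which is the prioritisation signal the post argues ROI never gives.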
The Call for RoM Standardization
For security leaders, adopting RoM bridges the gap between the theoretical value of cybersecurity testing and the reality of loss prevention. It empowers them to justify security budgets more accurately, communicate value to stakeholders effectively, demonstrate quantifiable risk reduction, and prioritize their resources better. All of this is achieved through a common financial language.
Now imagine if that common language was also common within an organization and across cybersecurity. The standardization of RoM would offer significant benefits to the entire security community. Establishing a common framework for calculating the financial impact of cybersecurity investments would allow organizations to make more informed decisions. This would enhance their security strategies.
When everyone can calculate loss prevention with the same metric, they can benchmark with peers. They can also compare across industries. This helps them better evaluate vendors and solutions. Meanwhile, it also provides greater support for regulators and cyber insurers. They need clear, methodical financial loss data to design regulatory standards. These standards help assess the adequacy of cybersecurity investments.
Conclusion
You’ll remember my stance heading into this year. The fight against cyber threats will not be easy. We’re in this fight together. The standardization of RoM is just one practical way organizations can come together in cybersecurity. By implementing an effective and common method, we can measure the value of cybersecurity investments better. It brings us one step closer to taking down cyber threats on a universal scale.
We can walk a prospect through a model showing the potential financial impact of threats we mitigate and the value we deliver. It builds immense trust and moves the discussion from features to tangible business outcomes.
a cybersecurity concept that speaks the language of business value. ‘Return on Mitigation’ reframes security spending from a sunk cost to an investment with a measurable return. By focusing on the financial impact of the incidents we prevent, we can make much more informed capital allocation decisions. This allows us to treat cybersecurity like any other business function that contributes to operational efficiency and protecting the bottom line.”
As a founder with limited resources, every dollar counts. The ‘Return on Mitigation’ concept is a survival tool. It forces us to prioritize the security measures that will have the biggest financial impact on our survival and growth. We’re not trying to boil the ocean; we’re strategically investing in mitigations that directly protect our core IP and operational capability, and this framework shows us exactly how to do that.
Instead of seeing security as a scope-creep or a delay, we can quantify its value in protecting the project’s future ROI.
It helps prioritize our daily tasks based on what actually protects business value, not just what’s technically interesting.
Just wanted to drop a note of appreciation. In a world full of superficial content, your blog provides genuine, actionable value. Your articles have helped me make informed decisions for my business on multiple occasions. We eventually decided to engage your firm for a full security audit, and it was the best decision we made all year.
The investment has already paid for itself. The new system has automated so many manual tasks, freeing up our team to focus on more strategic work.
Highly recommend for any business looking to scale efficiently.
Integrating ‘Return on Mitigation’ into our project planning has been a revelation. We can now perform a cost-benefit analysis for security requirements on new applications.
The project was completed on time and on budget, with clear communication at every stage. They demystified the tech process and made us feel informed and in control throughout.
Seeing that our mitigation efforts ‘returned’ several million dollars by preventing likely outages and breaches is the kind of clarity we need for governance and oversight.
This framework elegantly connects technical controls to business risk in a quantifiable way. Instead of just checking boxes for compliance, we can now demonstrate how each control contributes to financial resilience. ‘Return on Mitigation’ allows us to model the value of our compliance efforts, proving that they are not just about avoiding fines but are active, value-generating investments in the company’s stability.
Cybersecurity reporting has often been a confusing list of technical metrics. The ‘Return on Mitigation’ concept cuts through the noise. It provides a clear, business-centric dashboard showing how our security investments are actively protecting shareholder value.
It’s easy to get lost in a sea of alerts. The ‘Return on Mitigation’ model gives our work concrete context. When I can see that the firewall rule I tuned last month directly prevented a ransomware variant that would have cost the company $X in downtime, it’s incredibly validating.
Adopting the ‘Return on Mitigation’ narrative has completely changed our sales conversations. We’re no longer just selling ‘better security’; we’re selling demonstrable financial protection and a positive ROI.
The ‘Return on Mitigation’ model provides a powerful methodology for them to self-assess the efficacy of their controls. I can now advise clients not just on if they are compliant, but on how valuable their security program is, which is a far more mature and business-aligned conversation.
This approach has been transformative for our IT and security team alignment. We’re no longer seen as the ‘department of no.’ By calculating the ‘Return on Mitigation,’ we can present a clear business case for why a specific patch deployment or system upgrade is urgent. It turns a technical recommendation into a compelling financial argument that gets the resources and priority it deserves from business unit leaders.
“This ‘Return on Mitigation’ framework is exactly the language we’ve needed to bridge the gap with the board. Instead of talking about abstract ‘risk reduction,’ we can now quantify the value of preventing a likely attack. It shifts the conversation from ‘How much does security cost?’ to ‘How much value did our mitigations generate this quarter?’ by tying them directly to thwarted business disruption. A game-changer for strategic planning.”
‘Return on Mitigation’ provides the clearest picture I’ve ever seen of how our cybersecurity spend is an investment, not just an expense. It translates the fantastic work of our security team into the language of business performance: dollars saved, downtime avoided, and reputation protected. This is crucial for making strategic decisions about where to invest for growth while intelligently managing one of our most significant operational risks.