
Financial evaluation of cybersecurity remains a path not very frequented


The Challenge of Evaluating Cybersecurity ROI

Introduction

The financial evaluation of cybersecurity investments remains a complex and often overlooked aspect of organizational risk management. This complexity stems from several factors:

  • CISOs often lack the financial expertise to effectively communicate ROI to board members
  • Cyber risk assessment methods that work well for individual projects struggle to scale to the enterprise level
  • The rapidly evolving nature of cyber threats makes it difficult to quantify long-term benefits of investments

For example, a mid-sized manufacturing company might invest heavily in network security but struggle to demonstrate how this investment directly impacts the bottom line or reduces overall risk exposure.

The Current State of Cybersecurity Evaluation

The lack of standardized methods for evaluating cybersecurity ROI leads to several issues:

  • Ad-hoc approaches that vary widely between organizations
  • Difficulty in comparing cybersecurity postures across industries
  • Overreliance on compliance metrics rather than operational effectiveness

Case in point: A 2020 study by the Ponemon Institute found that only 29% of organizations regularly calculate ROI for their cybersecurity investments.

The Importance of Efficient Resource Allocation

Guillaume Poupard, Director General of ANSSI, emphasized this point: “France wants to be a powerhouse in cybersecurity, but given those against whom we are fighting, the disproportionality of means makes it essential to use our resources well.”

This statement underscores the need for:

  • Clear, objective criteria to assess resource utilization
  • Metrics that go beyond simple compliance checkboxes
  • A focus on operational effectiveness in the face of sophisticated threats

Compliance vs. Operational Cybersecurity

While compliance is important, it’s crucial to recognize its limitations:

  • Compliance does not equal security (e.g., Equifax was PCI-DSS compliant at the time of its massive 2017 data breach)
  • Attackers don’t care about your compliance status; they care about vulnerabilities
  • Operational metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are often more meaningful

Example: The 2020 SolarWinds attack demonstrated that even companies with strong compliance programs can fall victim to sophisticated, long-term breach campaigns.

The Human Factor in Cybersecurity

Organizational and Human Challenges

The similarity in attack methods over time is striking:

  • Kevin Mitnick’s social engineering tactics in the 1990s
  • The 2020 Twitter hack, which also relied heavily on social engineering

This highlights that cybersecurity is not just a technical problem, but a human one. Organizations must address:

  • Security awareness training
  • Insider threat mitigation
  • Building a culture of security

Misalignment of Financial Resources

Current resource allocation often fails to address the most significant risks:

  • Reactive spending after incidents (e.g., Maersk’s $300 million investment following the NotPetya attack)
  • Underinvestment in addressing human factors (only 1-2% of cyber budgets)
  • Lack of proactive, risk-based budgeting

A risk-based approach, as advocated by McKinsey, would involve:

  1. Identifying critical assets and processes
  2. Assessing threats and vulnerabilities
  3. Quantifying potential impact
  4. Allocating resources based on risk prioritization
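The four steps above as a small, runnable risk register (an added illustration, not code from the post or from McKinsey). It assumes the common annualized loss expectancy model, ALE = SLE x ARO, and ranks candidate controls by return on security investment, ROSI = (ALE avoided minus control cost) / control cost; every asset, threat and cost figure is a constructed sample value.

```python
# Added illustration (not from the post): the four risk-based steps as code.
# Assumed model: ALE = SLE * ARO; ROSI = (ALE avoided - control cost) / control cost.
# Every figure below is a constructed sample value, not data from the post.
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str      # step 1: critical asset or process
    threat: str     # step 2: threat paired with a vulnerability
    sle: float      # step 3: loss per incident, in EUR
    aro: float      # step 3: expected incidents per year

    def ale(self) -> float:
        return self.sle * self.aro

@dataclass(frozen=True)
class Control:
    name: str
    risk: Risk
    cost: float       # annual cost of running the control
    reduction: float  # fraction of the risk's ALE the control removes

    def rosi(self) -> float:
        return (self.risk.ale() * self.reduction - self.cost) / self.cost

def allocate(controls, budget):
    """Step 4: fund controls by descending ROSI until the budget runs out.
    A control that costs more than the loss it avoids is never funded."""
    funded, remaining = [], budget
    for c in sorted(controls, key=Control.rosi, reverse=True):
        if c.rosi() <= 0:
            break                      # everything after this loses money
        if c.cost <= remaining:
            funded.append(c.name)
            remaining -= c.cost
    return funded, remaining

# Constructed sample register for a mid-sized manufacturer.
ERP = Risk("ERP system", "ransomware", sle=2_000_000, aro=0.1)                 # ALE 200k
PAYROLL = Risk("Payroll portal", "phished credentials", sle=150_000, aro=0.5)  # ALE 75k
WEBSITE = Risk("Marketing site", "defacement", sle=20_000, aro=0.3)            # ALE 6k
CONTROLS = [
    Control("offline backups", ERP, cost=40_000, reduction=0.6),               # ROSI 2.0
    Control("phishing-resistant MFA", PAYROLL, cost=15_000, reduction=0.8),    # ROSI 3.0
    Control("awareness training", PAYROLL, cost=10_000, reduction=0.3),        # ROSI 1.25
    Control("web application firewall", WEBSITE, cost=12_000, reduction=0.5),  # ROSI -0.75
]

if __name__ == "__main__":
    # -> (['phishing-resistant MFA', 'offline backups'], 5000)
    print(allocate(CONTROLS, budget=60_000))
```

Note that the largest ALE (the ERP) is not funded first: the cheaper MFA control returns more per euro, and the firewall is skipped outright because it costs more than the loss it prevents.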

Current State of Cyber Preparedness

Many organizations remain unprepared for cyber threats:

  • SMEs often lack basic security controls
  • Local governments are increasingly targeted (e.g., Baltimore’s $18 million ransomware recovery costs)
  • Citizens lack the knowledge to protect themselves online

This situation has led some experts to describe the majority of companies as “designed to fail” in terms of cybersecurity. The lack of preparedness extends beyond organizations to individual citizens, who often find themselves “disarmed” in the face of cyber threats.

Growing Awareness vs. Increasing Cyber Debt

While awareness is growing, particularly at the executive level, challenges remain:

  • Cyber budgets are increasing (now ~15% of IT budgets in large companies, according to Accenture)
  • However, this increase isn’t uniform across all sectors
  • Digital transformation often outpaces security implementation

A key issue is the lack of adapted solutions for SMEs, local authorities, and associations. These smaller entities often struggle to implement adequate cybersecurity measures due to limited resources and expertise.

The Challenge of Digital Transformation

Organizations are accumulating “cyber debt” through rapid digital adoption:

  • 79% of digital transformation projects lack adequate cybersecurity measures (Accenture)
  • COVID-19 accelerated digital adoption, often at the expense of security
  • Cloud migration and IoT adoption introduce new risks that aren’t always addressed

Example: A retailer rapidly adopting e-commerce capabilities during the pandemic might inadvertently expose customer data through insecure APIs or misconfigured cloud storage.

The concept of “cyber debt” is particularly relevant in the context of digital transformation. Just as technical debt accumulates when organizations prioritize speed over code quality, cyber debt grows when security considerations are overlooked in the rush to digitize.

Conclusion

To address these challenges, organizations need:

  1. A robust method for assessing cybersecurity ROI that considers both risk reduction and business enablement
  2. A shift from compliance-focused to risk-based security strategies
  3. Greater emphasis on addressing the human factor in cybersecurity
  4. Integration of security into all digital transformation initiatives
  5. Development of tailored cybersecurity solutions for SMEs and local authorities
  6. Increased efforts to educate and empower citizens in cybersecurity

By taking these steps, organizations can better prepare for the evolving threat landscape and turn cybersecurity from a cost center into a business enabler. Moreover, a concerted effort to address cybersecurity at all levels - from large corporations to individual citizens - is necessary to create a more resilient digital ecosystem.

The path to effective financial evaluation of cybersecurity investments may be less traveled, but it is increasingly crucial in our interconnected world. As we continue to navigate the complexities of the digital age, a thoughtful, risk-based approach to cybersecurity will be essential for organizations of all sizes.

This post by Sylvan Ravinet originally appeared on the CaptainCyber blog.
