How to show Return on Investment for cybersecurity

When a new solution is being recommended to improve cybersecurity, it often will require buy-in from one or more people who may not have the technical knowledge to fully understand the benefits.  In those cases, making the business case for the solution can help with budget approval.

How can you show Return on Investment (ROI) for cybersecurity when no solution comes with 100% guarantee? Here are some simple steps to get you there:

  1. What data do you store/maintain/transmit?  You need a rough estimate of both the number of records and the type(s) of data you have, such as 5,000 records with personally identifiable information (PII), 3,000 records with payment card information (PCI) or 10,000 health records (HIPAA).  Make sure you include any data that is stored electronically in your possession even if it is not active.
  2. Estimate the exposure from an incident.  While this will vary based on the type of incident and how much data is actually exposed, an online breach calculator can give you some realistic numbers to bring to the C-suite.  Here is an example that shows 10,000 records of PII:

The estimated cost per record is $89, or a per-incident cost of $887,800 just for the initial response and potential fines and damages.  The cost of remediation (replacing systems, adding new controls, upgrading software) can easily exceed $100,000 on top of this estimate.

  3. Provide the estimated cost of the incident along with the cost(s) of the recommendations to reduce risk, as in this example:

Estimated breach cost                                          $887,800
Typical incident remediation costs                             $150,000
Estimated cost of risk (per incident)                        $1,037,800

Recommendations:
SOCaaS with Managed Detection and Response                      $22,000
Firewall rules review                                            $2,000
24/7 Breach response service with $100,000 annual coverage       $1,996
Total annual cost to reduce risk                                $25,996

This type of exercise helps the business to make informed decisions on additional technology spend, along with your explanation of:

  • What pain or problem does the proposed solution address?  Does it eliminate the need to add staff?  Will it replace an existing cost?  Is it needed to meet a data-protection requirement?  This is key, as failure to meet regulatory requirements can result in additional fines and damages and could even invalidate your insurance claim.
  • How does the proposed solution add value to the investments in technology that you have already made?  In the example above, adding SOCaaS with MDR provides 24/7 monitoring of key assets plus threat detection and response capabilities, which increases the value of the investment in firewalls and endpoint solutions.
  • When possible, align the spend to a business initiative.  If you want to target larger customers, they will ask more questions about your cybersecurity.  If the recommendation was prompted by current customer(s), how much revenue could you lose if you don’t address their concerns?
  • Does the recommendation qualify you for a reduction on your commercial insurance?  The cyber insurance market is undergoing a pricing correction now that there is more data to consider from recent claims.  Insurers are asking a lot more questions when quoting coverage, and having the proposed solutions in place could earn you a discount to help offset the investment.  In the example above, the investment of $1,996/year adds a $100,000 gap policy to cover the commercial insurance deductible and common exclusions, greatly reducing out-of-pocket costs if an incident does occur.
Tracy Fox
