New metric introduced to measure value of cybersecurity
HackerOne has published a report unveiling security leaders' concerns about the efficacy of return on investment (ROI) when assessing the value of cybersecurity.
The report, titled "When ROI Falls Short: A Guide to Measuring Security Investments with Return on Mitigation", introduces a new metric, Return on Mitigation (RoM), designed to help security leaders quantify the financial benefits of cybersecurity measures in mitigating risks from cyberattacks.
The financial impact of data breaches continues to rise, with the average cost now approaching USD $5 million in the United States. This financial burden has highlighted challenges in applying ROI to cybersecurity expenses, leading to tightened cybersecurity budgets. The value of ROI as a measure of investment performance is well-established, but its applicability to cybersecurity investments is questioned by many in the sector.
"The hardest part of ROI in security is quantifying it," said a Vice President of Security at a leading manufacturing company within the Fortune 500. "It's challenging to measure the cost of a vulnerability or compare solutions, especially when considering factors like reputational damage, downtime, and revenue impact."
The findings of HackerOne's report incorporate responses from 550 security leaders, including Chief Information Officers, Chief Information Security Officers, and security directors.
The study found that 77% of security leaders believe ROI does not adequately consider incident response and long-term stability, which they prioritise in their assessments of cybersecurity strategies. Additionally, 69% reported that ROI focuses too heavily on direct costs, overlooking indirect expenses such as incident response and training.
More than half of the respondents felt that ROI fails to account for essential factors that contribute to the value of cybersecurity. These factors encompass cost savings from avoiding breaches and the protection of non-financial assets such as brand reputation and customer trust.
Alex Rice, Co-Founder and Chief Technology Officer at HackerOne, commented on the challenges faced by security leaders. "When it comes to breaches, we all intuitively know that an ounce of prevention is worth a pound of cure. But without the right metrics, it's hard to advocate for the value of security investments. Return on Mitigation reframes proactive and preventive work as a value driver."
Return on Mitigation frames cybersecurity initiatives in financial terms that align with organisational financial goals. It quantifies the financial impact of preventative cybersecurity practices by estimating the losses avoided from potential breaches, including costs related to regulatory fines, legal issues, reputational harm, and business interruptions.
Rossini Moraes, Information Security Manager at Inter&Co, emphasised the utility of RoM in demonstrating the tangible benefits of proactive mitigation strategies to executive boards. "Return on Mitigation's (RoM) data-driven approach allows us to demonstrate the real impact of proactive mitigation to the board, ensuring our security investments not only protect the bottom line but also strengthen customer trust," he stated.
A Head of Cybersecurity at an enterprise financial infrastructure firm expressed similar sentiments, saying, "RoM allows me to justify a USD $300,000 investment against a potential USD $5 million critical breach. [With this metric], I can show how mitigating vulnerabilities through continuous, offensive security testing can prevent costly breaches and justify the spend."