However, in cybersecurity, quantifying net profit becomes significantly more complex due to the intangible nature of its benefits and the absence of direct revenue generation. Cybersecurity investments typically do not produce direct income; instead, they function as protective measures that prevent potential losses such as data breaches, business downtime, ransomware attacks, damage to brand reputation, and loss of customer trust.
1. How do you assign value to risks associated with vulnerabilities?
A majority of security leaders in our survey cited the following direct and indirect costs as important considerations when evaluating the risks associated with vulnerabilities:

| % of Respondents | Assessing the risk of a vulnerability | Implication |
|---|---|---|
| 82% | Emphasized the importance of customer trust and brand reputation in risk assessments | Non-financial aspects like customer trust and brand reputation are seen as essential when assessing cybersecurity risks. |
| 77% | Rated compliance and regulatory implications highly in risk evaluations | Compliance with regulations and avoiding penalties are critical factors driving security investments. |
| 84% | Highlighted operational impact as a key risk consideration | Organizations prioritize minimizing disruptions to operations when evaluating the importance of addressing security vulnerabilities. |
Introducing Return on Mitigation (ROM): Proof of Cybersecurity’s Profitability
Initially introduced by HackerOne in a SANS white paper, ROM is an ROI calculation that uses “mitigated losses” as the investment’s upside instead of net profit. It’s a simple but powerful shift in mindset that demonstrates how cybersecurity can be considered profitable for a business rather than a cost center.
2. How do I simplify cybersecurity’s value in monetary terms?
One of the most compelling aspects of ROM is its ability to translate the benefits of cybersecurity into the most universally understood language: money. For executives and board members, especially those responsible for financial oversight, such as Chief Financial Officers (CFOs), the decision to invest in cybersecurity initiatives often hinges on a clear understanding of their financial impact. ROM enables cybersecurity leaders to express complex security concepts in terms that resonate with non-security stakeholders by attaching dollar values to both the risks and the benefits of cybersecurity measures.
How to Use ROM to Justify Budget
ROM can help security teams justify their budget requests by quantifying the potential financial impact of mitigated risks. By showing how investments in tools, training, or personnel can prevent costly incidents, ROM turns abstract risks into clear financial metrics that resonate with executives and board members.
3. How do I quantify the intangible benefits of cybersecurity?
One of ROM’s strengths is that the calculation allows the inclusion and quantification of intangible aspects of cybersecurity, such as reputation, customer trust, and operational stability. These factors, while not directly tied to revenue generation, have significant financial implications. For instance, a data breach can erode customer trust, resulting in churn and lost future sales. By assigning a dollar value to these potential losses based on factors like Customer Lifetime Value (CLTV) and projected churn rates, ROM transforms abstract risks into concrete financial metrics. This approach not only makes the benefits of cybersecurity investments more tangible but also aligns security initiatives with the financial language used in boardrooms.
How to Use ROM to Prioritize Security Initiatives
ROM can help organizations prioritize security initiatives by focusing on those that offer the highest potential for mitigating financial losses. This ensures resources are allocated to the most impactful areas, improving the overall efficiency of the security program.
4. How do I secure budget approval?
ROM streamlines the budget approval process by providing security teams with a framework to build a compelling business case for their funding requests. By demonstrating how investments in security tools, training, or personnel translate to avoided costs and improved financial outcomes, ROM allows cybersecurity leaders to speak directly to the concerns of financial decision-makers, increasing the likelihood that security budgets will be approved.
How to Use ROM to Compare Investment Options
Organizations can use ROM to compare different security programs or initiatives based on their cost-effectiveness. For instance, the ROM for a bug bounty program could be compared with traditional penetration testing services to determine which approach yields a higher return in terms of risk reduction.
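The two ideas above, putting a dollar figure on intangible losses through churn and Customer Lifetime Value, and comparing two programs by their ROM, can be carried through as a small calculation. The following is an added example, not HackerOne's own calculator or the formula from the SANS white paper: it assumes ROM takes the standard ROI shape, (mitigated losses - cost) / cost, that "mitigated losses" is the annualized expected loss of a scenario scaled by how much of it a control is assumed to prevent, and that all scenario figures (probabilities, costs, churn, CLTV, effectiveness fractions) are constructed placeholders, not survey data.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class LossScenario:
    """One loss event a security control is expected to prevent or reduce.

    The impact combines direct costs (response, legal, fines), business
    downtime, and the intangible loss of customers, expressed as churned
    customers multiplied by Customer Lifetime Value (CLTV).
    """
    name: str
    annual_probability: float        # likelihood the event occurs in a year (0..1)
    direct_cost: float               # incident response, legal, regulatory penalties
    downtime_hours: float            # hours of business interruption
    revenue_per_hour: float          # revenue lost per hour of downtime
    customers_churned: int           # customers expected to leave after the event
    customer_lifetime_value: float   # CLTV per lost customer

    def impact(self) -> float:
        """Total cost if the event happens once."""
        return (self.direct_cost
                + self.downtime_hours * self.revenue_per_hour
                + self.customers_churned * self.customer_lifetime_value)

    def expected_annual_loss(self) -> float:
        """Probability-weighted loss per year (annualized loss expectancy)."""
        return self.annual_probability * self.impact()


@dataclass
class SecurityInvestment:
    """A program (e.g. bug bounty, penetration test) with an annual cost and the
    fraction of each scenario's expected loss it is assumed to prevent."""
    name: str
    annual_cost: float
    # (scenario, effectiveness) pairs; effectiveness is the assumed fraction
    # of that scenario's expected loss the program mitigates (0..1)
    coverage: list[tuple[LossScenario, float]] = field(default_factory=list)

    def mitigated_losses(self) -> float:
        return sum(s.expected_annual_loss() * eff for s, eff in self.coverage)

    def rom(self) -> float:
        """Return on Mitigation as a ratio: (mitigated losses - cost) / cost.

        Assumed to follow the standard ROI shape with mitigated losses as the
        upside; a ROM above 0 means the program mitigates more than it costs.
        """
        if self.annual_cost <= 0:
            raise ValueError("annual_cost must be positive")
        return (self.mitigated_losses() - self.annual_cost) / self.annual_cost


def rank_by_rom(investments: list[SecurityInvestment]) -> list[SecurityInvestment]:
    """Order investment options from highest to lowest ROM."""
    return sorted(investments, key=lambda inv: inv.rom(), reverse=True)


# Constructed sample scenario (placeholder figures, not survey data):
# a customer-data breach with direct costs, two days of downtime and churn.
BREACH = LossScenario(
    name="customer data breach",
    annual_probability=0.25,
    direct_cost=400_000.0,
    downtime_hours=48.0,
    revenue_per_hour=5_000.0,
    customers_churned=500,
    customer_lifetime_value=1_200.0,
)

# Two constructed investment options assessed against the same scenario.
BUG_BOUNTY = SecurityInvestment("bug bounty", 120_000.0, [(BREACH, 0.7)])
PENTEST = SecurityInvestment("penetration test", 60_000.0, [(BREACH, 0.3)])


if __name__ == "__main__":
    for inv in rank_by_rom([PENTEST, BUG_BOUNTY]):
        print(f"{inv.name:18s} cost={inv.annual_cost:>10,.0f} "
              f"mitigated={inv.mitigated_losses():>10,.0f} ROM={inv.rom():.1%}")
```

With these placeholder inputs the breach carries an expected annual loss of 310,000, of which the churn term (500 customers x 1,200 CLTV) is the largest component; that is the intangible cost the text describes being made concrete. Both programs have positive ROM, but the ranking shows the bug bounty ahead despite its higher cost, because the comparison is driven by losses mitigated per dollar, not by price alone. Replace the effectiveness fractions with figures you can defend (historical findings, coverage of the asset in question), since ROM is only as credible as that assumption.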
5. How do I align security initiatives with business objectives?
By nature, ROM supports the alignment of cybersecurity initiatives with broader business objectives. When security investments are framed as measures that protect revenue streams, maintain customer loyalty, and ensure operational continuity, they are more likely to be perceived as essential components of the company’s strategic planning. All of these can be quantified and included in the calculation’s “mitigated losses” parameter. ROM enables cybersecurity leaders to provide a compelling narrative that aligns with the organization’s business objectives.
How to Use ROM to Improve Board Reporting and Stakeholder Communication
ROM provides a financial metric that translates cybersecurity benefits into terms that non-technical stakeholders understand. It can be used in board reports or presentations to demonstrate how cybersecurity investments contribute to the organization’s financial resilience.
6. How do I measure the impact of risk mitigation efforts over time?
ROM can be used as a metric to track the effectiveness of risk mitigation efforts over time. By calculating ROM annually or quarterly, organizations can assess how well their security measures are performing in terms of reducing potential losses.
How to Use ROM to Analyze the Financial Impact of an Incident
After a security incident, ROM can be used to assess the financial impact of the event and determine the effectiveness of mitigation measures that were in place. This analysis can inform future strategies to strengthen the organization’s security posture.
Read our blog to learn more about calculating ROM for your organization, and stay tuned for our upcoming white paper: Measuring What Matters: CISOs Guide to ROI Through Loss Mitigation.