←
Back to Blog
Security best practices
3/28/2025
-
XX
Minute Read
How CISOs can justify their cybersecurity budget
Every year, companies reevaluate their budgets, making tough calls on where to invest for the most impact. In many organizations, cybersecurity spending is often seen as a cost center. However, without adequate security investments, companies put themselves at greater risk for data breaches that could disrupt business operations and damage customer trust, ultimately costing the company a lot more in the end. To minimize these risks, it’s important to quantify them through risk assessments and metrics. When security investments are tied to business priorities and backed by data, they become easier to justify and far more effective in preventing costly incidents down the road.
Why does security need to align with business priorities?
Security must align with business priorities to protect critical assets and allocate resources to high-risk threats. Nearly 9 out of 10 executives (88%) agree that measuring cyber risk is essential for making informed security investments—but only 15% actually measure the financial impact of cyber risks to a significant extent (e.g., extensive cyber risk quantification with automation and extensive reporting).
The consequences of failing to establish an adequate cybersecurity budget can be severe. I’d bucket these into six major areas:
Inability to detect and respond to threats promptly
Underfunded security teams may be less able to detect and respond to threats as they unfold. A major wake-up call for organizations is when they experience recurring incidents, just like what happened to a major tech company that got breached twice in a short period of time. Hackers exfiltrated over 10,000 employee records and 3.5GB of internal data.
Increased vulnerability to cyberattacks, data breaches, and other security incidents
You have increased vulnerability to cyberattacks, data breaches, and other security incidents. Once teams have identified security gaps, the next step is to address them before they are exploited by malicious actors. Without enough headcount and adequate tools, the number of identified critical vulnerabilities can outpace security and IT teams’ ability to close them.
Potential financial losses from theft, fraud, or business disruption
If security controls aren’t designed with business processes in mind, malicious actors can find the weak points and exploit them. Imagine an e-commerce business with a frictionless checkout experience but weak identity verification. That’s an open invitation for malicious actors to run up fraudulent transactions or even trigger chargebacks.
Reputational damage and loss of customer trust
Trust in the company’s brand is vital for customer growth and retention. Losing that trust through a data breach not only hampers growth but can cost the company significant legal fees. I still remember that about a decade ago, a major retailer suffered a massive breach that compromised the personal information of 70 million customers. The company had to cut their earnings forecast as a result.
Regulatory fines and legal liabilities from non-compliance
Regulatory fines and lawsuits from impacted parties can stack up fast. Depending on the industry, failing to meet compliance standards—whether it's GDPR, PCI DSS, or SOX—can result in costly penalties. The fines for GDPR can result in up to 20 million euros or 4% of a company’s global annual revenue.
Reduced ability to support business initiatives and digital transformation
As a part of a technology company’s growth, digital transformation needs to occur. These might include cloud migration projects and new SaaS adoption. With cloud migration projects, the security team’s role, to start, may be to assess the risks of moving data to the cloud and whether the cloud provider can meet an organization’s security requirements. With adopting new SaaS tools, the security team can conduct a third-party risk assessment and validate whether or not a similar tool is already in use within the organization. With implementing AI, the security team can provide oversight into whether or not new AI tools expose or improperly store an organization’s sensitive data.
What metrics should security leaders focus on?
Keep in mind that when presenting security metrics to leadership, it's beneficial to focus on quantifiable numbers that are relevant to the business. Leadership wants to know, “Are we secure?” This is where a roll-up score like the ROSI calculation or RRP (Risk Reduction Percentage) can help.
ROI vs. ROSI. ROI is designed to evaluate the efficiency or profitability of investments. As organizations think about their security budget, the question should be asked, “is our security spend effectively reducing risk?” This is where ROSI (return on security investment) comes into play. In other words, traditional ROI looks at the revenues from investments, while ROSI looks at the risk reduction from investments. ROSI can help leaders calculate what investments are needed to achieve a certain security posture, depending on the organization’s overall risk tolerance.
Formula for ROSI = (Annual cost of security incidents avoided − Annual security investment) / Annual security investment)
The Annual Cost of Security Incidents Avoided refers to the money saved by preventing security incidents, but it’s not just about the average cost of a breach. A way to calculate this is by considering the potential cost of an incident * likelihood of it happening. It’s also worth factoring in extra costs like reputational damage, regulatory fines, and downtime to get a clearer picture of the actual savings. More details on calculating ROSI can be found in the Association for Financial Professionals article here.
Risk Reduction Percentage. RRP measures how much you've lowered your security risk after making an investment in security controls. Simply, it helps you measure how risky things were before you took action versus how much safer they are now.
Formula for RRP = (Risk score before investment − Risk score after investment) / Risk score before investment) × 100%
Organizations can use risk assessment frameworks to calculate a risk score based on factors such as the likelihood of a security incident occurring and the potential impact if it does. This can be derived from methodologies like FAIR or CVSS.
Security scores. Different security services offer their own reporting and ways to measure an organization’s overall security posture. For example, a security score may measure an organizations’ security posture on a scale from 1 - 100, with a higher number reflecting a more secure posture.
Top KPI categories cybersecurity leaders should focus on to maximize ROI
Security leaders should present a big picture view of security maturity. There are many categories of metrics to consider including risk assessment, vulnerability management, incident management, threat detection and prevention, and compliance and governance. While the metrics to prioritize in each organization are different, here are some ways you can bucket security metrics:
Business Impact
Logically, one of the board’s biggest concerns is whether security is actually helping the business run smoothly, minimize downtime, and reduce financial risk. These metrics answer the question, “how much?” and evaluates costs and revenue impact to the business.
- System uptime (impact to revenue)
- Cost per incident
- Number of security incidents
- Number of public security incidents or reputation score
Maintaining system uptime ensures businesses can sustain revenue. When security leaders know how much revenue a company generates in an hour, that insight helps connect the value of system uptime or downtime to revenue impact. For example, Amazon experienced just one hour of downtime, resulting in an estimated $100 million in missed sales.
The cost per incident numbers vary widely but the financial impact could be measured in time to mitigate, time to notify impacted parties, and productivity loss. According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a data breach reached $4.88 million 2024. Security could use similar reports to understand the financial impact of an incident.
Program maturity
Leadership wants to see that security investments contribute to building a mature, proactive security function that reduces risks over time. These metrics quantify the level of risk the organization is exposed to and provide a means to track progress.
- Number of unpatched systems and days to patch
- Number of misconfigured systems and days to fix
- Percent of assets scanned (to look at scanning coverage against your known inventory of assets)
- Percent of systems with no known vulnerabilities
- Percent of employees who’ve completed security training
Performance and efficiency
Incident response metrics are some of security teams' most commonly tracked metrics. These metrics assess the responsiveness and efficiency of your security operations.
- Mean time to detect (MTTD)
- Mean time to respond (MTTR)
- Mean time to contain (MTTC)
Benchmarks
Important benchmarking metrics include the security investment amount (or what percentage of the IT budget goes to security), security posture score (a big picture risk assessment), and compliance scores (how well the company meets standards like NIST, ISO 27001, and PCI DSS). These metrics answer the question, “How do our results compare to those of our peers or vertical?”
Benchmarking metrics can be applied to the above categories of metrics, including business impact, program maturity, and performance and efficiency.
How to prove security’s business value to secure budget
To get cybersecurity budget approval, security leaders must speak the business language. Here are my top recommendations:
First, align security initiatives with business goals. If downtime means lost revenue, it is also worth considering the impact on customer trust. For instance, a data breach can lead to churn, lost deals, and reputational damage, but what’s the real business impact? Are customers less likely to renew contracts? Does it impact brand perception and future sales? Taking that extra effort to measure these impacts in quantifiable terms makes it much easier to justify security investments. When security spending is framed as risk reduction with a measurable business impact, leadership is far more likely to get on board.
Numbers help make the case. Even if it’s not an exact science, putting a dollar value on risk reduction—like estimating the cost of downtime per hour or the potential revenue loss from a breach—gives leadership a clearer picture of what’s at stake.
Additionally, running benchmarks against industry peers can be helpful. If peers spend a lot more on security and have a stronger security posture while your company lags behind, that’s a red flag. Highlighting those gaps can help push for budget increases. Bringing in third-party assessments—like penetration tests, compliance audits, or red team exercises—also adds credibility and provides hard data on where improvements are needed.
Invest in your company’s cybersecurity needs
To recap, security should be seen as an investment that prevents expensive breaches, downtime, and reputational damage. To secure funding, security leaders must align budgets with business goals, quantify risk reduction in financial terms, and benchmark against peers. The key is showing how your security investments reduce risk in a way that makes sense to the business.