
HackerOne recently released a report that found security leaders have largely negative perceptions on the ROI of measuring cybersecurity value. This sparked the cybersecurity company to introduce a new metric to help quantify the financial value of protecting businesses from cyberattacks.

The report, When ROI Falls Short: A Guide to Measuring Security Investments with Return on Mitigation, found that leaders struggle to translate risk reduction into financial terms that justify their budgets, and that this struggle is contributing to shrinking cybersecurity budgets.

“The hardest part of ROI in security is quantifying it,” said one security-focused vice president at a Fortune 500 manufacturing company. “It’s challenging to measure the cost of a vulnerability or compare solutions, especially when considering factors like reputational damage, downtime, and revenue impact.”

The report, which surveyed 550 security leaders, also found:

  • ROI overlooks incident response and long-term stability, which over three-quarters of security leaders (77 percent) prioritize when evaluating their cybersecurity approach.
  • Sixty-nine percent of security leaders also believe ROI overemphasizes direct costs while failing to account for indirect costs like incident response and training.
  • Over half of the leaders stated that ROI fails to consider enough factors contributing to cybersecurity value, including cost savings from avoided breaches and non-financial benefits like protected brand reputation and customer trust.

HackerOne’s new metric

Security leaders in the channel can use HackerOne’s new metric, Return on Mitigation (RoM), to gain a more holistic view of the financial impact of cybersecurity initiatives and to show stakeholders how those efforts align with the organization’s financial goals.

“When it comes to breaches, we all intuitively know that an ounce of prevention is worth a pound of cure,” said Alex Rice, co-founder and chief technology officer at HackerOne. “But without the right metrics, it’s hard to advocate for the value of security investments. Return on Mitigation reframes proactive and preventive work as a value driver.”

The formula quantifies the financial impact of proactive cybersecurity investments by measuring avoided financial losses from a breach. This includes costs prevented by mitigated risks like regulatory fines, legal costs, reputational damage, and business disruptions.

The metric stands out by quantifying intangible cybersecurity benefits like reputation, customer trust, and operational stability, which have a substantial financial impact. By assigning dollar values to potential losses using measures like Customer Lifetime Value (CLTV) and churn rates, RoM turns abstract risks into concrete financial figures. This makes cybersecurity investments more tangible and expresses them in the financial language decision-makers use.

“Return on Mitigation’s data-driven approach allows us to demonstrate the real impact of proactive mitigation to the board, ensuring our security investments not only protect the bottom line, but also strengthen customer trust,” said Rossini Moraes, information security manager at Inter&Co.

By adopting RoM, security professionals can do the following:

  • Justify security budgets: Present logical financial arguments for security investments, making it easier to secure funding.
  • Align with business objectives: Ensure that security initiatives support broader organizational goals.
  • Prioritize effectively: Allocate resources to the most impactful areas by comparing the RoM of different security initiatives.
  • Communicate with stakeholders: Use a common financial language to bridge the gap between technical teams and business leaders.
  • Demonstrate quantifiable risk reduction: Provide measurable evidence of how security investments prevent costly breaches.

“With HackerOne, we see continuous value added to our security program that goes beyond ROI,” said General Motors’ Chief Cybersecurity Officer Kevin Tierney. “The human-powered security approach brings insights we wouldn’t get from internal teams alone, and the real value comes from preventing reputational damage and ensuring our core business remains protected.”

According to HackerOne’s report, standardizing RoM would benefit the entire security community. A common framework for calculating and communicating the financial impact of cybersecurity investments would enable organizations to make informed decisions about security strategies.

The key benefits of RoM standardization include:

  • Unified benchmarking across industries: This would allow organizations to compare RoM scores with industry peers, foster transparency, drive competition, and encourage adoption of best practices.
  • Stronger communication with stakeholders: RoM standardization would bridge technical and business perspectives to simplify conversations about cybersecurity’s value and demonstrate the direct financial impact of security investments, resonating with executives and board members.
  • Better informed vendor and solution evaluation: Vendors can use RoM to demonstrate the quantifiable financial value of their products, and customers can make informed purchasing decisions by comparing RoM-based financial benefits rather than relying on subjective risk assessments.
  • Support for regulators and cyber insurers: RoM would give regulators and standards bodies (the report names NIST, GDPR, and ISO) a consistent method for evaluating the adequacy of an organization’s cybersecurity investments. Cyber insurers could likewise use RoM metrics to set policy premiums.

“RoM allows me to justify a $300,000 investment against a potential $5 million critical breach,” said one cybersecurity leader at an enterprise financial infrastructure provider. “[With this metric], I can show how mitigating vulnerabilities through continuous, offensive security testing can prevent costly breaches and justify the spend.”

Additionally, HackerOne customers can experiment with RoM using the platform’s AI copilot, Hai.

HackerOne has been on a mission to expand access to its security platform through the channel. Discover more about how the company expanded its AWS partnership and channel plans from HackerOne VP John Addeo.
