
Calculating ROI on cybersecurity investment

Apr 15, 2025

It’s tough to invest in something you can’t see. Cybersecurity is one of those things. When it’s working, nothing happens. Its success lies in its invisibility. But just because it’s out of sight, doesn’t mean it should be out of mind.


When you’re preventing something from happening, for example a data breach or ransomware attack, you’re investing in a non-event. Because you don’t see the consequences you’re avoiding, it can be hard to understand its true value. But that doesn’t mean the value isn’t huge.

The problem is, when you can’t put a number on something, it can often be hard to get buy-in.

So let’s reframe the question. Instead of asking how to calculate ROI on cybersecurity, ask: what is the cost of doing nothing?

What’s the cost of doing nothing?

If your organization were hit with a cyberattack and your systems were down for a full day, how much would that cost the company?

Here is a non-exhaustive list of potential costs to consider:

Lost revenue: A system outage can halt sales for an entire day, if not more. If you’re an e-commerce site, that’s your entire business. If you’re a SaaS company or service provider, it can also mean customers demanding refunds or cancelling subscriptions.

Operational downtime: Critical internal operations, for example order fulfillment, manufacturing, logistics, or billing, could stop, resulting in unhappy customers and lost trust.

Employee productivity: Employees who rely on cloud-based tools, CRMs, or internal systems may be unable to work effectively, if at all. If 100 employees earning $40/hour are idle for 8 hours, that’s $32,000 in lost productivity in just one day.

Additional customer support: Customer support teams are flooded with tickets from frustrated customers and users. This might require you to pay overtime to customer support agents or hire additional temporary staff.

Brand damage and customer churn: If a breach becomes public, customer confidence decreases, especially if sensitive data is involved. A fintech company, for example, hit by a cyberattack might see hundreds of users switch to competitors, leading to long-term revenue loss and increased churn rates.

Remediation costs (incident response, system repair, and vulnerability patching): Post-incident, you’ll need to investigate, fix vulnerabilities, restore systems, and possibly upgrade infrastructure. Hiring a third-party cybersecurity firm to help with incident response can cost tens of thousands, and internal IT staff might need to work around the clock to get systems up and running again.

Potential ransom payments: If ransomware is involved, attackers might demand payment to restore access to encrypted data. Attackers typically research how much your company can afford to pay, and the demand will be large enough to hurt. Even if you don’t pay, the costs of simply recovering from the attack are high.

Regulatory fines: If customer data is compromised, you may be subject to GDPR, HIPAA, or other compliance penalties. Under GDPR, fines can reach up to €20 million or 4% of global annual turnover, whichever is higher.

Employee peace of mind: When a breach happens, it puts mental stress on employees across the organization. Whether they’re in customer support bombarded by endless tickets, in IT trying to get systems back up, or in leadership worried about taking the fall, investing in security can help them worry less and focus on their work.

The list goes on and the costs can add up quickly and impact the organization for months, if not years, into the future.

According to IBM’s 2024 Cost of a Data Breach report, the average cost of a cyberattack was $4.88 million. And that’s just an average. For some industries or critical infrastructure the costs are significantly higher.

Cybersecurity should be seen as a critical business investment

Despite the potential costs of a breach, many companies still treat cybersecurity as an afterthought, rather than a critical business investment. We believe cybersecurity is a core business KPI (key performance indicator). Companies track KPIs across the board, so why is security so often left out?

One of the reasons is that executives simply don’t have a solid understanding of cybersecurity or what it means to be security resilient in the first place. The other is a lack of understanding of how to measure the return on investment (ROI) for cybersecurity.

Is it safe to ride a bike without a helmet?

Let’s take wearing a helmet as an example. Most of the time, you don’t fall off your bike, your skis, or your scooter. But you wear one anyway. Why? Because if something does go wrong, wearing the helmet could save your life.

You don’t wear it out of fear. You wear it because it’s a simple, smart way to protect yourself. Buying a good one costs a little bit of money, but most of us understand that it’s well worth the cost.

Cybersecurity is like your digital helmet. You hope you never need it, but if you ever do, you’re grateful. And in some places, it’s illegal not to wear one.

Non-compliance with increasing security regulations can result in significant financial penalties and leadership accountability

Just as safety measures like wearing a helmet or a seatbelt are becoming legal requirements, organizations are now impacted by regulations like the NIS2 Directive. Now there’s even more incentive to implement preventative security measures.

Under this directive, leadership in critical sectors can be held personally liable for failing to meet cybersecurity standards. That’s not just financial risk, it’s reputational and legal exposure at the executive level.

The benefits of adopting a proactive approach to cybersecurity

By viewing cybersecurity as a strategic investment, companies can better protect themselves from the potentially catastrophic consequences of a cyberattack. And by incorporating it into their KPIs, they can manage and track security risk and progress.

The intangible costs of a cyberattack

The ROI of cybersecurity isn’t just about avoiding financial loss, it’s about ensuring business continuity, protecting customer trust, and staying ahead of threats.

When a breach happens, trust is one of the first things to go.

Customers lose confidence. Partners start asking tough questions. Your brand reputation takes a hit, and it can take years to rebuild. These intangible consequences can have much longer-lasting effects than a one-time fine or ransom payment.

Companies usually survive a breach, but the leaders don’t

At a cybersecurity conference held recently in Iceland by Syndis, Mikko Hypponen spoke about the importance of leadership involvement in cybersecurity.

He said: “Companies usually survive a breach, but you (the leadership) won’t.”


Even without the new regulations, leaders of companies hit with a large attack are often forced to step down. The price of not investing isn’t just about money, it can also cost key individuals in the company their careers.

So, what’s the ROI?

So let’s get back to the original question. What’s the ROI on cybersecurity investment?

It’s the cost avoided by not paying millions in remediation and fines.

It’s the uptime maintained when your systems keep running smoothly.

It’s the reputation preserved when your customers don’t have to worry about their data.

And it's the competitive advantage gained from being known as a company that takes security seriously.

The real question is: Can you afford not to invest in cybersecurity?

The real question isn't “How do I justify cybersecurity spend?” It’s “How much risk am I willing to accept?”

In a world where attacks are more frequent, more sophisticated, and more costly than ever, the answer is probably: not much.

Cybersecurity isn’t just an IT concern, it’s a business-critical investment. And as such, leadership teams need to understand it and be empowered to take action.

That’s where Aftra comes in

Aftra takes the complexity out of cybersecurity, so leadership can understand their organization’s security health, make decisions for improvement, and track and manage security risk.

Interested in learning more about how the Aftra Attack Surface Management solution works?