The Cost of Data Breaches: Why the Numbers Don’t Add Up

Cybersecurity ROI is a flawed metric—here’s what truly matters to business leaders.


The cost of data breaches is a recurring topic in the cybersecurity industry. But here’s the challenge: no two breaches are exactly alike. The impact varies based on factors such as the industry sector, the attack’s target, and the victim’s level of preparedness.

Some costs are easy to quantify—such as forensic investigations, legal and PR expenses, and customer support for affected users. However, many researchers take this analysis further, attempting to estimate business losses and reputational damage. That’s where the exercise turns into a guessing game.

Take the 2024 Cost of a Data Breach report by IBM and the Ponemon Institute. While it provides a detailed methodology, its fine print exposes significant flaws:

  1. Inconsistent Comparisons: Year-on-year analysis is unreliable because sample groups change annually. Additionally, reported costs are estimated in local currencies and then converted to USD at fluctuating exchange rates.
  2. Unverified Respondents: The survey relies on “security and C-suite business leaders with first-hand knowledge of data breaches” at their organizations. But their experience levels vary, and their estimates—especially for factors like “business disruption, lost customers, and reputational damage”—are highly subjective.

This doesn’t mean the data is useless. But drowning in pages of decimal-point calculations often leads to misleading conclusions.

So why do these reports keep resurfacing? They reflect a long-standing belief among some industry leaders and security vendors: that cybersecurity investments must be justified with ROI calculations.

The logic goes like this:

  • Data breaches are inevitable.
  • A breach could cost X.
  • My product prevents breaches and costs Y (which is much less).
  • Therefore, investing in my solution delivers a return of Z.

While compelling on paper, this argument has been used for over two decades—and it simply doesn’t work. The numbers are often arbitrary, no single solution can stop all cyber threats, and executives are bombarded with similar justifications across every department.

At this point, senior leaders don’t need to be convinced that cyber threats are serious. They already know breaches can be costly, even catastrophic. They also understand the potential legal and personal liabilities.

What they need is confidence in their organization’s ability to execute a strong cybersecurity strategy. They need assurance that the right leadership is in place.

Ultimately, the most valuable currency in cybersecurity isn’t money—it’s trust. That’s where CISOs should be focusing their efforts.




JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.

He is a leading strategic advisor and a globally-recognised cyber security thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

A French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.
