Prove Your Worth: How to Measure Cybersecurity ROI and Impress Your Board

CISOs often struggle with proving ROI from security initiatives when trying to secure buy-in from the board and prioritize budget. A recent survey of security professionals found that nearly a third remained unsure of how best to measure the effectiveness of security programs. When asked how they do measure success, we see how confusion reigns: 

• Efficacy of security measures: 47%
• Risk assessment (internal or external): 57%
• Agility and speed of security teams' responsiveness: 56%
• Financial savings estimated from avoiding risk: 52%
• Estimated savings of reputational or customer-related impacts as a result of a security initiative: 50%
• Absence of incidents or breaches: 45%
• Discount on cyber insurance: 25%

This is no surprise when it’s very hard to answer how you measure the impact of not experiencing a breach.

We’re continually curious about how our customers measure ROI. OneWeb, a global communications company providing broadband internet access from low Earth orbit (LEO) satellites, said they measure success by highlighting in executive reporting the financial, reputational, or business damage that could arise from an identified vulnerability remaining active. In some cases, the business value of HackerOne community findings has far exceeded the entire annual bug bounty budget! They group these savings into three categories:

1. Resource savings for our internal team that doesn’t have to spend time threat hunting. 
2. Financial savings, in terms of reducing costly third-party penetration testing.
3. Avoiding fines or customer reparation due to vulnerabilities that might be found too late.

Other customers, like Hyatt, have used their security posture to bargain for a lower premium for their cyber insurance. The insurers know that a company with strong security practices is much less likely to get breached, so it makes sense to give discounts on the insurance premium to such customers.

Another way to approach the problem is, instead of focusing on what didn’t happen, to look at the results in terms of what constitutes success in modern software development. All companies are becoming technology companies, and faster time to market and customer trust are key competitive advantages. Security programs must evolve to match the pace of modern business, enabling products to be released faster without being blocked by pentest schedules. GitLab focuses on the impact security has on development and production. They have made security a part of everyone’s role, with developers and security teams alike being responsible for keeping their code and product secure. While every critical vulnerability reported through their program is considered a major breach avoidance, they also recognized that results like a 58% decrease in valid critical reports for Server-Side Request Forgery are crucial to delivering more secure products, faster. 

When it comes to thinking about bounty spend and subsequent results, most of our customers pay close attention in the early years of their program to how many high-severity and critical bugs are found and measure success on the number and severity of the findings. After they’ve been running a program for a few years though, we’re going to see fewer reports, due to those vulnerabilities being fixed and developers avoiding introducing them in the first place. The measure of success then changes to celebrating how few reports they receive, despite being able to offer more lucrative bounties. This is the ideal position to be in, as customers can then afford to offer higher bounties for really unique reports, without necessarily making huge changes to their bounty pools. 
We can’t tell you the magic formula for proving returns on investment, but we continue to collaborate with our customers to tell the most compelling story about how security programs add value. Speak to one of our experts today about how you measure success.