How to show ROI for Cyber Security

How to show ROI for Cyber Security

*This article was originally posted on LinkedIn here

Allow me to start with a big elephant in the room… Return On Investment (ROI) in cyber security!

For MOST (not all) companies, cyber security products are not a “money maker/earner”. They “take” money and don’t “make money”.


So how can something which doesn’t make money create an ROI?


This has been a big challenge for many years. Cyber security was mostly a non-proactive sale. To simplify it (or to ‘unpolitical correct’ it ) – before our current era of cyber security, products were not something you bought, it was something you were “forced” into reactively because of something that happened or regulations.


Now, in the current era, many companies finally understand that without cyber security you can’t survive in the technological landscape. You can be the most ‘non-technological’ company. But the way you work and communicate will still be technology-based.


To work out ROI for Cyber Security, it needs to based on Threat Risk. You need to quantify the following vectors for each risk:

  • Market Loss
  • Sale Loss
  • Salary Loss
  • Regulation Loss


You don’t Quantify ROI by “how much money the solution will make for you”. You Quantify ROI by “how much money you may lose if you dont use solution X” If the total solution cost is less than the Threat figure (which it is usually) – this is your positive ROI”


Cyber threat is not a question of IF, its a question of WHEN. It has been like that for at least 3-5 years.

Based on the Boardish Methodology which I have created ( – the ROI for Cyber Security is based on:


Quantifying the amount of Mitigation that Solution X provides for Threat Y while integrating the complete cost of Solution X.


To simplify: what is the size of the threat? > how much does my solution help to reduce the risk from the threat? > What is the total solution cost? = Does it make sense to buy the solution


Here is an example from the Boardish application sample dashboard (see screenshot below):

The Threat is: Fire-Water Disaster


The Total Threat Loss is: $119.48M

* the total threat loss is calculated by the Boardish Methodology – see our website for more info


The Solution is: VEEAM – Disaster Recovery


The Total Solution Cost is: $29,500 (Includes the IT labour to install and run the solution)

The Solution contribution on-prem: $107.54M, this means that most of the on-prem threat risk is mitigated by the solution.


(The Solution Contribution In-Cloud is zero because for this example VEEAM is not used for Cloud backups, just on-prem.)


So to sum up what the dashboard shows us:


We have a Threat which has a risk figure of almost $120M and we have a solution which cost $29,500 which mitigates MOST of the threat, the ROI for VEEAM against Fire-Water Disaster is crystal clear – it’s a very easy, positive ROI


Our clients, Our board, and our decision-makers need clarity to make decisions. Let’s give them a clear Risk & ROI quantification!


* From my personal experience, VEEAM is one of the easiest products to sell because of this 🙂 and I use it for my own clients. Big and CLEAR threat with relative non-expensive solution.


Eli Migdal – Founder of Boardish

Quicker IT & CYBER Budget Approvals

When technology meets 'bottom line'. There's Boardish.

Get the pragmatic guide to cyber risk quantification