
8 ways to track ROI and demonstrate the team’s value


COMMENTARY: Security leaders today are caught in a tricky balancing act. They're asked to do more with less, while simultaneously turning cybersecurity from a cost center into something that actually builds customer confidence and loyalty.

This puts CISOs in a tough position. Threats keep mounting while budgets get tighter — which means they have to allocate spend strategically. To handle the workload, security leaders must decide whether to invest in technologies that leverage AI and automation or to increase headcount, and they face equally difficult decisions about where to trim the budget. Through it all, they need to show that every penny spent on security isn't just an expense, but an investment in the company's future.

Automate or hire?

CISOs have to first assess alignment between security and business goals. Deciding whether to invest in additional personnel or lean into automation does not have a one-size-fits-all answer: it largely depends on an organization's maturity, priorities, and risk tolerance.


Organizations with low risk tolerance may require more staff for proactive risk management. Start by framing all requests in terms of business value — reducing risk, enabling growth, and driving trust. Then evaluate all investments to see if automation makes more sense in terms of money spent and quality of the job completed.

If choosing automation, security information and event management (SIEM) and security orchestration, automation and response (SOAR) technologies have long been the standard for automating the repetitive tasks that bottleneck security operations. Today, there are also options beyond these traditional platforms that leverage AI to offer intelligent response and data reasoning capabilities previously unseen. These advancements don't eliminate the role of the security operations team — rather, they elevate it, letting analysts focus on strategic priorities like high-risk alert investigations and creating more sophisticated detection rules.

Know where to make the cuts

When facing tight budgets, CISOs must make strategic decisions about where to reduce costs without compromising security. We have to eliminate unnecessary spending while preserving the essential elements of a strong security program.

Areas where CISOs can look to cut costs include the following:

  • legacy tools or overlapping functions that no longer add value;
  • investments in areas that only marginally reduce risk;
  • expensive, custom-built tools that lack the functionality and efficiency of market alternatives;
  • rarely used incident response retainers, which CISOs can replace with zero-dollar alternatives; and
  • legacy approaches that can be replaced with modern ones, particularly in areas like governance, risk, and compliance (GRC), where continuous monitoring platforms can replace manual processes, or in vendor risk management (VRM), where questionnaire automation can significantly reduce resource requirements while improving coverage.

But don’t put all areas on the chopping block. Certain security functions are too critical to compromise, such as compliance efforts that drive trust with customers. In addition, focus on security fundamentals, such as endpoint detection and response (EDR), patch management, and identity and access management (IAM). CISOs should also keep educating their teams and building new skills.

By cutting budgets from areas that add minimal value or are redundant, while preserving investments in core security functions, compliance, and personnel, CISOs can achieve cost savings without putting the organization at greater risk.

Measure ROI

It’s difficult to quantify cybersecurity ROI because, unlike other business functions where spending is tied to achieving an outcome, security investments are made to prevent an outcome — namely, security breaches. This makes it challenging to directly attribute revenue to cybersecurity efforts. However, there are several ways CISOs can measure and demonstrate ROI:

  • Track KPIs to demonstrate security program maturity improvements, enabling business expansion into new markets while reducing organizational risk.
  • Evaluate the reduction in security incidents and associated cost savings from avoided breaches.
  • Measure security’s impact on business enablement, such as deals closed because of a strong security posture.
  • Quantify automation efficiency, showing time saved and faster response times through automated processes.

Demonstrate the team’s value

Numbers help tell the story when it comes to showing ROI from investments. Security leaders know that to get — and keep — executive support, they need to show how security drives business forward. This includes looking at:

  • Revenue impact: Track important security certifications that contribute to revenue growth, customer retention, and deals won due to security assurances.
  • Risk reduction and program maturity: Demonstrate how enhanced security controls and stronger defenses reduce the frequency and severity of incidents, ultimately enabling the organization to enter new markets, including more regulated industries.
  • Customer and partner trust: Highlight how strong security initiatives improve customer confidence and reinforce long-term business relationships.
  • Compliance as a value driver: Show how achieving leading certifications opens doors to new business opportunities and partnerships.

Success in today’s environment requires CISOs to stay both strategic and practical — allocating resources effectively, balancing automation with human expertise, and demonstrating the undeniable business value of security.

Jadee Hanson, chief information security officer, Vanta

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
