Introduction

I need to say something that will make security vendors hate me. Most security spending is wasted.

Not all of it. But most of it.

I have watched companies spend millions on security tools that never detected a single threat. I have seen teams buy CNAPP platforms that sat unused. I have pitched security features to customers who said "that's nice but we won't pay for it."

The security industry has a dirty secret. We cannot prove ROI for most of what we sell.

Try calculating the ROI on a SIEM that never caught an attack. What is the return on a vulnerability scanner that found issues you never fixed? How do you measure the value of compliance frameworks when the only reason you implemented them is because a customer required it?

Security is broken as a business model. We sell insurance. You pay for it. You hope to never use it. And when nothing bad happens, executives ask why we spent the money.

This article will make people angry. But I am happy if you prove me wrong.

Why Security ROI Calculations Are Fiction

Every security vendor has an ROI calculator. They all work the same way:

  1. Estimate the cost of a breach (usually $4-5 million based on IBM's annual report)
  2. Estimate the probability their product prevents that breach (always conveniently high)
  3. Multiply breach cost by probability
  4. Subtract product cost
  5. Show massive positive ROI

This is fiction.

Here is why. You cannot measure something that did not happen. If your EDR prevented ransomware, how do you know? Maybe the attacker never targeted you. Maybe your firewall blocked them first. Maybe they tried and failed for unrelated reasons.

Security vendors claim credit for negative events. "We prevented 10,000 attacks this month." No, you blocked 10,000 network requests. Most were benign. Some were bots. A few might have been malicious. You have no idea what you actually prevented.

I have sat in meetings where security teams presented ROI calculations. The CFO asked "how do you know this attack would have succeeded without your tool?" The security team had no answer.

The honest answer is "we don't know." But nobody wants to say that.

The Only Security That Sells: Compliance

In my experience, only one type of security spending gets approved without a fight. Compliance.

SOC 2. ISO 27001. HIPAA. PCI-DSS. These sell because they have clear ROI. You get the certification. You win the customer. Revenue goes up.

Compliance-driven security has a business case. You can calculate the value of contracts you would lose without it. You can measure the sales cycle time reduction when prospects see your SOC 2 report.

Everything else is harder.

I pitched a customer on enhanced logging and monitoring. Better threat detection. Faster incident response. They asked "what is the ROI?"

I said "if we get breached, we will detect it faster and reduce impact."

They said "have we been breached before?"

I said "no."

They said "then why do we need this?"

But when the same customer needed SOC 2 for an enterprise deal, they approved the budget immediately. Same security controls. Different justification.

Compliance works because it ties to revenue. Everything else is a hard sell.

Why Customers Won't Pay for Security

Here is the fundamental problem. Security spending has negative ROI until something bad happens.

You spend $100,000 on security tools. Nothing bad happens. Your ROI is negative $100,000.

Your competitor spends nothing on security. Nothing bad happens to them either. Their ROI is $0.

Your competitor wins. They are more profitable.

This only changes when something bad happens. Then suddenly security has infinite ROI. But by that point it is too late.

This is why security feels like insurance. You pay premiums hoping never to use it. When nothing bad happens, you feel like you wasted money. When something bad happens, you wish you had spent more.

The problem is that most companies never get breached. Or if they do, they never know it. So they keep thinking security spending is wasted.

Proactive security spending is nearly impossible to justify. Reactive security spending is easy but expensive.

What CFOs Actually Care About

I have pitched security budgets to CFOs. Here is what they actually care about:

Revenue protection. Will losing this customer because we lack security hurt more than the security investment costs?

Compliance costs. How much does an audit finding cost to remediate? Is it cheaper to implement controls proactively?

Insurance premiums. Some cyber insurance requires specific controls. If those controls reduce premiums by $50,000 annually, the math works.

Brand damage. How much revenue would we lose if we had a public breach? This is hard to quantify but executives understand it.

CFOs do not care about:

Theoretical breach costs. The $4 million average breach cost is meaningless. That is not your company. Your breach might cost $100,000 or $100 million.

Prevented attacks. You cannot prove a negative. Saying "we prevented 50 attacks" does not impress anyone.

Industry benchmarks. "Companies our size spend 8% of IT budget on security" is not a business case.

Feature parity. "Our competitor has this security feature" only matters if customers ask for it.

The CFO wants to know: what is the business impact of spending or not spending this money?

If you cannot answer that, you will not get the budget.

How I Justify Security Spending Now

I stopped trying to prove ROI on security. Instead, I use different frameworks for different security investments.

Tier 1: Non-Negotiable Baseline

Some security is not optional. Firewalls. Encryption. Basic access controls. Patching.

I do not calculate ROI on these. I tell executives "this is the cost of operating securely. If we don't do this, we are negligent."

Nobody argues with this. It is like asking for ROI on paying rent.

Tier 2: Compliance-Driven

Everything required for SOC 2, ISO 27001, HIPAA, or customer security requirements.

ROI is simple. This certification unlocks X dollars in revenue. This investment costs Y dollars. If X > Y, we do it.

This is the easiest budget to get approved.

Tier 3: Risk Reduction

This is everything else. Advanced threat detection. CNAPP platforms. Security automation.

For these, I use a different approach. I estimate the cost of a realistic breach scenario specific to our company.

Not the $4 million industry average. Our actual scenario.

Example: "If our database got breached, we would have to notify 100,000 customers. Notification costs $50,000. Legal costs $100,000. PR crisis management $50,000. Customer churn from brand damage costs $500,000. Total: $700,000."

Then I estimate the probability. Not "this tool prevents all breaches." Be honest.

"This tool reduces our detection time from 90 days to 1 day. If we get breached, we will lose 90x less customer data. Our breach cost drops from $700,000 to $100,000. Our expected savings are $600,000."

"The tool costs $50,000 annually. If we have a 10% chance of getting breached in the next year, our expected ROI is $60,000 - $50,000 = $10,000."

This is honest math. It shows I understand the business. It gives CFOs numbers they can work with.

And if the ROI is negative? I do not ask for the budget. Simple.
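As an added illustration (not code from the original post), here is the Tier 3 arithmetic written out as a small Python model. It uses the post's own scenario figures ($700,000 breach cost, $100,000 with the tool, a 10% chance of a breach in the year, $50,000 tool cost) and generalizes slightly: it also computes the break-even breach probability and runs the same tool through several probabilities, which is where "if the ROI is negative, I do not ask for the budget" bites. The scenario figures are the post's illustrative numbers, not measured data; the class and function names are assumptions of this example.

```python
"""Expected-value check for a Tier 3 (risk reduction) security investment.

Added example, not from the original post. It implements the post's formula:
    expected ROI = P(breach) * (breach cost without tool - breach cost with tool)
                   - tool cost
The dollar figures are the post's illustrative scenario, not measured data.
"""
from dataclasses import dataclass


@dataclass
class BreachScenario:
    """Cost components of one realistic breach scenario for your own company
    (not an industry average)."""
    notification: float
    legal: float
    pr_crisis: float
    churn: float

    def total(self) -> float:
        return self.notification + self.legal + self.pr_crisis + self.churn


def expected_roi(cost_without: float, cost_with: float,
                 breach_probability: float, tool_cost: float) -> float:
    """Expected ROI over the period, per the post's formula."""
    if not 0.0 <= breach_probability <= 1.0:
        raise ValueError("breach_probability must be between 0 and 1")
    expected_savings = breach_probability * (cost_without - cost_with)
    return expected_savings - tool_cost


def breakeven_probability(cost_without: float, cost_with: float,
                          tool_cost: float) -> float:
    """Breach probability at which the tool exactly pays for itself.
    A useful CFO framing: 'we only need to believe a breach is at least this
    likely for the tool to be worth it'."""
    reduction = cost_without - cost_with
    if reduction <= 0:
        # A tool that does not reduce breach cost never pays off.
        return float("inf")
    return tool_cost / reduction


def decide(roi: float) -> str:
    """The post's rule: negative expected ROI means do not ask for the budget."""
    return "ask for budget" if roi > 0 else "do not ask"


def sensitivity(cost_without: float, cost_with: float, tool_cost: float,
                probabilities: list[float]) -> list[tuple[float, float, str]]:
    """Same tool, several breach probabilities; shows how the decision flips."""
    rows = []
    for p in probabilities:
        roi = expected_roi(cost_without, cost_with, p, tool_cost)
        rows.append((p, roi, decide(roi)))
    return rows


if __name__ == "__main__":
    # Scenario numbers quoted in the post (illustrative, not measured).
    scenario = BreachScenario(notification=50_000, legal=100_000,
                              pr_crisis=50_000, churn=500_000)
    without_tool = scenario.total()   # $700,000
    with_tool = 100_000               # post's estimate with 1-day detection
    tool_cost = 50_000                # annual licence

    roi = expected_roi(without_tool, with_tool, 0.10, tool_cost)
    print(f"expected ROI at 10% breach probability: ${roi:,.0f} -> {decide(roi)}")
    print(f"break-even breach probability: "
          f"{breakeven_probability(without_tool, with_tool, tool_cost):.1%}")
    for p, r, d in sensitivity(without_tool, with_tool, tool_cost,
                               [0.05, 0.10, 0.20]):
        print(f"  P(breach)={p:.0%}: expected ROI ${r:,.0f} -> {d}")
```

The break-even figure is often the more persuasive number in the room: at the post's figures the tool pays for itself only if you believe a breach is more likely than roughly one in twelve this year, and at a 5% estimate the same purchase has a negative expected value and should not be requested.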

Tier 4: Innovation and Competitive Advantage

Some security spending is not about preventing breaches. It is about being better than competitors.

"Our competitor takes 30 days to complete security questionnaires. We can automate this and respond in 1 day. This shortens our sales cycle by 2 weeks."

Now security has clear business value. Faster sales cycles mean more revenue.

This is rare. Most security spending does not fall into this category. But when it does, it is the easiest to justify.

The Startup Security Dilemma

Startups face the worst version of this problem.

You have limited runway. Every dollar spent on security is a dollar not spent on product development or customer acquisition.

Security will not generate revenue. It will not make the product better. It will not help you grow faster.

But if you skip security, you create technical debt. Eventually a customer will require SOC 2. You will scramble. You will pay consultants $200/hour to implement controls that should have been built from day one.

The rational decision is to skip security until you need it. This is what most startups do.

But the optimal decision is to build baseline security from the start. Encrypt data. Log actions. Implement basic access controls. Use a standardized cloud security landing zone.

This costs almost nothing early. It costs a fortune to retrofit later.

I advise startups to do this:

Year 0-1: Build baseline security. Encryption. Authentication. Audit logs. A secure landing zone. This should be standard in your architecture.

Year 1-2: Prepare for SOC 2. Set up your security program. Document policies. Do not get audited yet, but be ready.

Year 2+: Get SOC 2 when a customer requires it. You will be ready.

This approach costs almost nothing. It saves massive amounts later.

But most founders do not do this. They skip security entirely, or simply trust that their developers know what they are doing. Then they pay the price when they need it.

What Actually Matters: Metrics That Work

Forget ROI. Here are metrics that actually matter for security spending:

Time to SOC 2 compliance: How fast can you get certified when a customer requires it? If it takes you 6 months, you lose deals.

Security questionnaire response time: Enterprise customers send 50-page security questionnaires. If you cannot answer them quickly, your sales cycle extends by weeks.

Audit finding remediation costs: Every compliance audit finds issues. How much does it cost to fix them? Proactive spending reduces this.

Insurance premium reduction: Some security controls reduce cyber insurance costs. This is direct ROI.

Customer win rate on security: How many deals do you lose because of security concerns? This is measurable.

These metrics connect security to business outcomes. They show value without requiring impossible ROI calculations.

The Uncomfortable Conclusion

Most security spending is wasted because we spend on the wrong things.

We buy tools to prevent hypothetical attacks. We implement controls nobody asked for. We chase industry benchmarks instead of business outcomes.

The security that actually matters is the security that enables revenue.

Compliance certifications enable enterprise sales. Security automation speeds up sales cycles. Baseline security prevents expensive retrofits.

Everything else is optional. And if it is optional, executives will ask "what is the ROI?" And you will not have a good answer.

This is why security teams constantly fight for budget. We keep trying to justify spending that has no measurable business value.

I am not saying all proactive security is worthless. I am saying most of it is.

The industry does not want to admit this. Security vendors need to sell products. Security consultants need to sell services. Everyone has an incentive to claim that more security spending is always better.

But it is not true.

Security spending should be ruthlessly prioritized based on business impact. Compliance first. Baseline security second. Risk reduction third. Everything else is optional.

If you cannot tie a security investment to revenue, compliance, or clear cost savings, do not ask for the budget.

This makes people uncomfortable. Security professionals want to believe their work has inherent value. But businesses do not work that way.

Everything must justify its cost. Security is not exempt.

The sooner we accept this, the better security decisions we will make.

But Security Is Still Cool (And Necessary)

I need to say this before people think I hate security work. I don't.

I love building security automation. I love writing detection rules. I love solving complex access control problems. Security engineering is fun.

And security is absolutely necessary. I am not arguing we should skip security. I am arguing we should be honest about what we can justify.

When Budget Is Not a Constraint

Bigger companies can do cool security things. If you have budget and you are not fighting for every dollar, go ahead. Build that threat hunting platform. Implement that CNAPP. Automate everything.

Google's cloud security investments show this. They built Security Command Center. They are acquiring Wiz. They have teams working on attack path analysis and AI-powered threat detection.

This makes sense for Google. They have the budget. They have the scale. Security incidents at their level cost millions. The ROI math works.

If you work at a company with stable security budgets and no pressure to cut costs, you can focus on the interesting problems. You can experiment. You can build the security program you want.

This is where the cool security work happens. Automation. Integration. Custom detections. All the things I write about on this blog.

But most companies are not Google.

What I Am Doing Differently

I stopped selling security based on fear. I stopped using breach statistics. I stopped claiming my tools prevent attacks.

Instead, I focus on business outcomes.

"This security control is required for SOC 2. SOC 2 enables enterprise sales. Enterprise sales drive revenue."

"This automation reduces security questionnaire response time from 2 weeks to 1 day. Faster responses shorten sales cycles. Shorter sales cycles increase win rates."

"This baseline security prevents expensive compliance retrofits. The proactive cost is $10,000. The reactive cost is $100,000."

"This security policy is required by the country we want to expand to."

These are honest business cases. They do not require fictional ROI calculations. They tie security to outcomes executives care about.

And when a security investment does not have clear business value? I do not ask for it.

This has changed how I think about security. I used to believe all security spending was justified. Now I believe most of it is not.

The security industry needs to have this conversation. We need to stop pretending everything we do has clear ROI.

Some security is essential. Some is valuable. And some is waste.

Learning which is which is the hard part.
