# The Problem with ROI in Security
Return on Investment (ROI) is a financial metric designed to measure profit generation. Security investments do not generate profit; they reduce risk, exposure, and impact.
When security works, nothing happens. There is no transaction, no revenue spike, and no visible "return." As a result, ROI forces CISOs to justify security spend with assumptions, estimates, and post-incident narratives rather than with measurable protection.
ROI is useful for budget approval.
It is ineffective for measuring security effectiveness.
## Why ROI Produces False Confidence
Most security ROI discussions rely on indirect indicators:
- Avoided breach costs
- Reduced likelihood assumptions
- Compliance alignment
- Tool consolidation efficiency
These signals do not answer the operational question that matters most:
How much attacker capability did this security control actually remove?
A security control can be fully paid for and fully deployed, yet still be underutilized, leaving material exposure unaddressed. ROI cannot see this gap.
## The Missing Metric: Security Control Utilization
Modern security platforms ship with extensive defensive arsenals:
- Parsing engines
- Detection logic
- Prevention capabilities
- Response mechanisms
Ownership does not equal protection.
Utilization determines value.
If key entities are not inspected, attack classes are not mitigated, or enforcement is partial, attackers retain viable paths regardless of spend.
The real question for CISOs is not:
“Did we buy the right tool?”
But:
“Are we using this control to meaningfully reduce attacker options?”
## From Utilization to Protection Value (TOV)
Total Ownership Value (TOV) measures the real security value realized from owning and operating a security control.
TOV focuses on:
- How much of the control’s defensive capability is actually used
- Which attacker paths are eliminated
- Which exposure points remain
- How readiness reduces impact when prevention fails
TOV does not require a breach to prove value.
It measures protection before failure, and resilience during failure.
## ROI vs TOV — Executive View
| Question | ROI | TOV |
|---|---|---|
| Is spend justified? | ✔ | — |
| Are we safer? | ✖ | ✔ |
| How much attacker capability was removed? | ✖ | ✔ |
| Are we using what we bought? | ✖ | ✔ |
| Is this board-defensible? | Partial | Strong |
## Executive Guidance
Use ROI when:
- Planning budgets
- Engaging finance and procurement
- Comparing high-level investments
Use TOV when:
- Evaluating security effectiveness
- Prioritizing improvements
- Assessing exposure and readiness
- Reporting real risk posture to the board
ROI explains cost.
TOV explains protection.
Strong security leadership requires both — but never confuses one for the other.
