Investments in cybersecurity tend to be fairly significant, so organizations continually seek ways to determine whether the investments were appropriate based on return. However, companies are challenged to apply and fit the traditional discounted cash flow methods to calculate a return on investment (ROI) and justify cybersecurity initiatives. Cybersecurity initiatives are even harder to justify than traditional IT initiatives using traditional accounting methods. Some state that cybersecurity initiatives are not investments resulting in profit; instead, they address loss prevention and mitigation of threats to the company’s assets. In part, this is accurate. However, in today’s world, with the severity of impact resulting from cybersecurity breach incidents, the argument should be supplemented to state that cybersecurity is on the same necessity level as any required infrastructure such as accounting, operations and IT functions to enable companies to do business.

Discounted cash flow methods are unable to quantify the intangible benefits that cybersecurity brings forward to companies. The focus of this article is to propose a nontraditional method to prioritize cybersecurity initiatives and develop a foundation for the return on (cyber)security investment (ROSI) with a method to quantify the
The perceptions and views of non-IT management toward cybersecurity are among the contributing factors posing the challenge to justify the expense of such initiatives. Examples of such views and perceptions are:

• Security is not an investment. Cybersecurity is a risk prevention and mitigation investment. There is no technical guarantee to immunize companies from cyberattacks due to human errors and from those with malicious intent. Traditionally, the view of business management toward IT is that it is an expense, and this view has been extended to cybersecurity initiatives.

• Cybersecurity is an IT discipline. Cybersecurity is highly technical in content, and technical staff generally have difficulty explaining to management, in layman’s terms, what the proposed initiatives are and how they might protect the core values of the company. Often, management equates cybersecurity with the IT function, and responsibility for IT security is treated as exclusive to the IT team. This is a fundamental flaw. Cybersecurity is everyone’s responsibility. The IT function must integrate cybersecurity into each of its initiatives. However, all business functions, IT and non-IT, must integrate cybersecurity into their initiatives as well.

• A communication gap exists. The communication gap between IT and the business community is a contributing factor in the underestimation and lack of appreciation of each other and of the value and sensitivity of the duties and responsibilities of each. Often, the business community lacks a clear understanding of how IT applications, technologies and services may contribute to the company’s business objectives in quantifiable and tangible ways. On the other hand, the IT community fails to link technology solutions to the primary interests of the business: to increase revenue, expand market share, enhance customer satisfaction and allocate resources. This symptom arises when IT operates in a vacuum and in the absence of IT governance.
THE BIG PICTURE OF ROI

The lack of appreciation and understanding between the business and cybersecurity communities is a two-way street. Cybersecurity staff must be able to understand and accommodate the sensitivity of the business function needs. As a matter of fact, cybersecurity staff members need to reach out to the business community and engage it in the cybersecurity justification of its initiatives. It is worth mentioning that the IT and cybersecurity communities often lack the necessary
Robert Putrus, CISM, CFE, CMC, PE, PMP, is an IT professional with 25 years of experience in senior management roles, information systems and management of professional He is experienced in the deployment of various and standards. Putrus has written numerous articles and white papers in professional journals, some of which have been translated into several languages. He is quoted in publications, articles and books, including those used in masters of business administration programs in the US. He can be reached at
A Nontraditional Approach to Prioritizing and Justifying Cybersecurity Investments