How to Measure the ROI of Your Security Budget

As a business leader, it’s crucial to make data-driven decisions when investing in new security products.

It may feel safer to continue to throw money at security to help protect against bad actors, but new security products can frequently do more harm than good. This harm can result from alert fatigue, over-complicating remediation processes, or simply a breakdown in communication between departments.

And according to Gartner’s 2019 Security and Risk Management Survey, with 82% of CISOs responsible for business-level metrics like ROI, it’s increasingly important to justify the costs that a security budget pulls from the rest of the company.

Security is just another investment — it’s a cost that companies choose to pay out in the hopes it will save them the damages associated with a breach later on. But this is only worth doing if the cost of the security product truly saves the company money. 

As such, it’s a good idea for companies to consistently measure their security investments’ ROI to ensure they are still worthwhile. However, this can be incredibly difficult to do — how do you calculate the cost of a breach you successfully prevented? 

Using our ROI calculator below, you can plug in a few simple metrics about your company’s security program and find out whether it saves you more money than it costs. If you don’t have the numbers handy, you can use our auto-populated metrics based on industry averages.

In this blog post, we’ll explore our method for measuring the ROI of new security products based on several key variables. This method will help you determine whether a tool is worth paying for or is simply a superfluous routine cost. 

Calculating the cost of a vulnerability

To begin, we’ll calculate the cost per engineer per day. Using the average salary per engineer of $126,000 (source: Built In) and breaking that down to cost per pay period of $4,846.15, assuming 24 pay periods per year, we can determine the cost per day per engineer is $346.15.

Next, we’ll determine the cost per engineer over a vulnerability remediation period by multiplying the cost per engineer per day by the number of days it takes to remediate a vulnerability, which we’ll assume to be 205, the average for critical vulnerabilities (source: ZDNET).

This calculation gives us a cost per engineer of $70,961.54 through the 205 days. To find the total cost of a vulnerability, we multiply the cost per engineer through the remediation period by the number of engineers involved.

Measuring the ROI of new security products

Once we have the cost of a vulnerability, we can use that information to measure the ROI of new security products. By comparing the cost savings from reduced vulnerabilities to the cost of the security product, we can determine if the investment is worth it.

For example, if a new security product costs $50,000 per year and requires a single engineer to maintain, your total investment is $176,000 per year. Assuming it takes 5 engineers to fix a vulnerability, each vulnerability it prevents saves you $178,807.69 after the cost of the investment, resulting in an ROI of 101.60%. This ROI means the investment has paid for itself and generated a profit.

How does this help?

Budgeting for cybersecurity is a little like insurance. However, unlike insurance, your likelihood of realizing value from your cybersecurity investment is high. According to the 2022 Verizon Data Breach report, there were 14 confirmed data breaches a day in 2021, resulting from 23,896 incidents.

It’s hard to calculate the cost of something that has yet to happen. Hopefully, this tool makes it easier to put the numbers together. Once you understand the fundamentals of measuring your budget’s ROI, you can optimize it and reduce costs. 

Sign up for our newsletter below to get part II, where we’ll discuss how to take the numbers from the ROI calculator and improve them over time.
