Cybersecurity ROI

Explore methods for calculating and communicating the return on investment of cybersecurity programs. Content addresses cost-benefit analysis, breach cost avoidance, productivity gains, and frameworks that help justify security spending to executives and boards.

Security Awareness Metrics

Security Awareness Metrics That Actually Prove ROI

Your Board Doesn't Care About Completion Rates

I sat in a meeting last year where a CISO proudly reported a 97% training completion rate. The board nodded politely. Two months later, a single phishing email led to a credential theft incident that cost the organization $2.3 million

Carl B. Johnson May 22, 2026 5 min read
Security Awareness Metrics

Security Awareness Metrics That Actually Prove ROI

In 2024, IBM's Cost of a Data Breach Report pegged the global average breach cost at $4.88 million — the highest ever recorded. That same report found that organizations with security awareness training programs saved an average of $258,629 per breach compared to those without. Yet when

Carl B. Johnson Mar 29, 2025 8 min read
Security Awareness Training

How to Measure Security Awareness Training Effectively

In 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered the company's IT help desk with a single phone call. The attackers didn't exploit a zero-day vulnerability. They exploited a person. That incident should make every security leader ask a blunt question:

Carl B. Johnson Mar 29, 2025 7 min read
Security Awareness Metrics

Security Awareness Metrics That Prove ROI in 2023

When MGM Resorts got hit with a devastating social engineering attack in September 2023, it wasn't a firewall failure. It wasn't a zero-day exploit. A threat actor called the help desk, impersonated an employee, and walked right through the front door. The estimated cost? Over $100

Carl B. Johnson Sep 16, 2023 7 min read
Security Awareness Metrics

Security Awareness Metrics That Actually Prove ROI

In 2020, a mid-sized healthcare provider invested $250,000 in a security awareness program. Twelve months later, the CISO couldn't answer one question from the board: "Is it working?" No baseline measurements. No tracking. No defensible data. That CISO is now updating a résumé. I'

Carl B. Johnson Nov 28, 2021 7 min read
Security Awareness Metrics

Security Awareness Metrics That Prove ROI in 2026

When the SEC fined SolarWinds' CISO for misleading investors about cybersecurity practices, it sent a shockwave through every security department in America. The message was unmistakable: vague assurances about security posture aren't enough anymore. Boards, regulators, and cyber insurers now demand evidence. That's why security

Carl B. Johnson Oct 10, 2020 8 min read
Security Awareness Training

How to Measure Security Awareness Training Effectively

Your Training Program Is Worthless Without Proof

In 2023, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to the help desk. The company almost certainly had a security awareness program in place. So did Caesars Entertainment, which paid a

Carl B. Johnson Oct 02, 2020 7 min read
Security Awareness Training

How to Measure Security Awareness Training ROI

Your Training Program Might Be Failing — and You'd Never Know

In 2024, IBM's Cost of a Data Breach Report pegged the global average breach cost at $4.88 million. Organizations with security awareness training and incident response planning cut that number dramatically. But here's

Carl B. Johnson Sep 01, 2019 8 min read