<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>Best Practices</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>The UK’s AI Cyber Security Code of Practice: What It Means for Your Business</title>
  <link>https://www.hackerone.com/blog/uks-ai-cyber-security-code-practice</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">The UK’s AI Cyber Security Code of Practice: What It Means for Your Business</span>
    



    
        Vanessa Booth
        
            Policy Analyst
      
    


    



    
        Michael Woolslayer
        
            Policy Counsel
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>joseph@hackerone.com</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 02/27/2025 - 14:24
</span>
            February 27th, 2025

      
            <p>The Code establishes baseline cybersecurity requirements across the AI lifecycle and is expected to inform changes to international standards through the European Telecommunications Standards Institute (ETSI). To assist organizations in applying its principles, the government has also released an&nbsp;<a href="https://assets.publishing.service.gov.uk/media/679cae441d14e76535afb630/Implementation_Guide_for_the_AI_Cyber_Security_Code_of_Practice.pdf">Implementation Guide</a>, which expands on specific security measures.&nbsp;</p><p>HackerOne offered input during the development of this Code, emphasizing the importance of independent security testing, AI red teaming, and vulnerability disclosure programs (VDPs).&nbsp;<a href="https://www.hackerone.com/sites/default/files/2024-09/UK%20Call%20for%20Views%20on%20the%20Cyber%20Security%20of%20AI%20Comments.pdf">&nbsp;HackerOne’s recommendations</a>, submitted during DSIT’s Call for Views on AI Cybersecurity, highlighted the need for external validation, proactive security testing, and structured vulnerability reporting mechanisms to improve AI security.&nbsp;&nbsp;</p><p><strong>Who is the Code for?</strong></p><p>The Code applies to developers, system operators, and data custodians involved in the creation, deployment, and management of AI systems. It sets out security measures covering&nbsp;<a href="https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice/code-of-practice-for-the-cyber-security-of-ai#scope:~:text=secure%20design%2C%20secure%20development%2C%20secure%20deployment%2C%20secure%20maintenance%20and%20secure%20end%20of%20life.">five key phases</a>: secure design, secure development, secure deployment, secure maintenance, and secure end of life. AI vendors who solely sell models or components without direct involvement in their implementation are not directly in scope but remain subject to other relevant cybersecurity standards. 
&nbsp;</p><p><strong>How can organizations align with the Code?</strong></p><p>The Code&nbsp;<a href="https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice/code-of-practice-for-the-cyber-security-of-ai#scope:~:text=to%20do%20something-,Structure%20of%20the%20voluntary%20Code%20of%20Practice,-Principle%201%3A%20Raise">introduces 13 principles</a> to safeguard AI from cyber threats, including data poisoning, adversarial attacks, and model exploitation. Organizations that choose to follow the Code need to integrate AI security into system design, assess risks throughout the AI lifecycle, and maintain transparency with end-users. Key provisions include:&nbsp;</p><ul><li>Ensuring AI security awareness among employees and stakeholders.</li><li>Implementing supply chain security measures to prevent vulnerabilities in AI models.</li><li>Conducting adversarial testing to proactively detect security weaknesses.</li><li>Providing timely security updates and clear communication to end-users.&nbsp;</li></ul><p><strong>How does the Code address Independent Security Testing and Disclosure for AI?</strong></p><p>A key focus of the Code is the requirement for independent security validation of AI systems. 
Developers&nbsp;<a href="https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice/code-of-practice-for-the-cyber-security-of-ai#scope:~:text=2023%2C%20G7%202023%5D-,9.1,-Developers%20shall%20ensure">must ensure AI models</a> undergo security testing before deployment, and the Code stresses the importance of&nbsp;<a href="https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice/code-of-practice-for-the-cyber-security-of-ai#scope:~:text=support%20from%20Developers.-,9.2.1,-For%20security%20testing">involving independent security testers</a> with expertise in AI-specific risks.</p><p>Additionally, the Code&nbsp;<a href="https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice/code-of-practice-for-the-cyber-security-of-ai#scope:~:text=publicly%20available%20data.-,6.4,-Developers%20and%20System">mandates the creation and maintenance of a Vulnerability Disclosure Program (VDP)</a> for AI systems. This program is vital for enhancing transparency, allowing security flaws to be responsibly reported and mitigated.&nbsp;</p><p><a href="https://assets.publishing.service.gov.uk/media/679cae441d14e76535afb630/Implementation_Guide_for_the_AI_Cyber_Security_Code_of_Practice.pdf">The Implementation Guide</a> further clarifies these expectations, emphasizing proactive security practices such as red teaming and adversarial testing. These techniques are essential for detecting vulnerabilities before they can be exploited, and the Guide offers practical steps to integrate these evaluations into the AI lifecycle. By following both the Code and the Implementation Guide, organizations can ensure a comprehensive, proactive approach to AI security – focusing on external validation, transparency, and ongoing testing to safeguard systems at every stage.&nbsp;</p><p><strong>What’s the likely impact?</strong></p><p>The Code signals a shift toward stronger regulatory expectations for AI security. 
As cyber threats targeting AI continue to evolve, organizations that adopt these security principles will be better positioned to comply with future standards and regulations, protect their users, and build trust in AI technologies.&nbsp;</p><p>The UK government has&nbsp;<a href="https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice/code-of-practice-for-the-cyber-security-of-ai#:~:text=The%20UK%20government%20plan%20to%20submit%20the%20Code%20and%20Implementation%20Guide%20in%20ETSI%20so%20that%20the%20future%20standard%20is%20accompanied%20by%20a%20guide.%20The%20government%20will%20update%20the%20content%20of%20the%20Code%20and%20Guide%20to%20mirror%20the%20future%20ETSI%20global%20standard%20and%20guide.%C2%A0%C2%A0">stated</a> its intention for this Code to serve as the foundation for future ETSI standards, ensuring a unified and internationally recognized approach to AI cybersecurity. The government also plans to update the Code and the Guide to mirror the future ETSI global standard, reinforcing the alignment with international best practices.&nbsp;</p><p><strong>How HackerOne can help:</strong></p><p>Organizations navigating AI security challenges need robust testing and vulnerability management solutions. HackerOne helps organizations align with the Code’s security requirements through:&nbsp;</p><ul><li>Independent AI security assessments that align with Principles 9.1 and 9.2.1.</li><li>Vulnerability Disclosure Programs (VDPs) to help meet Principle 6.4.</li><li>Red teaming and adversarial testing to identify weaknesses before they can be exploited as mentioned in the Implementation Guide, sections 9.2, 9.2.1, and 11.2.&nbsp;</li></ul><p><a href="https://www.hackerone.com/contact">Contact HackerOne to learn more about securing your AI systems.&nbsp;</a></p>
      
            
    <a href="https://www.hackerone.com/blog/public-policy" hreflang="en">Public Policy</a>
    <a href="https://www.hackerone.com/blog/topic/security-compliance" hreflang="en">Security Compliance</a>
    <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
    <a href="https://www.hackerone.com/blog/topic/ai-safety-security" hreflang="en">AI Safety &amp; Security</a>
            <p>On January 31, 2025, the UK government published its&nbsp;<a href="https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice/code-of-practice-for-the-cyber-security-of-ai">AI Cyber Security Code of Practice</a>, a voluntary framework aimed at mitigating security risks in AI systems.&nbsp;</p>
      ]]></description>
  <pubDate>Thu, 27 Feb 2025 20:24:55 +0000</pubDate>
    <dc:creator>joseph@hackerone.com</dc:creator>
    <guid isPermaLink="false">5561 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>A Call for a New Cybersecurity Measurement Standard</title>
  <link>https://www.hackerone.com/blog/new-cybersecurity-measurement-standard</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">A Call for a New Cybersecurity Measurement Standard</span>
    



    
        Kara Sprague
        
            CEO
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>joseph@hackerone.com</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 02/27/2025 - 07:47
</span>
            February 26th, 2025

      
            <p>That’s why worldwide spending on information security reached an estimated $180B in 2024, per industry analyst Gartner.&nbsp;</p><p>Still, translating the benefits of cybersecurity into dollars and cents has long been a challenge for security teams. This makes optimizing spending on security initiatives difficult because there’s no standard metric for comparing the impact of one versus another. It’s not because there isn’t quantifiable value. It’s because Return on Investment (ROI), the standard used for quantifying the value of an investment, doesn’t directly account for the benefits of cybersecurity measures.</p><h2>Why ROI Doesn’t Cut It for Cybersecurity</h2><p>We dive into more detail in our new paper,&nbsp;<a href="https://ma.hacker.one/rom-whitepaper-2025.html">When ROI Falls Short</a>, but here’s the net of it: the formula for calculating ROI requires a “revenue” or “net profit” value to get the result. Cybersecurity initiatives typically don’t directly generate revenue or a net profit.&nbsp;</p><p>Instead, these initiatives act as a safeguard, preventing potential losses such as data breaches, business downtime, ransomware attacks, reputational damage, and loss of customer trust. As such, an ROI metric that considers profits gained but not losses avoided fails to adequately capture the true impact.&nbsp;</p><h2>Why Return on Mitigation (RoM) Over ROI</h2><p>Security leaders need a metric that reflects the true value of cybersecurity, and ROI isn’t it. Return on mitigation (RoM) redefines how we calculate ROI for cybersecurity. 
Instead of focusing on net profit, RoM measures “mitigated losses”—the financial damage avoided through proactive security measures.</p><p>If you take a closer look, you’ll notice that the RoM formula is the same as ROI, except instead of "revenue," we use "mitigated loss":</p><p dir="ltr">By factoring mitigated losses instead of revenue, security leaders see a much clearer picture of the financial impact of their cybersecurity efforts on the bottom line—putting a dollar amount to the losses they’ve prevented.</p><p>You can see more detailed examples of how&nbsp;<a href="https://ma.hacker.one/rom-whitepaper-2025.html">RoM is calculated in our ebook</a>, using the cost of breach data, offensive security program results, and exploitation likelihood, or test it yourself with our light&nbsp;<a href="https://www.hackerone.com/info/return-mitigation-calculator">RoM calculator.</a>&nbsp;</p><h2>The Call for RoM Standardization</h2><p>For security leaders, adopting RoM bridges the gap between the theoretical value of cybersecurity testing and the reality of loss prevention. It empowers them to more accurately justify security budgets, communicate value to stakeholders, demonstrate quantifiable risk reduction, and prioritize their resources more effectively—all through a common financial language.</p><p>Now imagine if that common language was also common within an organization and across cybersecurity. The standardization of RoM would provide significant benefits to the entire security community. Establishing a common framework for calculating and communicating the financial impact of cybersecurity investments would enable organizations to make more informed decisions about their security strategies.&nbsp;</p><p>When everyone can calculate loss prevention with the same metric, they can benchmark with peers and across industries and better evaluate vendors and solutions. 
Meanwhile, it also provides greater support for regulators and cyber insurers, who need clear, methodical financial loss data to design regulatory standards and assess the adequacy of cybersecurity investments.&nbsp;</p><h2>Conclusion</h2><p>If you read my&nbsp;<a href="https://www.hackerone.com/blog/hope-fight-against-cyber-threats-new-years-message-cisos">recent blog</a>, you’ll remember my stance heading into this year: the fight against cyber threats will not be easy and we’re in this fight together. The standardization of RoM is just one practical way organizations can come together in cybersecurity; by implementing an effective, common method for measuring the value of cybersecurity investments, we’re one step closer to taking down cyber threats on a universal scale.</p>
      
            
    <a href="https://www.hackerone.com/blog/from-the-ceo" hreflang="en">From The CEO</a>
    <a href="https://www.hackerone.com/blog/topic/return-mitigation" hreflang="en">Return on Mitigation</a>
    <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
            <p>Cybersecurity initiatives provide financial value to organizations. Board members and non-security executives know this to be true.&nbsp;</p>
      ]]></description>
  <pubDate>Thu, 27 Feb 2025 13:47:37 +0000</pubDate>
    <dc:creator>joseph@hackerone.com</dc:creator>
    <guid isPermaLink="false">5558 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>The Cost Savings of Fixing Security Flaws in Development</title>
  <link>https://www.hackerone.com/blog/cost-savings-fixing-security-flaws</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">The Cost Savings of Fixing Security Flaws in Development</span>
    



    
        Dan Mateer
        
            Senior Director, Delivery Excellence
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>joseph@hackerone.com</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 02/27/2025 - 07:56
</span>
            February 25th, 2025

      
            <p dir="ltr">When security incidents from software defects happen, retrospectives often tell the story of heroic remediation in the form of&nbsp;<a href="https://github.com/apache/logging-log4j2/pull/608">a few hundred lines of code</a> (or less) but maximum organizational disruption: all-hands-on-deck root cause investigations and executives working 24/7 to control fallout.&nbsp;</p><p dir="ltr">This reality has been the main drive behind the adoption of “Shift-Left” security—a proactive approach that integrates security testing like static application security testing (SAST) and software composition analysis (SCA) early in the development process.&nbsp;</p><p class="text-align-center" dir="ltr"><em>Common pre-production security controls in a software development lifecycle (SDLC).</em></p><p dir="ltr">Catching and fixing security vulnerabilities before they reach build, test, release, and deployment—before they even exist seems easy to justify, right?</p><p dir="ltr">Turns out it’s more complicated than that:</p><ol><li dir="ltr">Return on Investment (ROI) arguments rely on speculation and fear: cost savings by avoiding&nbsp;<em>unexpected&nbsp;</em>losses.</li><li dir="ltr">Business priorities typically focus on revenue-generating activities. 
The prospect of adding any extra step to pre-merge workflows when a company is already behind on deadlines is a tough pill to swallow.</li><li dir="ltr">It’s hard to prove #1, very easy to prove #2.</li></ol><p dir="ltr">Here, security leaders find themselves in an all-too-familiar paradox: if&nbsp;<a href="https://www.osti.gov/servlets/purl/842753#:~:text=Calculate%20total%20damage%2C%20incident%20risk%20and%20baseline%20scenario%20The%20damage,activities%20outside%20its%20own%20network.">an ounce of prevention is worth a pound of cure</a>, how is it so difficult to prove?</p><h2 dir="ltr"><strong>Rethinking return on security investment</strong></h2><p dir="ltr">Is a “return” on loss prevention the right justification for security investment? How do we quantify how well an organization outsmarts cybercriminals? How many organizations budget for expected data breaches as part of fiscal year planning?</p><p dir="ltr">Cybercriminal activity isn’t a predictable variable in business operations, but risk mitigation is. A more accurate framework for investment decision-making is&nbsp;<a href="https://ma.hacker.one/rom-whitepaper-2025.html">return on mitigation (RoM)</a>—the financial impact of preventing breaches, regulation penalties, and reputational damage.</p><p dir="ltr">Using the RoM model, we can estimate business impact for&nbsp;<em>pre-attack</em> mitigation. Imagine your team catches a high-severity SQL injection vulnerability during routine testing. 
Based on the&nbsp;<a href="https://www.ibm.com/reports/data-breach">$5.45M average cost of a data breach</a>, its high severity, and exploitation likelihood (5.5%), the estimated mitigated losses are about $149,875.&nbsp;</p><p dir="ltr">For more, check out&nbsp;<a href="https://www.hackerone.com/info/return-mitigation-calculator">HackerOne’s RoM calculator</a> to see how much financial damage your security investments prevent.</p><h2 dir="ltr"><strong>The true cost gap</strong></h2><p dir="ltr">Another important factor in investment justification is the delta between cost of remediation&nbsp;<em>pre</em>-production vs.&nbsp;<em>post</em>-production.&nbsp;</p><p dir="ltr">When a vulnerability is caught in production, fixing the code is a resource-intensive process that requires time and work from both security and engineering teams. How is the vulnerability possible? How and when did it get there? What development team, if any, is working on the application now? If we send the vulnerability report to the developers working on it, will they know how to fix it? Will attempt #1 to fix the vulnerability work? What about #2?</p><p dir="ltr">The image below from&nbsp;<a href="https://www.it-cisq.org/the-cost-of-poor-quality-software-in-the-us-a-2022-report/">CISQ</a> provides a good visual of how it plays out in practice: a trial-and-error feedback loop.</p><p class="text-align-center" dir="ltr"><em>Dollar signs indicate where most effort/cost is concentrated.</em></p><p dir="ltr">At HackerOne, we see a median resolution lifecycle of&nbsp;<strong>34 days</strong> for vulnerabilities reported in penetration tests.&nbsp;</p><p dir="ltr">Even when a patch involves an update to just a few lines of code, determining&nbsp;<em>what</em> lines of code can be like looking for a needle in a haystack. 
Fixing vulnerabilities discovered in production is roughly&nbsp;<a href="https://www.nist.gov/document/report02-3pdf">30 times more expensive</a> than finding and fixing them during development.</p><p class="text-align-center" dir="ltr"><em>Source:&nbsp;</em><a href="https://www.nist.gov/document/report02-3pdf"><em>NIST: The Economic Impacts of Inadequate Infrastructure for Software Testing</em></a></p><p dir="ltr">Fixing a vulnerability in coding/unit testing is more cost-effective because the context is immediately known, and the complexities involved in writing the code change have already been solved (e.g., navigating existing technical debt to “get it to work”). When a developer is tasked with a vulnerability report to fix, it creates an unplanned cycle of repeating this work. All of the context and technical debt navigation needs to be re-learned. In other words, code patches—even the ones with just a few changed lines of code—take a lot longer than they look.</p><p dir="ltr">How big of a problem is this? Just ask your engineering team.&nbsp;<a href="https://stripe.com/files/reports/the-developer-coefficient.pdf">Developers spend 13.5 hours a week dealing with technical debt</a>, which is the biggest obstacle to making changes to existing code bases and has an estimated&nbsp;<a href="https://www.it-cisq.org/the-cost-of-poor-quality-software-in-the-us-a-2022-report/">economic impact of $1.52T in the US alone</a>.</p><p dir="ltr">A majority of development teams already have a quality assurance stage built into their workflow:&nbsp;<a href="https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews">pull request review and approval</a>. For most development teams, proposed changes remain in this stage for 47-50 hours, during which defects are caught and fixed prior to merge. 
During this stage, developers catch and fix about 3.4-4.7 defects per 1,000 lines of code with the help of peer review and automated tooling.<a href="https://www.pullrequest.com/benchmarks/">¹</a> These existing development practices provide an opportunity for a non-invasive security policy that, if thoughtfully executed, avoids duplication of development effort and has minimal impact on velocity. Ideally, none.</p><p dir="ltr">Revisiting our example of an SQL injection vulnerability caught in production, let’s assume the root cause was an implementation where a JavaScript template string was used instead of a parameterized query, which would have escaped values properly. If the developer writing the code was informed with the right guidance in a pull request review, it would have taken them 30 minutes to address. Caught in post-production testing, perhaps months later, expect it to take 15 hours of triage, troubleshooting, translating application security terminology to software engineering terminology, etc.</p><p dir="ltr">Cost impact can be measured more directly from known operational expenses, which vary between organizations. For this example, let’s say the cost is $100 per hour.</p><p dir="ltr">Post-production remediation:&nbsp;<strong>$1,500</strong></p><p dir="ltr">Pre-production remediation:&nbsp;<strong>$50</strong></p><p dir="ltr">Total operational cost savings:&nbsp;<strong>$1,450</strong></p><p dir="ltr">This brings overall financial impact to $151,325 when added to return on mitigation ($149,875). Or,&nbsp;<strong>3,027 times cheaper</strong>. “An ounce of prevention is worth a pound of cure” may be an understatement.</p><h2 dir="ltr"><strong>Conclusion</strong></h2><p dir="ltr">Whether caught pre-production or post-production, catching and fixing vulnerabilities before cybercriminals can exploit them prevents enormous losses. Forecasting business value is best achieved by using a return on mitigation (RoM) framework. 
The additive business value in pre-production code security comes from significantly lower remediation costs.</p><p dir="ltr">There’s no one-size-fits-all methodology for metric-based objectives to determine a “shift-left” security program’s success, but a good place to start is the volume of true positive reports received over a 12-month period with a reasonable “prevention” rate prediction (i.e., expecting 40% fewer new true positive reports matching target CWE categories).</p><h2 dir="ltr"><strong>How HackerOne is reinventing security for developers</strong></h2><p dir="ltr">While there’s a clear investment justification for security in development,&nbsp;<a href="https://www.hackerone.com/blog/resurrecting-shift-left-human-loop-ai">efforts to “shift-left” often backfire</a>, creating frustration for developers, an unhealthy relationship between engineering and security, and friction that inhibits velocity. HackerOne has been&nbsp;<a href="https://www.hackerone.com/press-release/hackerone-acquires-pullrequest-power-developer-first-security-testing-solutions">on a mission</a> to understand why “shift-left” security isn’t working and to build a&nbsp;<a href="https://www.hackerone.com/blog/how-hackerone-reinvented-security-developers">methodology-based solution</a> that gets it right.</p><p dir="ltr"><a href="https://www.hackerone.com/product/pull-request">HackerOne PullRequest</a> is a true, developer-first approach to code security. We combine AI with expert human manual code review. The output – remediation guidance embedded directly in the developers’ existing workflow – empowers them to write secure code and proactively address security risks in the tools they already use. 
With a developer satisfaction rate of over 96%, HackerOne PullRequest is trusted by development teams because it’s actionable, fast, and self-learned.</p><p dir="ltr"><em>¹ Source: HackerOne PullRequest&nbsp;</em><a href="https://www.pullrequest.com/benchmarks/"><em>Benchmarks</em></a><em> sample of 3,000 organizations and 115,000 repositories spanning Small, Mid-Sized, and Large development team size cohorts.</em></p>
      
            
    <a href="https://www.hackerone.com/blog/engineering" hreflang="en">Engineering</a>
    <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
    <a href="https://www.hackerone.com/blog/topic/return-mitigation" hreflang="en">Return on Mitigation</a>
    <a href="https://www.hackerone.com/blog/topic/pullrequest" hreflang="en">PullRequest</a>
            <p>There’s no debate that catching and fixing security flaws in development saves time, money, and stress.</p>
      ]]></description>
  <pubDate>Thu, 27 Feb 2025 13:56:28 +0000</pubDate>
    <dc:creator>joseph@hackerone.com</dc:creator>
    <guid isPermaLink="false">5559 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>A New Approach to Proving Cybersecurity Value (That Isn’t ROI)</title>
  <link>https://www.hackerone.com/blog/new-approach-proving-cybersecurity-value</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">A New Approach to Proving Cybersecurity Value (That Isn’t ROI)</span>
    



    
        Naz Bozdemir
        
            Senior Product Manager
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>joseph@hackerone.com</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 02/27/2025 - 08:13
</span>
            February 14th, 2025

      
            <p>Over the past 8 months,<a href="https://www.linkedin.com/in/hakluke?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAACcK9ewBCyIzphohk027wOvn6V6sdXUpumo">&nbsp;Luke (hakluke) Stephens</a> and I have spoken with 10 security executives, surveyed over 550 security professionals, and incorporated insights from HackerOne’s CISO Advisory Board. A key challenge emerged repeatedly in our conversations: security leaders need a better way to measure and justify their investments—one that accounts for the financial impact of mitigated risks.</p><p>In this blog, we are excited to&nbsp;<a href="https://www.hackerone.com/press-release/hackerone-introduces-new-cybersecurity-investment-metric-security-leaders-question">announce our white paper on Return on Mitigation (RoM)</a>, a framework we designed to quantify the financial impact of security programs in a way that speaks to business leaders.</p><h3><strong>Why traditional ROI falls short in cybersecurity</strong></h3><p>Organizations that apply traditional ROI models to cybersecurity often focus on cost-cutting measures like reducing headcount or operational expenses. However, this approach fails to account for security’s primary function: risk reduction and breach prevention.</p><p>As one CISO put it in our research:</p><p>"Security is often viewed as a cost center, not a revenue driver. ROI doesn’t work because you can’t always show direct returns—it’s about preventing damage, not generating income.”</p><p>By nature, security efforts protect revenue, brand reputation, and operational continuity by preventing financial losses rather than generating direct profit. 
Yet, these benefits are often difficult to quantify, making them harder to justify through traditional financial models.</p><h2><strong>Introducing the Return on Mitigation (RoM) framework</strong></h2><p>RoM offers a new way to approach cybersecurity justification by reframing security investments to avoid future losses—much like an insurance policy.</p><p>Instead of measuring revenue gained, RoM calculates mitigated losses. Instead of asking, "What revenue did this investment generate?" RoM asks, "What losses did we prevent by investing in cybersecurity measures?"</p><p>It does this by factoring in:</p><ul><li>The cost of a breach, using benchmarks like<a href="https://www.ibm.com/reports/data-breach">&nbsp;IBM’s Cost of a Data Breach Report</a></li><li>The likelihood of exploitation, based on real-world vulnerability data we modeled on<a href="https://www.verizon.com/business/en-gb/resources/reports/2024/dbir/2024-dbir-data-breach-investigations-report.pdf">&nbsp;Verizon's Data Breach Investigations Report</a></li><li>The cost of mitigation, including program investments and remediation efforts</li></ul><p>By replacing traditional ROI’s “net profit” with “avoided losses,” RoM can concretely quantify cybersecurity’s financial impact.</p><h3><strong>The RoM Calculator: A practical tool for security leaders</strong></h3><p>One of the biggest takeaways from our research was that security leaders need more than theory—they need tools and models to run these calculations in real-world scenarios.</p><p>The first-of-its-kind RoM calculator we developed in this study integrates security program results, the likelihood of exploitation through the concept of Exploitation Likelihood Score (ELS), and industry benchmarks to calculate total mitigation savings. 
It provides organizations with defensible metrics for demonstrating the value of their security programs.</p><p>I had the opportunity to run countless real-world calculations on HackerOne customers to measure the financial impact of their security programs in the last 2 months. The results each time confirm that:</p><p>With RoM, it is now possible to demonstrate how every dollar spent on proactive security directly protects the bottom line.</p><p>A security leader at a global financial infrastructure provider describes it best:</p><p>“RoM allows me to justify a $300,000 investment against a potential $5 million critical breach. With this metric, I can show how mitigating vulnerabilities through continuous security testing prevents costly breaches and justifies spending.”</p><p>While the advanced RoM calculator is available to customers, we have also developed a&nbsp;<a href="https://www.hackerone.com/info/return-mitigation-calculator">light version</a> that allows anyone to explore the concept and run their calculations using high and critical severity findings.&nbsp;</p><h3><strong>HackerOne customers can run RoM calculations in real time</strong></h3><p>The RoM framework is now available to HackerOne customers, who can use the RoM calculator to measure their security investments in real financial terms.</p><p>With the<a href="https://www.hackerone.com/hai-your-hackerone-ai-copilot">&nbsp;HackerOne AI Copilot, Hai</a>, customers can automate RoM calculations on every vulnerability submitted to the HackerOne platform. This means customers can instantly assess the potential financial impact of each vulnerability and prioritize mitigation efforts based on real risk data. 
By incorporating things like program history, industry benchmarks, and other key factors—such as assigned CVSS, CVE, or EPSS figures—we can bring in various dimensions to our analysis and make these assumptions as realistic, defensible, and actionable as possible, all within the HackerOne platform.&nbsp;</p><p>And that’s just the beginning!</p><h3><strong>The future of RoM and how you can contribute</strong></h3><p>RoM provides security teams with a clear, quantifiable way to demonstrate their impact, making it easier to secure buy-in, budgets, and long-term investment in proactive security measures. However, for RoM to become a widely adopted industry standard, we need ongoing input from security professionals.</p><p>We’re actively refining RoM to ensure it remains a practical, defensible, and actionable framework for security investment justification. If you’d like to test the RoM calculator and provide feedback on how we can improve it,&nbsp;<a href="https://www.hackerone.com/contact">contact us</a> (or message me on&nbsp;<a href="https://www.linkedin.com/in/nazbozdemir/">LinkedIn</a>); we’d love your insights.</p><p>To learn more, you can read the&nbsp;<a href="https://ma.hacker.one/rom-whitepaper-2025.html">full white paper</a> and join HackerOne’s webinar, “<a href="https://ma.hacker.one/return-on-mitigation-workshop-2025.html">Quantify the Financial Impact of Cybersecurity with Return on Mitigation,</a>” on March 12, 2025. In this webinar, we’ll discuss real-world applications of RoM and how you can use it in your organization!</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/return-mitigation" hreflang="en">Return on Mitigation</a>
            <a href="https://www.hackerone.com/blog/topic/research" hreflang="en">Research</a>
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>

            <p><a href="https://www.hackerone.com/blog/roi-isnt-cutting-it-6-questions-help-cisos-better-quantify-security-investments"><em>How do you justify a cybersecurity investment?</em></a> It’s a question every security leader struggles with. The problem is that the traditional Return on Investment (ROI) model simply doesn’t work in cybersecurity. Unlike traditional investments that generate direct revenue, security spending is all about risk reduction, breach prevention, and avoiding financial losses.</p><p dir="ltr"><em>But how do you quantify the value of something that hasn't happened?</em></p>
      ]]></description>
  <pubDate>Thu, 27 Feb 2025 14:13:28 +0000</pubDate>
    <dc:creator>joseph@hackerone.com</dc:creator>
    <guid isPermaLink="false">5560 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>DORA Compliance Is Here: What Financial Entities Should Know</title>
  <link>https://www.hackerone.com/blog/dora-compliance-here-what-financial-entities-should-know</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">DORA Compliance Is Here: What Financial Entities Should Know</span>
    



    
        Michael Woolslayer, Policy Counsel
        Vanessa Booth, Policy Analyst

<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 02/03/2025 - 08:45
</span>

            
  
      
  
            January 31st, 2025

            <h2>What Does DORA Regulate?</h2><p><a href="https://www.hackerone.com/blog/dora-what-you-need-know">DORA applies</a> to a wide range of financial entities operating in the EU, including banks, insurers, investment firms, and payment institutions, along with critical third-party service providers such as cloud and data providers. Essentially, any organization that provides key infrastructure for financial services will be required to comply with some or all of DORA’s operational resilience standards.</p><h2>What Does DORA Aim to Achieve?</h2><p>DORA’s primary goal is to enhance the digital resilience of the EU’s financial sector by ensuring that firms are well-prepared to handle and recover from Information and Communication Technology (ICT) disruptions. The regulation establishes a framework for cybersecurity and operational risk management across financial institutions, focusing on reducing the potential impact of cyber threats and system failures.</p><h2>What Are DORA’s Security Requirements?</h2><p>DORA mandates several key cybersecurity and operational resilience requirements for financial entities:</p><ol><li><strong>Risk Management Framework: </strong>Firms must implement comprehensive risk management practices to identify, assess, and mitigate ICT risks.</li><li><strong>Third-Party Risk Management: </strong>Financial entities must ensure third-party service providers adhere to DORA’s security standards, including implementing particular contractual terms and conducting ongoing monitoring and due diligence.</li><li><strong>Digital Resilience Testing: </strong>Firms are required to perform stress tests and regular pentests, in addition to threat-led penetration tests (TLPT) at least every 3 years, based on <a href="https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-29_-_Final_report_DORA_RTS_on_TLPT.pdf">Regulatory Technical Standards (RTS)</a> for TLPT expected to be adopted by the European Commission in early 
2025.</li><li><strong>Incident Reporting: </strong>DORA mandates a clear process for reporting major ICT-related incidents to regulators within specified timeframes.</li><li><strong>Information Sharing: </strong>The regulation does not require but encourages entities to share cyber threat intelligence to bolster collective cyber security efforts across the financial sector.</li></ol><h2>How Does a Covered Financial Entity Demonstrate Compliance, and What Happens if It Doesn’t Comply?</h2><p>Covered entities must ensure they meet DORA’s security standards by implementing appropriate risk management practices, third-party oversight, and resilience testing. While fines or criminal sanctions are not included in the DORA regulation, individual EU Member States can institute penalties and criminal sanctions in their national laws. These may include fines of up to 2% of an entity’s total annual worldwide revenues or up to 1 million euros, and even steeper penalties of up to 5 million for critical third-party ICT providers. Entities must also submit detailed reports outlining their efforts to manage ICT risks, test their resilience, and respond to cyber incidents.</p><h2>When Do These Requirements Take Effect?</h2><p>DORA entered into force on January 16, 2023, and the full compliance deadline was January 17, 2025.</p><h2>What's the Likely Impact of These New Requirements?</h2><p>DORA’s implementation will likely enhance the overall security posture of the EU financial sector by requiring financial entities to adopt stronger risk management frameworks and resilience practices. The regulation will also increase transparency, as firms must disclose to competent authorities information about their cybersecurity measures and third-party relationships. 
Overall, DORA aims to ensure that financial institutions are better prepared to handle emerging cyber threats, ultimately protecting consumers and the financial system as a whole.</p><h2>We Might Be Subject to These New Requirements—What Should We Do?</h2><p>With the January 17, 2025 deadline already passed, financial entities should review their existing cyber security policies and practices to ensure they meet DORA’s requirements.</p><p>HackerOne offers a comprehensive suite of security solutions designed to help financial services organizations meet DORA compliance requirements. Our portfolio includes <a href="https://www.hackerone.com/blog/crest-and-pentesting-what-you-need-know">CREST-accredited</a> Pentest as a Service (PTaaS), Code Security Audits, Bug Bounty programs, and Spot Checks. This integrated approach aligns with DORA's mandates for regular and comprehensive ICT risk assessment and management, as outlined in <a href="https://www.digital-operational-resilience-act.com/Article_24.html">Articles 24</a> and <a href="https://www.digital-operational-resilience-act.com/Article_25.html">25</a>.</p><p><a href="https://www.hackerone.com/contact">Contact HackerOne to learn more.</a></p>
      
            
            <a href="https://www.hackerone.com/blog/public-policy" hreflang="en">Public Policy</a>
            <a href="https://www.hackerone.com/blog/topic/security-compliance" hreflang="en">Security Compliance</a>
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>

            <p>The <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&amp;from=FR" target="_blank">Digital Operational Resilience Act (DORA)</a>, which came into force in the European Union on January 17, 2025, establishes comprehensive requirements for the financial sector to strengthen its resilience to ICT-related disruptions, including cyberattacks and technical failures.</p>
      ]]></description>
  <pubDate>Mon, 03 Feb 2025 14:45:04 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5472 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Hope in the Fight Against Cyber Threats: A New Year’s Message to CISOs</title>
  <link>https://www.hackerone.com/blog/hope-fight-against-cyber-threats-new-years-message-cisos</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Hope in the Fight Against Cyber Threats: A New Year’s Message to CISOs</span>
    



    
        Kara Sprague, CEO

<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 01/23/2025 - 08:14
</span>

            
  
      
  
            January 23rd, 2025

            <h2>Facing the Reality: Cybersecurity’s Mounting Pressures</h2><p dir="ltr">The cybersecurity landscape is evolving at an unprecedented pace. This past year, breaches resulting from exploited vulnerabilities&nbsp;<a href="https://www.techtarget.com/searchsecurity/news/366582952/Verizon-DBIR-Vulnerability-exploitation-in-breaches-up-180" target="_blank">grew 180%</a>, and at HackerOne, we’ve seen&nbsp;<a href="https://hackerpoweredsecurityreport.com/the-top-ten-vulnerabilities/">a 12% jump in vulnerability reports</a> across our customer programs. Attack surfaces continue to expand, with AI systems as the new frontier and systems becoming increasingly interconnected. Threat actors are growing in number and boldness, and attack techniques are increasing in sophistication. And, as the headlines remind us all too often, breaches are not just a possibility but a probability.</p><p dir="ltr">It's natural to feel hopeless in the face of these developments. But within these challenges lies an opportunity to build something stronger than ever before.</p><h2>Finding Opportunity in Adversity</h2><p dir="ltr">Every challenge we face brings with it a silver lining: an opportunity to innovate, collaborate, and grow stronger. Over the past year, we've witnessed the transformative power of resilience. Organizations are increasingly adopting proactive security measures and leveraging cutting-edge tools like AI to detect and respond to threats faster than ever before. At the same time, crowdsourced cybersecurity programs are gaining momentum, demonstrating greater adoption and effectiveness. In fact,&nbsp;<a href="https://hackerpoweredsecurityreport.com/the-top-ten-vulnerabilities/">more than one-quarter of valid vulnerabilities</a> found through HackerOne programs are rated as critical or high severity. 
This highlights the value of collaboration with security researchers—helping organizations uncover and address vulnerabilities before they escalate into crises.&nbsp;</p><p dir="ltr">This year, I encourage you to consider how these opportunities can apply to your organization. Where is there potential for you to be more proactive in your security strategy? Which solutions and partnerships offer the highest return in strengthening your security posture? And perhaps most importantly, how do you, as a leader, reframe adversity as a catalyst for progress?</p><h2>The AI-Human Alliance in Cybersecurity</h2><p dir="ltr">At the heart of modern cybersecurity strategies lies the powerful synergy between human ingenuity and cutting-edge technology. While tools like AI have revolutionized how we identify and address vulnerabilities, their effectiveness hinges on the expertise and guidance of the people behind them. Your teams—the analysts, engineers, and researchers working tirelessly to defend against threats—are, without a doubt, your greatest asset. Equally invaluable are your partners, whether they be vendors, security researchers, or other collaborators who bring diverse perspectives and specialized knowledge to the table.</p><p dir="ltr">This blend of AI-driven efficiency and human insight is essential for staying ahead of increasingly sophisticated adversaries. It empowers us to adapt, innovate, and uncover even the most elusive vulnerabilities before they become threats. With AI, we can process vast amounts of data at speeds that would be impossible for humans alone, spotting patterns and anomalies that might otherwise go unnoticed. However, it is human expertise that ensures these tools are applied strategically, interpreting complex data in context and making nuanced decisions that automated systems alone can't achieve. 
Together, they form an agile and responsive defense system capable of outpacing the evolving tactics of cybercriminals.</p><p dir="ltr">A prime example of this approach in action is Amazon and AWS, who have been leveraging this combination in their security program with HackerOne for over eight years. In that time, they’ve received over 9,000 valid reports and paid over $30 million in rewards and bonuses to 6,000 security researchers. Each report from a researcher helps Amazon raise the bar on security, providing unique perspectives on their entire landscape and uncovering vulnerabilities that might otherwise go unnoticed. This partnership exemplifies how human ingenuity, paired with the right platform, can transform how organizations tackle cybersecurity challenges.&nbsp;<a href="https://youtu.be/pNJNdrZN0YA?si=MbAFjNm82AT-9izX" target="_blank">You can hear more in this short video</a>.&nbsp;</p><p dir="ltr">As you look to 2025, I encourage you to assess the talent and technology powering your charter. Build a culture that empowers your teams to leverage AI-powered capabilities while recognizing where human insight remains essential. Foster trust and resilience, and seek out new perspectives and partnerships. Sometimes the best solutions come from unexpected places.</p><h2>Let’s Build a Resilient Future Together</h2><p dir="ltr">In 2025, let’s shift the narrative. Instead of focusing on what we’re fighting against, let’s focus on what we’re building together: a more secure, more resilient digital world. Let’s embrace the tools and partnerships that empower us to stay ahead of threats. Let’s champion a mindset where security is seen not as a burden but as an enabler of innovation and trust.</p><p dir="ltr">At HackerOne, we’re committed to being your ally in this fight. 
We believe that no challenge is insurmountable when we work together and we’re here to support you every step of the way.</p><h2>Closing Thoughts</h2><p dir="ltr">To every CISO reading this: I see the challenges you face and the incredible work you do to overcome them. The road ahead won’t be easy, but we can navigate it together. You are not alone in this fight to build a safer internet. With the right mindset, tools, and partnerships, 2025 can be a year of meaningful progress for cybersecurity.</p><p dir="ltr">Here’s to a new year of resilience, innovation, and hope.</p>
      
            
            <a href="https://www.hackerone.com/blog/from-the-ceo" hreflang="en">From The CEO</a>
            <a href="https://www.hackerone.com/blog/topic/ai-safety-security" hreflang="en">AI Safety &amp; Security</a>
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>

            <p>As we settle into 2025, I want to take a moment to reflect on the state of cybersecurity—not just as an industry but as a shared mission. For CISOs, the stakes have never been higher. Protecting your organizations against increasingly sophisticated adversaries, managing constrained budgets, and ensuring business continuity in an unpredictable world—it’s a daunting charter, and it can feel isolating. But I’m here to remind you: You are not alone.</p>
      ]]></description>
  <pubDate>Thu, 23 Jan 2025 14:14:53 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5468 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>ROI Isn’t Cutting It: 6 Questions to Help CISOs Better Quantify Security Investments</title>
  <link>https://www.hackerone.com/blog/roi-isnt-cutting-it-6-questions-help-cisos-better-quantify-security-investments</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">ROI Isn’t Cutting It: 6 Questions to Help CISOs Better Quantify Security Investments</span>
    



    
        Naz Bozdemir, Senior Product Manager

<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 01/07/2025 - 10:02
</span>

            
  
      
  
            January 7th, 2025

            <p dir="ltr">However, in cybersecurity, quantifying net profit becomes significantly more complex due to the intangible nature of its benefits and the absence of direct revenue generation. Cybersecurity investments typically do not produce direct income; instead, they function as protective measures that prevent potential losses such as data breaches, business downtime, ransomware attacks, damage to brand reputation, and loss of customer trust.&nbsp;</p><h3>1. How do you assign value to risks associated with vulnerabilities?</h3><p dir="ltr">A majority of security leaders in our survey expressed the following direct and indirect costs as important considerations when evaluating the risks associated with vulnerabilities:</p><table><thead><tr><th>% of Respondents</th><th>Assessing the risk of a vulnerability</th><th>Implication</th></tr></thead><tbody><tr><td>82%</td><td>Emphasized the importance of customer trust and brand reputation in risk assessments</td><td>Non-financial aspects like customer trust and brand reputation are seen as essential when assessing cybersecurity risks.</td></tr><tr><td>77%</td><td>Rated compliance and regulatory implications highly in risk evaluations</td><td>Compliance with regulations and avoiding penalties are critical factors driving security investments.</td></tr><tr><td>84%</td><td>Highlighted operational impact as a key risk consideration</td><td>Organizations prioritize minimizing disruptions to operations when evaluating the importance of addressing security vulnerabilities.</td></tr></tbody></table><h2>Introducing Return on Mitigation (ROM): Proof of Cybersecurity's Profitability</h2><p dir="ltr">Initially introduced by HackerOne in a <a href="https://www.hackerone.com/report/sans-whitepaper-human-powered-security-testing">SANS white paper</a>, ROM is an ROI calculation that uses "mitigated losses" as the investment's upside instead of net profit. 
It's a simple but powerful shift in mindset that demonstrates how cybersecurity can be considered profitable for a business rather than a cost center.</p><h3>2. How do I simplify cybersecurity's value in monetary terms?</h3><p dir="ltr">One of the most compelling aspects of ROM is its ability to translate the benefits of cybersecurity into the most universally understood language: money. For executives and board members, especially those responsible for financial oversight, such as Chief Financial Officers (CFOs), the decision to invest in cybersecurity initiatives often hinges on a clear understanding of their financial impact. ROM enables cybersecurity leaders to express complex security concepts in terms that resonate with non-security stakeholders by attaching dollar values to both the risks and the benefits of cybersecurity measures.</p><h2>How to use ROM to Justify Budget</h2><p dir="ltr">ROM can help security teams justify their budget requests by quantifying the potential financial impact of mitigated risks. By showing how investments in tools, training, or personnel can prevent costly incidents, ROM turns abstract risks into clear financial metrics that resonate with executives and board members.</p><h3>3. How do I quantify the intangible benefits of cybersecurity?</h3><p dir="ltr">One of ROM's strengths is that the calculation allows the inclusion and quantification of intangible aspects of cybersecurity, such as reputation, customer trust, and operational stability. These factors, while not directly tied to revenue generation, have significant financial implications. For instance, a data breach can erode customer trust, resulting in churn and lost future sales. By assigning a dollar value to these potential losses based on factors like Customer Lifetime Value (CLTV) and projected churn rates, ROM transforms abstract risks into concrete financial metrics. 
This approach not only makes the benefits of cybersecurity investments more tangible but also aligns security initiatives with the financial language used in boardrooms.</p><h2>How to use ROM to Prioritize Security Initiatives</h2><p dir="ltr">ROM can help organizations prioritize security initiatives by focusing on those that offer the highest potential for mitigating financial losses. This ensures resources are allocated to the most impactful areas, improving the overall efficiency of the security program.</p><h3>4. How do I secure budget approval?</h3><p dir="ltr">ROM streamlines the budget approval process by providing security teams with a framework to build a compelling business case for their funding requests. By demonstrating how investments in security tools, training, or personnel translate to avoided costs and improved financial outcomes, ROM allows cybersecurity leaders to speak directly to the concerns of financial decision-makers, increasing the likelihood that security budgets will be approved.</p><h2>How to Use ROM to Compare Investment Options</h2><p dir="ltr">Organizations can use ROM to compare different security programs or initiatives based on their cost-effectiveness. For instance, the ROM for a bug bounty program could be compared with traditional penetration testing services to determine which approach yields a higher return in terms of risk reduction.</p><h3>5. How do I align security initiatives with business objectives?</h3><p dir="ltr">By nature, ROM supports the alignment of cybersecurity initiatives with broader business objectives. When security investments are framed as measures that protect&nbsp;<em>revenue</em> streams, maintain<em> customer loyalty</em>, and ensure&nbsp;<em>operational continuity</em>, they are more likely to be perceived as essential components of the company's strategic planning. All of these can be quantified and included in the calculation's "mitigated losses" parameter. 
ROM enables cybersecurity leaders to provide a compelling narrative that aligns with the organization's business objectives.</p><h2>How to Use ROM to Improve Board Reporting and Stakeholder Communication</h2><p dir="ltr">ROM provides a financial metric that translates cybersecurity benefits into terms that non-technical stakeholders understand. It can be used in board reports or presentations to demonstrate how cybersecurity investments contribute to the organization’s financial resilience.</p><h3>6. How do I measure the impact of risk mitigation efforts over time?</h3><p dir="ltr">ROM can be used as a metric to track the effectiveness of risk mitigation efforts over time. By calculating ROM annually or quarterly, organizations can assess how well their security measures are performing in terms of reducing potential losses.</p><h2>How to Use ROM to Analyze the Financial Impact of an Incident</h2><p dir="ltr">After a security incident, ROM can be used to assess the financial impact of the event and determine the effectiveness of mitigation measures that were in place. This analysis can inform future strategies to strengthen the organization’s security posture.</p><p><a href="https://www.hackerone.com/vulnerability-management/quantifying-value-bug-bounty-programs-roi-rom-or-both"><em>Read our blog</em></a><em> to learn more about calculating ROM for your organization, and stay tuned for our upcoming white paper: Measuring What Matters: CISOs Guide to ROI Through Loss Mitigation.</em></p>
      

            
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>

            <p>ROI has long been the standard for measuring investment efficacy, but applying it to cybersecurity investments is challenging, as determining what to include as net profit and expenses is not straightforward. In traditional investments, calculating net profit is straightforward: you invest a certain amount of capital and expect a return that exceeds your initial spend, resulting in a clear net profit. For example, spending $100 on online advertising that generates $150 in sales yields a net profit of $50 ($150 in sales minus $100 in costs).</p>
      ]]></description>
  <pubDate>Tue, 07 Jan 2025 16:02:34 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5464 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>How Ethical Hackers Help AS Watson Address Digital Risk</title>
  <link>https://www.hackerone.com/blog/how-ethical-hackers-help-watson-address-digital-risk</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">How Ethical Hackers Help AS Watson Address Digital Risk</span>
    



    
        H1 Team

<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 04/12/2022 - 22:14
</span>

            
  
      
  
            March 19th, 2024

            <p>AS Watson Group knows this as well as anyone. As the world’s largest international health and beauty retailer, they are in charge of the security for a footprint that includes more than 16,400 stores in 29 markets, 5.5 billion customers, and 130,000 employees.&nbsp; As part of their security strategy, they turned to HackerOne Bounty to help fortify their expanding digital presence and ensure that their assets remain as secure as possible as their attack surface changes.</p><p>We recently met with AS Watson’s Chief Information Security Officer (CISO), Feliks Voskoboynik, to learn how ethical hackers have helped with digital transformation and enabled his team to harden their attack surface. Read on to learn Feliks’ advice on including a bug bounty program as part of a security strategy, the lessons ethical hackers have provided, and what best practices he can share with other CISOs.&nbsp;&nbsp;</p><h2>Q: Tell us about AS Watson.</h2><h4>Feliks:</h4><p>Established in 1841, AS Watson Group is the world’s largest international health and beauty retailer, with over 16,400 stores in 29 markets. In recent years, cybersecurity threats have been a growing concern that we cannot underestimate. The retail industry is a very attractive target for cybercriminals due to the retention of highly valuable customer information. We must protect this information from potential cyber threats, and that’s where cybersecurity comes in. At AS Watson Group, our IT Security team strives to continuously strengthen the cyber defense in the organization. Our ultimate goal is to keep our organization safe and secure to enable employees and customers to work and conduct business in a safe environment.&nbsp;&nbsp;</p><h2>Q: Do hackers help AS Watson with digital transformation goals?</h2><h4>Feliks:&nbsp;</h4><p>Every day, we strive to build a stronger international network and O+O (Offline plus Online / O plus O) platforms for customer connectivity. 
We focus on the O+O strategy, which makes seamless offline and online customer experiences. This digital transformation program induces a big attack surface for us, and our community of ethical hackers is helping us mitigate the risks and increase our security maturity. We wanted to have the possibility to invite a global hacking community because this is the easiest way to get top skilled hackers to assess the security of our assets.</p><h2>Q: How do ethical hackers help identify vulnerability trends?</h2><h4>Feliks:</h4><p>Several times, hackers helped us with different types of vulnerabilities related to e-commerce. The creativity of the findings increased the security awareness of our product and development teams to release secure software. Security researchers help us with testing new security tools, as well as the way we configure and deploy them. One example of this was when we wanted to roll out an anti-credential stuffing tool, and hackers helped us find the weak spots and mitigate them.</p><h2>Q: How do ethical hackers help harden your attack surface?&nbsp;</h2><h4>Feliks:</h4><p>The creativity of hackers is key to hardening our attack surface. When we receive a creative proof of concept (POC) from a hacker, we can use that process to review and verify that the specific vulnerability (or a similar one) is not reproducible on new assets. This approach gives us insights into where potential vulnerabilities might be and led us to introduce new cross-checking activities as part of the investigation and remediation process to verify a single risk on multiple components, such as inherited code into new assets.</p><h2>Q: How do you use vulnerability insights to train internal teams?</h2><h4>Feliks:</h4><p>Specific findings of hackers enabled us to build a new secure code training program for our development teams. We monitor the trends of vulnerabilities and leverage them to build a training baseline to reduce the risks to our assets. 
The training program has helped us increase the quality of the code and reduce vulnerabilities. It’s also increased our prevention capabilities by shifting left as much as possible to secure the SDLC. We noticed a decrease in total valid reports over the years, and we lowered costs by remediating issues in live environments.&nbsp;</p><h2>Q: How do you report on the value of working with ethical hackers?</h2><h4>Feliks:</h4><p>Considering our big attack surface, it’s a challenge to scale up penetration testing teams, even with third-party engagement. Our first KPI was on the resources we were saving compared to standard, time-boxed penetration testing activities. We also developed an internal KPI on vulnerability trends on specific brands, remediation, risk reduction, and more. With the community, you have many different areas of expertise compared to a single resource executing a time-boxed penetration test.</p><h2>Q: What ROI do you expect to see from your bug bounty program?&nbsp;</h2><h4>Feliks:</h4><p>The ROI comes from the fact that we rely on HackerOne to find and deliver critical issues every day. Therefore, the ROI is that HackerOne finds issues daily.</p><h2>Q: What advice would you give to other CISOs planning to start a bug bounty program?</h2><h4>Feliks:</h4><p>Start with building a robust vulnerability management program to handle the reports properly and make the program scale. When you design the rules of engagement, you need to clearly understand the risks you want to prioritize and identify your risk appetite.&nbsp;</p><p>When you start a program, you will engage a community that requires your continuous commitment. Hackers are like customers, and they require time and effort to establish and maintain a relationship. It is crucial to properly manage the program KPIs, time-to-response, time-to-bounty, etc., which requires a proper team to handle it.&nbsp;</p><p>At AS Watson Group, we consider the community as an extension of our team. 
In addition, we organize and plan to do many different events and contests to keep the hackers engaged with our programs.</p><h2>Q: What’s the biggest lesson you’ve learned from hackers?</h2><h4>Feliks:</h4><p>Security is a journey, not a destination. No matter what you do or how secure your organization is, risks and vulnerabilities still exist. Engaging a community of researchers and ethical hackers ensures those with skills comparable to cybercriminals are testing your assets, which helps with findings and remediation and builds.</p><p>Learn more about <a href="https://hackerone.com/watson_group?type=team">AS Watson's bug bounty program</a>, or <a href="https://www.hackerone.com/contact">get started on your own with HackerOne</a>.</p>
      
            
            <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>

            <p><span><span><span><span><span><span>Retail and e-commerce brands are seeing significant growth due, in large part, to the digital transformation occurring in the industry. In today’s rapidly changing threat landscape, retailers are an attractive target for potential cybercriminals, with high amounts of customer data under their purview and a critical business need to deliver consistent customer experiences to the world’s shoppers.</span></span></span></span></span></span></p>
      ]]></description>
  <pubDate>Wed, 13 Apr 2022 03:14:43 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5136 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Five Takeaways from Ohio Secretary of State's VDP Success Story</title>
  <link>https://www.hackerone.com/blog/five-takeaways-ohio-secretary-states-vdp-success-story</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Five Takeaways from Ohio Secretary of State's VDP Success Story</span>
    



    
        elizabeth@hackerone.com
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 07/18/2023 - 11:00
</span>
            July 18th, 2023

      
            <p>Recently, Ohio Secretary of State Chief Information Security Officer Jillian Burner and HackerOne Co-founder and Head of Professional Services Michiel Prins presented at the <a href="https://www.iaca.org/conference-2023/" target="_blank">46th annual IACA Conference</a> in Indianapolis to share the benefits of VDPs and lessons learned from the Ohio Secretary of State’s program, and to advise on easy ways that other agencies can follow Ohio’s lead to continuously improve security and protect constituent data.</p><p>Read on to learn the top five insights from Jillian and Michiel’s presentation.</p><h4><strong>1. A VDP is a must-have first step in cyber defense.</strong></h4><p>“Cybersecurity is on everyone’s radar, but not everyone knows all the specific details to ensure protection. We know bad actors are constantly looking for cracks in our defenses and applications. That's why it's so important for us to work with ethical hackers. They know what vulnerabilities the bad actors are looking for, and they know how to find them before the bad guys can,” says Jillian.</p><p>For Jillian, working with ethical hackers is of utmost importance and helps her team defend against the unknown. With the help of ethical hacker intelligence, she is able to ensure business continuity by safeguarding digital systems, networks, and constituent data, while maintaining the excellent reputation that the agency is known for.</p><h4><strong>2. A VDP provides continuous watch over digital assets.</strong></h4><p>To stay proactive, the Ohio Secretary of State knew that continuous security testing was one of the most important ways to help them keep up with changing security environments and stay ahead of threats. When they came to HackerOne, they were running external scans and receiving a weekly report, but after that, it was up to their small team to figure everything out. 
They knew they needed a more continuous approach, and they wanted to add human intelligence to their program. With <a href="https://www.hackerone.com/reports/6th-annual-hacker-powered-security-report" target="_blank">92% of ethical hackers saying they can find vulnerabilities that scanners cannot</a>, Jillian’s team knew there could be blind spots. They weren’t willing to risk it.</p><p>“Implementing the VDP helped us triage and supplemented the internal team we were building. We also knew that the federal government was mandating VDP policies for their agencies, and we wanted to be on the forefront of embracing that security policy for our own constituents,” says Jillian.&nbsp;</p><p>The results to date confirm the success of the program. In the three years since the Ohio Secretary of State launched their VDP, ethical hackers have helped identify dozens of valid vulnerabilities, several of which were classified as critical or high.&nbsp;</p><h4><strong>3. Relationships with ethical hackers bolster your security.&nbsp;</strong></h4><p>The main goal for Jillian’s team was to get visibility into any potential vulnerability in order to stay ahead of what the bad actors might be doing.&nbsp;</p><p>“We know the bad actors constantly scan us, so we also know we need the good guys constantly looking at our environment. The key for us is that it’s from an outside stance, not internal, where resources can get pulled in too many directions.”</p><p>Having a formal policy to give ethical hackers a way to contact the right people at the Ohio Secretary of State should they find a vulnerability was the first step. From there, creating a Safe Harbor statement and sharing rules of engagement helped them kick off a seamless integration with the global hacker community. Another benefit of the relationship was that by taking a public, proactive, continuous approach, they were able to build deeper trust with their constituents.&nbsp;</p><h4><strong>4. 
Objections might arise - but they can be overcome.</strong></h4><p>Ohio Secretary of State’s cybersecurity approach establishes a culture of trust and collaboration. Security teams from the public and private sectors have long understood the value ethical hackers can provide, but non-security team members may voice concerns about inviting ethical hackers to test their security. You can overcome these concerns through education, awareness building, and the creation of a detailed strategic plan.</p><p>As Jillian says, “We don’t know what we don’t know. Scanners &amp; automation can never provide what human intelligence can. We’re asking researchers to find vulnerabilities that already exist before the bad actors find them.”</p><p>Some of Jillian’s recommendations for gaining internal buy-in and launching a successful program include starting small and growing the program after you understand your organization’s security journey. As your security maturity increases, she recommends moving from a VDP to a bug bounty program in order to bring more attention and increase engagement from ethical hackers. For Jillian, finding a trusted partner like HackerOne allowed her to gain advice from an industry expert and be confident in the success of her program.</p><p>There may be some hurdles to overcome, including the procurement process and thresholds, so it’s helpful to understand what those processes are and inform your VDP partner so they can help navigate the sales process.</p><p>It’s also crucial to help non-security team members understand the benefits of engaging ethical hackers by connecting them with other agency leaders like Jillian, whose team is already actively engaging with ethical hackers.</p><h4><strong>5. 
Safeguard your digital assets around the clock with ethical hackers</strong></h4><p>“There’s comfort gained knowing that we have help to find things that are difficult to find and knowing that ethical hackers are supplementing our scanning 24/7. It helps us sleep at night,” says Jillian.</p><p>Ohio Secretary of State has seen many benefits to their cybersecurity strategy since implementing their VDP, including seeing improvements to their internal change management processes. They’ve seen good engagements with the hacker community as well.</p><p>“The quality exceeded expectations,” says Jillian. “Some of their reports and reproduction steps have helped us do things that would be really difficult otherwise. We have one anchor researcher, in particular, with a lot of knowledge and skills that we don’t have in our office.”</p><p>VDPs remain a best practice, with the federal government adopting and mandating them, but Jillian sees them as a no-brainer.</p><p>“VDPs add another control to help organizations stay ahead of threats, ensure business continuity and provide reputational defense,” says Jillian. “The last thing you want to do during an election cycle or filing deadline is to see a vulnerability exploit!”</p><p>As the Ohio Secretary of State plans for the future, they look to expand their VDP into a bug bounty program to gain more engagement and attention to their environments. They also plan to continue to improve their internal change management alongside their vulnerability management programs. 
Ultimately, they look to provide more formalized reporting, with a goal to educate their internal teams and continue to preemptively identify and address vulnerabilities to keep constituent data protected.&nbsp;</p><p>–</p><p><a href="https://www.ohiosos.gov/vulnerability-disclosure-policy/#:~:text=We%20require%20that%20you%3A,within%20the%20scope%20section%20below" target="_blank">Click here</a> to learn more about the Ohio Secretary of State’s VDP</p><p>Learn more about Vulnerability Disclosure Process <a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program" target="_blank">here</a></p><p>See how other state and federal agencies work with ethical hackers <a href="https://www.hackerone.com/solutions/government" target="_blank">here</a></p>
      
            
            <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>

            <p><span><span><span><span><span><span>In an effort to reduce cybersecurity risk, the Ohio Secretary of State became the first Secretary of State to launch its Vulnerability Disclosure Program (VDP) in 2020. To date, the Ohio Secretary of State’s VDP has helped them uncover vulnerabilities and improve the efficacy and efficiency of their internal cybersecurity team.</span></span></span></span></span></span></p>
      ]]></description>
  <pubDate>Tue, 18 Jul 2023 16:00:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5254 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Takeaways from a Conversation Between Hackers and Program Managers</title>
  <link>https://www.hackerone.com/blog/takeaways-conversation-between-hackers-and-program-managers</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Takeaways from a Conversation Between Hackers and Program Managers</span>
    



    
        ktansley@hackerone.com
            Customer Advocacy &amp; Marketing
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 07/05/2023 - 14:00
</span>
            July 5th, 2023

      
            <p>In our web event <em>“Getting Vulnerable”</em>, we brought together program managers Jill Moné-Corallo from GitHub, Garrett McNamara from ServiceNow, and Ansgar Pfeifer and Matthew Bryant (aka Mandatory) from Snap, along with top hackers from GitHub and ServiceNow’s programs @rijalrojan and @man4bob. We welcome you to <a href="https://hackerone.wistia.com/medias/skf65rjxta">view the webinar on-demand here</a> or read our key takeaways below.</p><p>&nbsp;</p><p><strong>Key Takeaways for Program Managers:</strong></p><h4><strong>Communication and Engagement are Critical.</strong></h4><p>Hackers emphasize the importance of clear and consistent communication to keep them engaged - and a sustained decrease in responsiveness can cause hackers to stop spending time on a program. Understanding the motivations of hackers (reputational, monetary, etc.) can help incentivize participation, but communication is vital in ensuring both parties get the most out of the relationship. Best practices include direct discussions about specific bugs, providing a reason when reports are downgraded in severity, maintaining a regular dialogue with the hackers in your program, and fostering opportunities for top hackers to meet program managers at events.</p><ul><li><em>“The main reason I’ve decided to leave programs in the past has been the communication side of things. If the platform or product is challenging to hack on, I will always love hacking on it, but if the communication and triage times get worse, I tend to slow my reporting. Sometimes people leave a company and a new person comes in and changes how they triage and respond to hackers, and if it changes drastically I will leave.” </em>– <strong>@rijalrojan</strong></li><li><em>“It’s good to hear some validation that the communication side is as important as we say it is internally. 
There are very similar mindsets between everyone involved - the people triaging reports and the hackers submitting them.” </em>– <strong>Mandatory</strong>, Snap</li></ul><p>&nbsp;</p><h4><strong>Regular Evaluation and Adaptation of the Program Keeps Hackers Engaged.</strong></h4><p>In a world with thousands of bug bounty programs, hackers get to choose where they spend their time. To stay competitive and attractive to hackers, program managers should continually analyze their vulnerability trends, their bounty table, and how they compare to other programs. GitHub, ServiceNow, and Snap highlighted exercises like expanding scope based on mergers and acquisitions activity, raising rewards over time as low-hanging vulnerabilities are picked off, and running promotions to align with product releases or newly discovered vulnerabilities.</p><ul><li><em>“We do a quarterly review and look at trends in our program, and we also review against other programs to make sure that we are staying competitive.” </em>- <strong>Jill Moné-Corallo</strong>,<strong> </strong>GitHub</li><li><em>“Something we’ve done in the past is to create promotions where we add new things to our scope or pay a bonus for certain vulnerabilities like Log4j. We’ve seen a high rate of success and an increase of submissions related to those efforts.” </em>– <strong>Ansgar Pfeifer</strong>,<strong> </strong>Snap</li></ul><p>&nbsp;</p><h4><strong>The Importance of Disclosures and Reputation.</strong></h4><p>Most program managers and hackers view public disclosure as a win-win situation: the disclosing researcher gains recognition for their work, and the company gets free advertisement for their bug bounty program. Collectively, the emphasis is on creating an environment of trust where hackers feel comfortable to disclose their findings in collaboration with the program managers, and where companies see disclosure not as a highlight of their flaws, but a testament to their security posture. 
This is one characteristic that makes the cybersecurity realm so unique - even industry competitors share vulnerability intelligence, in the hope of making the entire internet a little safer.</p><ul><li><em>“I love doing blog posts for fun or exciting vulnerabilities that I find. With GitHub, the vulnerability I found in December was exciting because it ended up impacting the GitHub platform itself. I asked the GitHub team and got their permission in April to disclose it. It helps from the reputational and brand point of view as a hacker, to showcase the vulnerabilities you’re finding.” </em>– <strong>@rijalrojan</strong></li></ul><p>&nbsp;</p><p><strong>Key Takeaways for Hackers:</strong></p><h4><strong>Actionable Reports Are Better for Everyone.</strong></h4><p>Hackers who provide actionable vulnerability reports can position themselves as long-term partners for program managers. Ensuring your reports are detailed and easy to understand helps them get triaged, remediated, and rewarded more quickly. Best practices are to include all the necessary details, clear formatting, videos, or any other information that makes it simple for the program team to understand how to reproduce the hacker's actions. Finally, when a hacker can articulate the impact of the bug and how a malicious attacker could abuse it, it helps the program manager defend the severity score internally.</p><ul><li><em>“You as the hacker know what you're doing on the other side of the screen. We're trying to piece together your process with what you give us in the report. Make it visually easy for us to follow your steps to reproduce the bug. Load us up with any and all detail you can give us.” </em>– <strong>Jill Moné-Corallo</strong>, GitHub</li><li><em>“When writing a report, don’t leave anything out. When we’re reading each report, we’re trying to determine the impact of the bug if a malicious person abused it. 
If the researcher can clarify ahead of time that this report is for an IDOR, I tested it like this, enumerated the IDs like that, here was my HTTP request, then we can assess the impact quickly and reward bounty on triage.” </em>– <strong>Mandatory</strong>, Snap</li></ul><p>&nbsp;</p><h4><strong>Build Trust with Program Managers.</strong></h4><p>Despite the trend of “zero trust” buzzwords, this industry relies on trust. Hackers can build trust with program managers by communicating clearly and professionally, staying within scope and policy, and connecting with program managers at events and conferences. Program managers are often looking for anchor hackers who display the above characteristics, and these hackers are the first choice for VIP or special access programs.</p><ul><li><em>“Another thing we’re doing with some of our most helpful researchers is to give them premium accounts for new technologies we’ve acquired that we want to add to the bounty program scope. There’s a little logistical lift to get that going, but we have good data on who’s really active on our program and who is informed on our platform technology, which is a great place to start for us and for the researchers.” </em>– <strong>Garrett McNamara</strong>, ServiceNow</li><li><em>“ServiceNow actually gave me an opportunity to meet the team back in 2019 at a conference in Las Vegas. It was wonderful meeting with the team and I learned a lot from them.” </em>– <strong>@man4bob</strong></li></ul><p>&nbsp;</p><h4><strong>Templates Enable Efficiency.</strong></h4><p>Nuclei templates emerged from this conversation as an unexpected takeaway, both for hackers and for program managers. From the hacker side, these templates make it simple to document their work and test each bug across a wide range of hosts. For program managers, receiving a report that includes a template or script enables easier reproduction of the bug across their environment. 
With both sides of the table speaking a similar language (YAML, in this case), reproduction and bounty payout can happen faster.</p><ul><li><em>“There were cases where I found multiple hosts to be vulnerable in slightly different ways. So each host was disclosing admin API endpoints without authentication, and there was a specific way I was identifying all those at scale for that company. I ended up attaching a Nuclei template and a script I wrote to auto-exploit the vulnerability and then write a report for me. The template and script I provided helped them find all the instances of that vulnerability in their environment.” </em>– <strong>@rijalrojan</strong></li></ul><p>&nbsp;</p><p>This conversation between hackers and bug bounty program managers illustrated the importance of communication, reputation, and adaptability in this field. We are immensely grateful to all the participants for their candid reflections, and we hope that this discourse will encourage further collaboration and exchange of knowledge between hackers and program managers. Our final takeaway is this evergreen quote from Jill Moné-Corallo: <em>“At the end of the day, we're all humans on each side of the computer.”</em></p>
      
            
            <a href="https://www.hackerone.com/blog/community" hreflang="en">Researcher Community</a>, 
            <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
    

            <p>In recent years, HackerOne has brought hackers and customers together more frequently. Bug bounty and pentests are where these two parts of the HackerOne community have historically met, but fostering open conversations outside of paid engagements has further reinforced the sense of community and collaboration that HackerOne embodies.</p>
      ]]></description>
  <pubDate>Wed, 05 Jul 2023 19:00:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5253 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
