<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>From The CEO</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>A Call for a New Cybersecurity Measurement Standard</title>
  <link>https://www.hackerone.com/blog/new-cybersecurity-measurement-standard</link>
<description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">A Call for a New Cybersecurity Measurement Standard</span>
        Kara Sprague
        CEO
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>joseph@hackerone.com</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 02/27/2025 - 07:47</span>
            February 26th, 2025
            <p>Cybersecurity initiatives provide financial value to organizations. Board members and non-security executives know this to be true.</p>
            <p>That’s why worldwide spending on information security reached an estimated $180B in 2024, per industry analyst Gartner.</p>
            <p>Still, translating the benefits of cybersecurity into dollars and cents has long been a challenge for security teams. This makes optimizing spending on security initiatives difficult because there’s no standard metric for comparing the impact of one versus another. It’s not because there isn’t quantifiable value. It’s because Return on Investment (ROI), the standard used for quantifying the value of an investment, doesn’t directly account for the benefits of cybersecurity measures.</p>
            <h2>Why ROI Doesn’t Cut It for Cybersecurity</h2>
            <p>We dive into more detail in our new paper, <a href="https://ma.hacker.one/rom-whitepaper-2025.html">When ROI Falls Short</a>, but here’s the net of it: the formula for calculating ROI requires a “revenue” or “net profit” value to get the result. Cybersecurity initiatives typically don’t directly generate revenue or a net profit.</p>
            <p>Instead, these initiatives act as a safeguard, preventing potential losses such as data breaches, business downtime, ransomware attacks, reputational damage, and loss of customer trust. As such, an ROI metric that considers profits gained but not losses avoided fails to adequately capture the true impact.</p>
            <h2>Why Return on Mitigation (RoM) Over ROI</h2>
            <p>Security leaders need a metric that reflects the true value of cybersecurity, and ROI isn’t it. Return on mitigation (RoM) redefines how we calculate ROI for cybersecurity. Instead of focusing on net profit, RoM measures “mitigated losses”—the financial damage avoided through proactive security measures.</p>
            <p>If you take a closer look, you’ll notice that the RoM formula is the same as ROI, except instead of "revenue," we use "mitigated loss":</p>
            <p dir="ltr">By factoring mitigated losses instead of revenue, security leaders see a much clearer picture of the financial impact of their cybersecurity efforts on the bottom line—putting a dollar amount to the losses they’ve prevented.</p>
            <p>You can see more detailed examples of how <a href="https://ma.hacker.one/rom-whitepaper-2025.html">RoM is calculated in our ebook</a>, using the cost of breach data, offensive security program results, and exploitation likelihood, or test it yourself with our light <a href="https://www.hackerone.com/info/return-mitigation-calculator">RoM calculator</a>.</p>
            <h2>The Call for RoM Standardization</h2>
            <p>For security leaders, adopting RoM bridges the gap between the theoretical value of cybersecurity testing and the reality of loss prevention. It empowers them to more accurately justify security budgets, communicate value to stakeholders, demonstrate quantifiable risk reduction, and prioritize their resources more effectively—all through a common financial language.</p>
            <p>Now imagine if that common language was also common within an organization and across cybersecurity. The standardization of RoM would provide significant benefits to the entire security community. Establishing a common framework for calculating and communicating the financial impact of cybersecurity investments would enable organizations to make more informed decisions about their security strategies.</p>
            <p>When everyone can calculate loss prevention with the same metric, they can benchmark with peers and across industries and better evaluate vendors and solutions. Meanwhile, it also provides greater support for regulators and cyber insurers, who need clear, methodical financial loss data to design regulatory standards and assess the adequacy of cybersecurity investments.</p>
            <h2>Conclusion</h2>
            <p>If you read my <a href="https://www.hackerone.com/blog/hope-fight-against-cyber-threats-new-years-message-cisos">recent blog</a>, you’ll remember my stance heading into this year: the fight against cyber threats will not be easy and we’re in this fight together. The standardization of RoM is just one practical way organizations can come together in cybersecurity; by implementing an effective, common method for measuring the value of cybersecurity investments, we’re one step closer to taking down cyber threats on a universal scale.</p>
            <a href="https://www.hackerone.com/blog/from-the-ceo" hreflang="en">From The CEO</a>
            <a href="https://www.hackerone.com/blog/topic/return-mitigation" hreflang="en">Return on Mitigation</a>
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
      ]]></description>
  <pubDate>Thu, 27 Feb 2025 13:47:37 +0000</pubDate>
    <dc:creator>joseph@hackerone.com</dc:creator>
    <guid isPermaLink="false">5558 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Hope in the Fight Against Cyber Threats: A New Year’s Message to CISOs</title>
  <link>https://www.hackerone.com/blog/hope-fight-against-cyber-threats-new-years-message-cisos</link>
<description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Hope in the Fight Against Cyber Threats: A New Year’s Message to CISOs</span>
        Kara Sprague
        CEO
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 01/23/2025 - 08:14</span>
            January 23rd, 2025
            <p>As we settle into 2025, I want to take a moment to reflect on the state of cybersecurity—not just as an industry but as a shared mission. For CISOs, the stakes have never been higher. Protecting your organizations against increasingly sophisticated adversaries, managing constrained budgets, and ensuring business continuity in an unpredictable world—it’s a daunting charter, and it can feel isolating. But I’m here to remind you: You are not alone.</p>
            <h2>Facing the Reality: Cybersecurity’s Mounting Pressures</h2>
            <p dir="ltr">The cybersecurity landscape is evolving at an unprecedented pace. This past year, breaches resulting from exploited vulnerabilities <a href="https://www.techtarget.com/searchsecurity/news/366582952/Verizon-DBIR-Vulnerability-exploitation-in-breaches-up-180" target="_blank">grew 180%</a>, and at HackerOne, we’ve seen <a href="https://hackerpoweredsecurityreport.com/the-top-ten-vulnerabilities/">a 12% jump in vulnerability reports</a> across our customer programs. Attack surfaces continue to expand, with AI systems as the new frontier and systems becoming ever more interconnected. Threat actors are growing in number and boldness, and attack techniques are increasing in sophistication. And, as the headlines remind us all too often, breaches are not just a possibility but a probability.</p>
            <p dir="ltr">It's natural to feel hopeless in the face of these developments. But within these challenges lies an opportunity to build something stronger than ever before.</p>
            <h2>Finding Opportunity in Adversity</h2>
            <p dir="ltr">Every challenge we face brings with it a silver lining: an opportunity to innovate, collaborate, and grow stronger. Over the past year, we've witnessed the transformative power of resilience. Organizations are increasingly adopting proactive security measures and leveraging cutting-edge tools like AI to detect and respond to threats faster than ever before. At the same time, crowdsourced cybersecurity programs are gaining momentum, demonstrating greater adoption and effectiveness. In fact, <a href="https://hackerpoweredsecurityreport.com/the-top-ten-vulnerabilities/">more than one-quarter of valid vulnerabilities</a> found through HackerOne programs are rated as critical or high severity. This highlights the value of collaboration with security researchers—helping organizations uncover and address vulnerabilities before they escalate into crises.</p>
            <p dir="ltr">This year, I encourage you to consider how these opportunities can apply to your organization. Where is there potential for you to be more proactive in your security strategy? Which solutions and partnerships offer the highest return in strengthening your security posture? And perhaps most importantly, how do you, as a leader, reframe adversity as a catalyst for progress?</p>
            <h2>The AI-Human Alliance in Cybersecurity</h2>
            <p dir="ltr">At the heart of modern cybersecurity strategies lies the powerful synergy between human ingenuity and cutting-edge technology. While tools like AI have revolutionized how we identify and address vulnerabilities, their effectiveness hinges on the expertise and guidance of the people behind them. Your teams—the analysts, engineers, and researchers working tirelessly to defend against threats—are, without a doubt, your greatest asset. Equally invaluable are your partners, whether they be vendors, security researchers, or other collaborators who bring diverse perspectives and specialized knowledge to the table.</p>
            <p dir="ltr">This blend of AI-driven efficiency and human insight is essential for staying ahead of increasingly sophisticated adversaries. It empowers us to adapt, innovate, and uncover even the most elusive vulnerabilities before they become threats. With AI, we can process vast amounts of data at speeds that would be impossible for humans alone, spotting patterns and anomalies that might otherwise go unnoticed. However, it is human expertise that ensures these tools are applied strategically, interpreting complex data in context and making nuanced decisions that automated systems alone can't achieve. Together, they form an agile and responsive defense system capable of outpacing the evolving tactics of cybercriminals.</p>
            <p dir="ltr">A prime example of this approach in action is Amazon and AWS, who have been leveraging this combination in their security program with HackerOne for over eight years. In that time, they’ve received over 9,000 valid reports and paid over $30 million in rewards and bonuses to 6,000 security researchers. Each report from a researcher helps Amazon raise the bar on security, providing unique perspectives on their entire landscape and uncovering vulnerabilities that might otherwise go unnoticed. This partnership exemplifies how human ingenuity, paired with the right platform, can transform how organizations tackle cybersecurity challenges. <a href="https://youtu.be/pNJNdrZN0YA?si=MbAFjNm82AT-9izX" target="_blank">You can hear more in this short video</a>.</p>
            <p dir="ltr">As you look to 2025, I encourage you to assess the talent and technology powering your charter. Build a culture that empowers your teams to leverage AI-powered capabilities while recognizing where human insight remains essential. Foster trust and resilience, and seek out new perspectives and partnerships. Sometimes the best solutions come from unexpected places.</p>
            <h2>Let’s Build a Resilient Future Together</h2>
            <p dir="ltr">In 2025, let’s shift the narrative. Instead of focusing on what we’re fighting against, let’s focus on what we’re building together: a more secure, more resilient digital world. Let’s embrace the tools and partnerships that empower us to stay ahead of threats. Let’s champion a mindset where security is seen not as a burden but as an enabler of innovation and trust.</p>
            <p dir="ltr">At HackerOne, we’re committed to being your ally in this fight. We believe that no challenge is insurmountable when we work together, and we’re here to support you every step of the way.</p>
            <h2>Closing Thoughts</h2>
            <p dir="ltr">To every CISO reading this: I see the challenges you face and the incredible work you do to overcome them. The road ahead won’t be easy, but we can navigate it together. You are not alone in this fight to build a safer internet. With the right mindset, tools, and partnerships, 2025 can be a year of meaningful progress for cybersecurity.</p>
            <p dir="ltr">Here’s to a new year of resilience, innovation, and hope.</p>
            <a href="https://www.hackerone.com/blog/from-the-ceo" hreflang="en">From The CEO</a>
            <a href="https://www.hackerone.com/blog/topic/ai-safety-security" hreflang="en">AI Safety &amp; Security</a>
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
      ]]></description>
  <pubDate>Thu, 23 Jan 2025 14:14:53 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5468 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
