Cyber security doesn’t generate revenue – that is of course until it stops you from losing millions.
But CISOs and their cyber security teams face a constant challenge of proving ROI in their cyber security investments.
However, recently we discovered a great calculation that could start changing that – just as long as the numbers and the reasoning stack up.
Cyber Security News delved into this topic to review what ROI cyber security teams could expect from their investments. With that context, the simple calculation can help convince boards not only of the high-level operational value of cyber tools, but of the real, tangible return they are going to receive.
The Cyber Security calculation formula is simple:
ROSI = ([ALE × mitigation ratio] – cost of solution) / cost of solution
Shhhh, we worked ours out for CCM and it was an eye-watering 1,187%. (You won’t believe us until we show you… but there’s lots to dive into, which we will cover in other blogs in the series.)
The ROI Problem in Cyber security
Traditional ROI models are built for revenue-generating investments: spend X, earn Y. But cybersecurity doesn’t work that way. It’s not about creating income, it’s about preventing catastrophic loss. And that makes return-on-investment harder to quantify, even when the value is immense.
For CISOs and security leaders this creates a constant challenge: how do you prove the value of something when success often means nothing happens? Boards want numbers. They want justification. But most security metrics speak in technical language – vulnerabilities, patch rates or compliance scores – rather than financial impact.
And while compliance may tick boxes, it doesn’t equate to real protection. Being compliant doesn’t mean you’re secure. It just means you’ve passed an audit at a point in time. Today’s threat landscape demands more than that – it demands proof that your controls are actively working to reduce risk.
That’s where traditional ROI models fall short. They don’t reflect the financial avoidance of ransomware payouts, DDoS disruption or reputational damage. And they certainly don’t help CISOs make the business case for investment.
Until now.
Continuous Controls Monitoring: The Game-Changer
Here’s what CCM is in a nutshell:
- A live view of your risk posture – continuously validates whether your security, IT and compliance controls are actually working.
- Automates evidence collection – replaces manual checks with real-time monitoring across all frameworks and assets.
- Gives you instant assurance – no more waiting for audits or pen tests to find gaps.
- Drives measurable threat reduction – turns control data into actionable insights that reduce exposure.
- Goes beyond dashboards – this isn’t about visualising risk, it’s about actively reducing it.
- Integrates across silos – pulls from any data source to build a unified, real-time view.
- Multiplies ROI across teams – helps Security, IT, Compliance and Risk functions do more with less.
- Makes you audit-ready, always – prove every control, every day – not just during audits.
Continuous Controls Monitoring – You don’t just monitor controls, you quantify the impact.
Let’s put some numbers behind the value.
Continuous Controls Monitoring (CCM) is still seen by some as an emerging technology – “too new” to measure in terms of return on investment. But that perception is out of date.
Using the industry-standard formula highlighted by Cybersecurity News, we can now clearly calculate the financial impact CCM delivers:
ROSI = ((ALE × mitigation %) – cost of solution) / cost of solution
Where:
- ALE (Annual Loss Expectancy) quantifies how much an incident could cost your business each year.
- The mitigation percentage represents how much of that risk the solution reduces, applied as a fraction (for example, 60% = 0.60).
- The cost of solution is your investment in CCM.
This approach shifts cyber security conversations from “what if” to “how much risk are we avoiding – and what’s the ROI?”
For once, security leaders can move beyond theoretical value and show the board exactly what’s at stake in financial terms.
Let’s look at QO’s Metrics
Gary Penolver, our founder and CTO, stated: “Customers running CCM detect and remediate failed controls 5x faster, with a 60%+ reduction in high-risk control gaps within 90 days.”
Across industries, organisations stand to avoid over $1.28M in cyber risk annually based on an investment in CCM, delivering a 1,187% return on security investment.
Here’s how we looked at it:
P (probability) = 0.594
L (average loss) = $3.61M
Mitigation (CCM impact) = 60%
This is how we worked it out:
Step 1: Work out the average cost of ransomware
We first averaged the cost of ransomware from 3 sources and calculated the average cost of ransomware across 8 core industries as $3.61M.
Step 2: Average probability (P) of ransomware
We then looked across those industries at the probability of ransomware, sourced from Sophos, giving an average probability (P) of 0.594.
Step 3: ALE (Annualised Loss Expectancy)
ALE = P × L = 0.594 × $3.61M = $2.144M
Step 4: Risk avoided with CCM (60% mitigation)
CCM Risk Avoidance = ALE × 60% = $2.144M × 0.60 = $1.287M
Final Summary (Across Industries)
- Expected Annual Loss (ALE) = $2.144M
- CCM Risk Avoided (60%) = $1.287M
- CCM Cost = $100K
- ROSI = ((1.287M – 100K) / 100K) × 100 = 1,187%
CCM costs vary and depend on the size of the business; this figure is based on the assumption of an enterprise-level business.
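As an added illustration (not code from the Quod Orbis post), here is the formula and the worked figures above expressed as a small Python calculator. It uses the post’s inputs (P = 0.594, L = $3.61M, 60% mitigation, $100K cost) and adds two checks the post does not show: the break-even mitigation fraction (the smallest share of ALE a control must remove to pay for itself) and the largest annual spend at which ROSI stays non-negative, plus a sensitivity sweep over mitigation values. The `Scenario` class and the function names are my own assumptions, not anything from the post.

```python
"""Return on Security Investment (ROSI) calculator.

Implements the formula used in the post:
    ALE  = P * L
    ROSI = ((ALE * mitigation) - cost) / cost
where mitigation is a fraction (60% -> 0.60) and cost is the annual
cost of the control in the same currency as L.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """Inputs for one ROSI calculation (class name is my own, not the post's)."""
    probability: float   # P: annual probability of the incident, 0..1
    average_loss: float  # L: average loss per incident
    mitigation: float    # fraction of ALE removed by the control, 0..1
    cost: float          # annual cost of the control


def annual_loss_expectancy(probability: float, average_loss: float) -> float:
    """ALE = P x L."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    if average_loss < 0:
        raise ValueError("average_loss must be non-negative")
    return probability * average_loss


def risk_avoided(ale: float, mitigation: float) -> float:
    """Portion of the ALE the control is credited with removing."""
    if not 0.0 <= mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    return ale * mitigation


def rosi(s: Scenario) -> float:
    """ROSI as a ratio (multiply by 100 for a percentage)."""
    if s.cost <= 0:
        raise ValueError("cost must be positive")
    ale = annual_loss_expectancy(s.probability, s.average_loss)
    return (risk_avoided(ale, s.mitigation) - s.cost) / s.cost


def break_even_mitigation(s: Scenario) -> float:
    """Mitigation fraction at which avoided risk exactly equals cost (ROSI = 0).

    A result above 1.0 means the control cannot pay for itself at this ALE.
    """
    ale = annual_loss_expectancy(s.probability, s.average_loss)
    if ale == 0:
        return float("inf")
    return s.cost / ale


def break_even_cost(s: Scenario) -> float:
    """Largest annual spend at which ROSI is still non-negative."""
    ale = annual_loss_expectancy(s.probability, s.average_loss)
    return risk_avoided(ale, s.mitigation)


def sensitivity(s: Scenario, mitigations) -> list:
    """ROSI for each candidate mitigation fraction, other inputs held fixed."""
    return [(m, rosi(replace(s, mitigation=m))) for m in mitigations]


# Inputs taken from the post's worked example (enterprise-level CCM deployment).
CCM_EXAMPLE = Scenario(probability=0.594, average_loss=3.61e6,
                       mitigation=0.60, cost=100_000)

if __name__ == "__main__":
    ale = annual_loss_expectancy(CCM_EXAMPLE.probability, CCM_EXAMPLE.average_loss)
    print(f"ALE:                   ${ale:,.0f}")
    print(f"Risk avoided:          ${risk_avoided(ale, CCM_EXAMPLE.mitigation):,.0f}")
    print(f"ROSI:                  {rosi(CCM_EXAMPLE) * 100:,.0f}%")
    print(f"Break-even mitigation: {break_even_mitigation(CCM_EXAMPLE):.1%}")
    print(f"Break-even cost:       ${break_even_cost(CCM_EXAMPLE):,.0f}")
    for m, r in sensitivity(CCM_EXAMPLE, (0.2, 0.4, 0.6, 0.8)):
        print(f"  mitigation {m:.0%} -> ROSI {r * 100:,.0f}%")
```

With the post’s inputs the script reproduces the 1,187% figure, and the break-even check shows that at a $2.144M ALE the control only needs to remove a little under 5% of that risk to cover a $100K spend, which is the sort of sanity check a board will ask for when the 60% mitigation assumption is questioned.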
The Hidden ROI: Beyond Cost Avoidance
While the obvious ROI of CCM lies in avoiding costly breaches, its hidden value runs much deeper. Continuous Controls Monitoring drastically reduces the time, effort and resources required to maintain audit readiness – transforming painful, manual compliance cycles into real-time, automated assurance.
It cuts compliance overhead by eliminating repetitive control testing and evidence collection. Beyond internal efficiencies, CCM also improves vendor accountability by continuously tracking third-party controls, making supply chain risk more transparent and actionable. And perhaps most critically, it enables proactive risk mitigation – so when something fails, you catch it faster, respond quicker and limit the blast radius. These operational gains add up fast, and they’re just as critical to business resilience as avoiding direct losses.
On average our customers see:
- 76% reduction in overall costs
- 53% more vulnerabilities detected
- On average 1k more devices discovered
- 3x greater visibility across their entire ecosystem
- On average £6 million saved on controls testing
CCM doesn’t just monitor controls, it reveals hidden assets, uncovers risks and drives massive cost savings.
The Boardroom Conversation
- ROI gives CISOs a new language: dollars, not just vulnerabilities
- Move from reactive to strategic
- Shift perception: Security as a business enabler
“Ready to turn your controls data into a business case? Here’s how Quod Orbis can help.”
Sources of data:
- Sophos, “The State of Ransomware 2024”: https://assets.sophos.com/X24WTUEQ/at/6n6ntcbcqtrtcqr2z8nww8/sophos-state-of-ransomware-2024-wp.pdf
- IBM, Cost of a Data Breach Report: https://www.ibm.com/reports/data-breach
- Verizon DBIR 2024 (or 2023 if newer not yet available)
- ENISA Threat Landscape
- Coveware, Ransomware Quarterly Reports
  - Tracks actual enterprise ransomware payments and costs.
  - Q1 2020 reported average enterprise ransom payments around $111,605, and Q2 2024 reported a $391,015 average demand.
  - These reports are widely cited by Zscaler’s ThreatLabz and other industry analysts.
- Bank of America / BofA Securities