Maximizing Security’s Value to the Business: Understanding ROSI
Security teams today operate in a challenging environment of rising and increasingly sophisticated threats, stringent compliance demands, and limited resources. To thrive, security leaders must focus on creating business-aligned value from their operations. In this edition, we delve into the concept of Return on Security Investment (ROSI) and explore how security teams can demonstrate measurable value to their organizations. Our conversation with Marc Moris, Group Prevention & Protection Lead at Proximus Group, reveals essential insights into aligning security with business objectives to optimize investment returns.
Strategic Alignment: Elevating Security’s Role in Business Value
Security should not operate in isolation; to drive value, it must align with and actively support broader organizational goals. Marc highlights the importance of viewing security not as a stand-alone function but as a contributor to operational efficiency and strategic growth.
"To be truly effective, security must align with the business objectives. It’s about using resources where they bring the most value, proactively anticipating threats, and avoiding disruptions. Security must integrate seamlessly with business operations, not become an operational burden that complicates workflows," says Marc.
Aligning security efforts with strategic business objectives (SBOs) helps ensure that investments contribute meaningfully to organizational goals—whether financial, operational, or reputational. Integrated into Enterprise Risk Management (ERM), security efforts reinforce the company’s resilience and agility.
Building Trust and Embracing Accountability
Earning executive trust goes beyond technical expertise; it requires demonstrating security’s value in business-oriented terms and accepting accountability. As Marc warns, “Taking responsibility towards business outcomes also means that security teams share accountability if something goes wrong.” This accountability underscores the need for security professionals to deliver dependable results and consistent alignment with the organization's mission.
Visual tools, like risk matrices and bowtie diagrams, play a vital role in demystifying complex risk scenarios, making them accessible to non-specialist stakeholders. Regular interaction with other departments - from finance to operations - strengthens security’s business case and ensures it aligns with organizational priorities.
Beyond Loss Prevention: Strategic Opportunities for Security
Traditional security programs often focus on loss prevention, an essential but limited approach that can overlook broader, strategic opportunities. Focusing on resilience, efficiency, and innovation, security leaders can multiply the impact of their function.
“Identifying and leveraging synergies can add significant value. For example, physical security and safety share common goals like minimizing risks to assets and people. By integrating these functions, organizations can streamline resources, improve data utilization, and strengthen overall resilience”, Marc explains.
This alignment enables security teams to contribute more effectively to broader organizational objectives, multiplying the value security brings.
To fulfil this broader role effectively, a security manager must adopt a strategic mindset grounded in comprehensive threat analyses and risk analyses. These analyses serve as critical input channels, providing the foundational data and insights to ensure protection while also uncovering business opportunities.
Measuring Security’s Value with ROSI: A Practical Framework
Understanding the value that security brings to a business necessitates looking beyond the traditional perspective of “negative risk”. The true value of security is also determined by how cost-effective and efficient these measures are, and how they contribute to overall business performance.
Essentially, security’s value is the measurable net contribution of security initiatives to an organization’s objectives.
The ROSI formula, (Benefit − Cost of Security Measures) ÷ Cost of Security Measures, offers a concrete means of calculating security’s financial impact.
For example, a security control costing €50,000 annually that mitigates potential losses of €200,000 provides clear justification for investment, revealing security not just as an expense but as a value generator.
This approach enables security leaders to prioritize initiatives based on effectiveness, helping allocate resources where they deliver the highest returns. Striking the right balance between underinvestment, which leaves vulnerabilities, and overinvestment, which leads to diminishing returns, is critical.
A Real-World Use Case: Enhancing Security with Drones and Personnel
Rising incidents of unauthorized access, theft, and vandalism were significantly impacting a large manufacturing facility, posing risks to both assets and employee safety. Security breaches were escalating with potential annual losses estimated at €200,000. Traditional security measures, including on-foot patrols and CCTV, proved insufficient to effectively cover the vast premises. Using ROSI as a framework, they explored three security solutions:
Calculating ROSI
Given an inherent Annual Loss Expectancy (ALE) of €200,000:
Solution 1 and Solution 2 yield identical ROSI values of 150%, while Solution 3 offers the highest ROSI at 157%, as well as the most effective risk reduction.
Drones alone are the lowest-cost option but leave a larger residual risk, potentially exceeding the organization’s risk appetite (tolerance).
Personnel alone, though more costly, achieves higher risk reduction and a suitable balance of effectiveness against expense.
The hybrid approach combines the strengths of drones and personnel, offering the highest ROSI and 90% risk mitigation. Although slightly higher in cost than drones alone, it substantially improves security effectiveness, reducing losses by €180,000.
After evaluating each option with the ROSI framework, the hybrid approach yielded the highest return, balancing cost and risk reduction most effectively.
Key Considerations for Effective Security Investment:
Adopting a phased approach—such as launching a pilot program to test a small-scale drone surveillance system—allows you to gather empirical data and demonstrate the solution’s effectiveness. This step-by-step validation provides concrete evidence to support a larger rollout, ensuring that the security measures are both effective and aligned with organizational objectives.
Leveraging Pronect for Business-Aligned Security Value
Pronect helps security teams achieve cost-effective, value-driven security management. The platform’s ROSI simulation capabilities enable comparisons of different control strategies, allowing security teams to balance costs with performance and resilience. By consolidating data from multiple sources - such as threat intelligence, incident logs, and security audits - Pronect provides a centralized view of security risks and performance, informing security design. With clear decision trails and management reports, Pronect enables security teams to effectively tell their story and communicate with business stakeholders.
By consistently aligning security investments with business goals and using ROSI to measure and communicate their value, security leaders can build trust and ensure that their work contributes not just to security but to the organization's long-term success.
Many thanks to Marc Moris, Group Prevention & Protection Lead at Proximus Group, for his contribution to this article.