Steering Towards a ROSI Future: The Benefits of an Integrated Return on (Cyber)Security Investment Strategy
The Competitive Advantage of Integrating ROSI Into Cybersecurity Strategies
Cybersecurity is increasingly a global strategic priority for businesses. With the scale, frequency and complexity of threats ramping up, it is essential to invest in data protection and systems – and invest right. In Europe, a raft of regulatory requirements is adding to the pressure on companies to ramp up measures.
Ensuring an optimal balance between budgetary needs and a robust defense against such threats requires a clear understanding of Return on Security Investment (ROSI). In this article we will explore how businesses that effectively integrate ROSI into their security strategies can gain a significant competitive advantage while protecting their resources, aligning with the overall business vision and achieving regulatory compliance.
Cybersecurity in Europe: Regulation and strategy
In Europe, cybersecurity has become a critical focus for businesses, driven both by regulatory requirements and the increasing frequency of cyber threats.
In the six months through April 2024, Europe saw over 2.2 billion records breached in 556 publicly disclosed incidents [1]. The most affected sectors included healthcare, financial services and professional services. Breaches are also getting more expensive: the average cost of a data breach globally rose 10% to $4.88 million in 2024 from a year earlier [2].
To address these risks, the European Union (EU) has introduced legislative measures such as the NIS 2 Directive, the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA) in recent years. These regulations aim to harmonize cybersecurity standards and ensure robust security frameworks are in place, particularly in critical sectors such as energy, transport, banking and healthcare.
European companies are responding to growing risks and regulatory requirements by increasing their cybersecurity budgets. The urgency of complying with newly introduced measures such as DORA, which came into effect in January, is leading to enhanced cybersecurity measures such as adopting security AI and automation, which can significantly reduce breach costs and improve response times.
Despite these efforts, only 26% of Europe's top companies have achieved a high cybersecurity rating, indicating that there is still considerable room for improvement. The energy sector in particular has been identified as having low security ratings, with many companies receiving a C rating or below [3].
So how can companies ensure they are getting enough bang for their buck while allocating cybersecurity budgets? That is where ROSI comes in.
Calculating ROSI
ROSI is a crucial tool for assessing the effectiveness of cybersecurity investments. Unlike traditional ROI, which focuses on profits, ROSI measures how much an investment in security can reduce potential losses caused by cybersecurity incidents. In practice, it helps compare the cost of security solutions with the benefits gained from risk reduction.
ROSI can be calculated using various approaches, many of which were developed by academics and vendors. However, all of them define ROSI as a value derived from financial benefits relative to costs. Several approaches use concepts such as Annualized Loss Expectancy and Annualized Rate of Occurrence as part of the calculation.
It is essential that ROSI be evaluated by companies independent of technology vendors. These companies offer specialized tools and support to calculate ROSI accurately, providing detailed analysis and consulting. Independence ensures objective evaluations, ensuring that cybersecurity investments meet the organization’s needs and effectively protect business assets.
After initial support from experts, businesses can integrate ROSI calculation into their annual activities. This makes it a regular practice in strategic planning and budgeting processes, ensuring that, over the years, security investment decisions are based on up-to-date and relevant data.
Investor Perspective on ROSI
A focus on ROSI resonates with the broader investment community and particularly within private equity (PE), where capital allocation decisions are traditionally guided by Multiple of Money (MoM), a measure of how much return is generated for every dollar invested.
However, an equally important yet often overlooked factor is the cost of inaction (the potential financial loss from failing to invest in critical areas such as cybersecurity). For PE investors, cybersecurity risk mitigation is an increasingly critical component of portfolio value protection. Rather than treating security investments as a mere expense, firms should embed them into their financial strategy, recognizing their role in preserving operational resilience and long-term returns. Waiting for a cyber incident with significant business impact to drive this mindset shift can be a costly mistake. Proactive action is essential to safeguarding asset value and maintaining investor confidence.
What drives ROSI usage?
Articles in industry journals [4] have made the concept of ROSI more visible, drawing the attention of security professionals. International cybersecurity associations have asked their member companies why they calculate ROSI. Here are the responses:

Improving ROSI calculation
One way to improve the calculation of ROSI is to adopt an approach based on assessing the exposure to risk of the company's business assets. This refers to key resources of a company that contribute to its value and operations, such as data, IT infrastructure and intellectual property.
By evaluating how these assets are exposed to cyber risks, companies can obtain a more accurate estimate of the potential financial impact of security incidents. This approach also facilitates discussion at the Board level, where it is crucial to understand how cybersecurity protects the overall value of the company. In this context, ROSI becomes a strategic tool to demonstrate how investments in security contribute to the protection and growth of the business.
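As an added worked example, not taken from the article or from A&M, the Python below applies the commonly cited ALE-based formulation of ROSI, ROSI = (ALE x mitigation ratio - cost of control) / cost of control, across the kind of per-asset exposure assessment described above. It assumes that formulation, and every asset, loss figure, occurrence rate and mitigation ratio in it is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AssetExposure:
    # A business asset and its exposure to loss; every figure here is constructed.
    name: str
    sle: float  # Single Loss Expectancy: cost of one incident against this asset
    aro: float  # Annualized Rate of Occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro  # Annualized Loss Expectancy = SLE x ARO

@dataclass(frozen=True)
class Control:
    # A candidate security investment and the share of each asset's ALE it removes.
    name: str
    annual_cost: float
    mitigation: dict  # asset name -> fraction of that asset's ALE eliminated (0..1)

def risk_reduction(assets, control) -> float:
    # Annual loss avoided: each covered asset's ALE times its mitigation ratio.
    for ratio in control.mitigation.values():
        if not 0.0 <= ratio <= 1.0:
            raise ValueError(f"mitigation ratio out of range: {ratio}")
    return sum(a.ale * control.mitigation.get(a.name, 0.0) for a in assets)

def rosi(assets, control) -> float:
    # ROSI = (risk reduction - cost) / cost; below zero the control costs more than it saves.
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    return (risk_reduction(assets, control) - control.annual_cost) / control.annual_cost

def rank_controls(assets, controls) -> list:
    # Order candidate investments by ROSI, highest first, for budget discussions.
    return sorted(controls, key=lambda c: rosi(assets, c), reverse=True)

# Constructed sample portfolio: three assets, two candidate investments.
ASSETS = [
    AssetExposure("customer_db", sle=400_000, aro=0.25),      # ALE 100,000
    AssetExposure("erp", sle=250_000, aro=0.20),              # ALE  50,000
    AssetExposure("ip_repository", sle=1_000_000, aro=0.05),  # ALE  50,000
]
CONTROLS = [
    Control("mfa_rollout", 25_000, {"customer_db": 0.6, "erp": 0.5}),
    Control("dlp_platform", 80_000, {"ip_repository": 0.9, "customer_db": 0.2}),
]
if __name__ == "__main__":
    for c in rank_controls(ASSETS, CONTROLS):
        print(f"{c.name:13} avoids {risk_reduction(ASSETS, c):>9,.0f}/yr  ROSI {rosi(ASSETS, c):+.2f}")
```

A negative ROSI, as for the second sample control, flags an investment that removes less expected annual loss than it costs; that comparison, per asset and per control, is what the Board-level discussion above turns on.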
Conclusion
Today, cybersecurity is not just an operational necessity but a key factor for long-term success. Investing in cybersecurity not only protects companies from new digital threats but can also improve their resilience and capacity to innovate in the digital landscape. Companies that effectively integrate ROSI into their security strategies can gain a significant competitive advantage, while also protecting their most valuable resources. It also ensures that each investment is financially sustainable and strategically aligned with the company’s vision and business mission.
How A&M can help
The Global Cyber Risk Services (GCRS®) offered by Alvarez & Marsal are designed to assist organizations in managing their cybersecurity needs. These services focus on helping boards and management teams understand their organization's cyber risk, develop and implement cyber resilience strategies and prepare for incident response. The approach is grounded in regulatory and industry frameworks, providing prioritized findings, recommendations and a roadmap for addressing gaps. The services include cybersecurity breach response, forensic investigations, gap remediation and program development, among others. A&M's team of cybersecurity experts uses advanced methodologies and tools to identify vulnerabilities and improve overall cyber resilience.
[1] Data Breaches and Cyber Attacks – Europe 2024 Report, IT Governance Blog
[2] Global average cost of a data breach 2024, Statista
[3] https://securityscorecard.com/research/europes-top-100-companies-cybersecurity-threat-report/
[4] https://www.securityforum.org/