TL;DR: Cybersecurity spending reached $193 billion in 2024 and is projected to hit $240 billion in 2026, while breach costs and incident impact continue to rise, according to Gartner, IDC, and IBM. The industry’s measurement model is failing because it tracks activity and prevention promises, not resilience and expected loss reduction.
At a glance
What this is: This analysis argues that cybersecurity ROI is being judged by the wrong metrics, with rising spend failing to bend the breach curve.
Why it matters: For IAM, NHI, PAM, and broader security teams, the lesson is that controls must be measured by blast-radius reduction, containment speed, and loss avoided, not by tool counts or activity alone.
By the numbers:
- worldwide information security spending reached $193 billion in 2024.
- It’s projected to hit $240 billion in 2026.
- IDC projects global security spending will reach $377 billion by 2028.
👉 Read Illumio's analysis of cybersecurity ROI and breach outcomes
Context
Cybersecurity programs are often judged by the volume of tools, alerts, and remediation activity they produce, even when those measures do not show whether loss is actually being reduced. The primary keyword here is cybersecurity ROI, and the article’s central claim is that the industry has optimized for inputs while the cost of breaches keeps rising.
That matters to identity practitioners because access control, privilege management, and secrets governance are only defensible when they reduce real-world blast radius and recovery cost. In environments with NHIs, service accounts, and delegated access, the question is no longer how much security activity exists, but whether it changes the outcome when an attacker gets in.
Key questions
Q: How should security teams measure cybersecurity ROI in a way boards will trust?
A: Use outcome-based measures that connect security controls to reduced loss. The most defensible metrics are containment time, downtime avoided, recovery cost, and expected annual loss reduction. Activity counts are still useful operationally, but they should not be the basis for investment decisions because they do not show whether the organisation is actually safer.
Q: Why do identity controls matter to cybersecurity ROI?
A: Identity controls determine how far an attacker can move after the first compromise. Least privilege, privileged access management, and secrets governance reduce blast radius, which lowers downtime and recovery cost. In ROI terms, identity is not just an access layer. It is a loss-containment layer, especially when NHIs and service accounts are involved.
Q: What do security teams get wrong about tool proliferation?
A: They often assume more tools equal better protection. In practice, overlapping platforms can create fragmented telemetry, delayed response, and control gaps between teams. If the environment cannot correlate identity, access, and incident data quickly, attackers exploit the seams. The right question is whether each tool measurably improves containment, not whether it adds coverage on paper.
Q: Who is accountable when cybersecurity investment does not reduce breach impact?
A: Accountability sits with the security leadership team and the board if reporting only tracks activity instead of risk reduction. Governance frameworks expect leaders to demonstrate that controls are effective, not merely deployed. If spending rises while expected loss stays flat, the reporting model and the control strategy both need review.
Technical breakdown
Why activity metrics fail to prove cybersecurity ROI
Security programs often report on what is easiest to count, such as tools deployed, alerts generated, vulnerabilities patched, and training completed. Those figures describe operational output, but they do not establish whether the organisation is safer or losses are lower. The problem is structural: prevention outcomes are hard to prove because you cannot observe the breach that did not happen. That pushes boards and leaders toward proxy measures that can hide stagnation. Practical implication: replace activity dashboards with outcome metrics tied to containment time, expected loss, and business impact.
Practical implication: Measure control value by reduced loss and faster containment, not by activity volume.
How resilience changes the cybersecurity ROI model
A resilience model accepts that some attacks will succeed and focuses on reducing the damage they can do. This shifts the investment question from absolute prevention to blast-radius control, recovery speed, and expected annual loss reduction. That framing is especially relevant where identity controls govern reach, such as privileged access, service accounts, and secrets. In those environments, one compromised credential should not be able to turn a local incident into an enterprise outage. Practical implication: quantify how specific controls shorten dwell time, limit propagation, and cut downtime.
Practical implication: Use loss reduction and containment performance as the investment case for identity and security controls.
Why tool proliferation weakens coverage and confidence
Enterprises now run dozens of security tools, often purchased to close distinct gaps. In practice, more tools can create more complexity if signals are fragmented, workflows are disconnected, and teams cannot act at speed. Attackers exploit the seams between platforms and the blind spots created by integration debt. For IAM and NHI governance, this matters because fragmented ownership often leaves privileged access, tokens, and service accounts outside a clear control boundary. Practical implication: map control ownership and telemetry paths before buying more tooling.
Practical implication: Reduce control fragmentation before adding another point solution.
Threat narrative
Attacker objective: The attacker aims to turn a single compromise into measurable business disruption by increasing downtime, recovery cost, and organisational loss.
- Entry occurs when an attacker reaches the environment through a breach path that existing prevention controls did not stop, such as compromised credentials or a successful intrusion.
- Escalation follows when the attacker uses fragmented controls and weak segmentation to move beyond the initial foothold and expand access.
- Impact emerges when the attacker can disrupt operations, extend downtime, or increase recovery cost because containment and resilience controls were insufficient.
Breaches seen in the wild
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Cybersecurity ROI is being mismeasured because organisations still reward activity instead of resilience. Tool counts, patch counts, and training counts can all improve while business exposure remains unchanged. The article is right to push the conversation toward outcomes, but the deeper issue is that many governance models still lack a credible loss-based yardstick. Practitioners should treat outcome measurement as a control objective, not a reporting preference.
Blast-radius control is the more honest security metric for modern identity programmes. In IAM, PAM, and NHI governance, the question is not whether access can be perfectly prevented, but whether compromise can be contained before it becomes enterprise-wide impact. That makes segmentation, least privilege, and access scoping measurable in terms of business continuity, not abstract compliance. Practitioners should reframe identity investment around containment performance.
Tool proliferation creates security debt when identity signals cannot be correlated fast enough to matter. Many environments have separate controls for authentication, privileged access, secrets, logging, and response, but no unified operational view. That fragmentation is where attackers hide, especially when NHIs and service accounts fall between teams. Detection-response latency: the delay between compromise and meaningful containment is now a board-level risk, not just an operational nuisance. Practitioners should reduce telemetry gaps across identity and security stacks.
This argument also exposes a governance gap in board reporting. Boards are often shown spend, coverage, and activity, but not the expected loss avoided by specific controls. That weakens accountability for identity-led risk reduction and makes it hard to prioritise high-value controls over visible but low-impact work. Practitioners should build reporting that ties identity and security investments to expected annual loss reduction.
For NHIs, the ROI problem is sharper because machine access scales faster than human oversight. Service accounts, tokens, API keys, and workload identities can spread privilege across many systems without the visibility boards assume exists. That makes standing access and stale credentials especially expensive when breaches occur. Practitioners should make NHI containment a first-class resilience metric.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting partial visibility.
- For a broader governance lens: Review Top 10 NHI Issues to connect identity visibility gaps to the control failures that drive avoidable business loss.
What this signals
Cybersecurity ROI will keep deteriorating as long as programmes are measured by throughput instead of containment. For identity teams, that means the real budget conversation is shifting toward how quickly access can be narrowed, evidence can be correlated, and loss can be stopped once compromise occurs. The organisations that can show measurable blast-radius reduction will be better positioned to defend spend.
Detection-response latency is becoming the practical metric that links identity, SOC, and resilience work. When privileged access, secrets, and workload identities are visible end to end, leaders can argue for controls that shorten the time between compromise and containment. That is where board-level trust is won, because it connects security operations to operational continuity.
Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security, which is why NHI governance now has to be treated as a resilience issue, not a niche identity problem. The programmes that can prove access reduction, rotation discipline, and ownership clarity will be the ones that can show measurable value when the next incident hits.
For practitioners
- Replace activity dashboards with outcome metrics Track containment time, business downtime, recovery cost, and expected loss reduction alongside standard security operations metrics. Use those figures in board reporting so the security programme is judged on impact, not just effort.
- Quantify blast radius for identity-controlled access paths Measure how far an attacker could move if a privileged account, service account, or token were compromised. Use segmentation tests and access path reviews to show whether identity controls actually limit propagation.
- Rationalise overlapping tools and ownership gaps Map which platforms own authentication, privileged access, secrets, logging, and response before approving additional tooling. If identity telemetry is fragmented, close the integration gap first because that is where loss compounds.
- Anchor budget requests to expected loss reduction Frame each control purchase as a reduction in probable business loss, not as a generic security enhancement. That lets finance, risk, and security teams compare competing investments using the same metric.
Key takeaways
- Cybersecurity ROI is weakening because most programmes still measure activity more easily than they measure loss avoided.
- Identity controls matter to ROI because they determine whether a compromise becomes a local incident or a broad operational outage.
- Boards need reporting that links security spend to containment speed, blast-radius reduction, and expected annual loss reduction.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.IP-4 | The article focuses on outcome-driven protection and resilience measurement. |
| NIST SP 800-53 Rev 5 | AU-6 | The post argues for evidence-based reporting rather than activity counts. |
| CIS Controls v8 | CIS-8 , Audit Log Management | Log correlation and actionable telemetry are central to the tool sprawl problem. |
| ISO/IEC 27001:2022 | A.5.29 | The discussion centres on resilience, business continuity, and recovery from incidents. |
Use audit review and analysis to show whether controls reduced loss and containment time.
Key terms
- Cybersecurity ROI: The return an organisation gets from security spending, measured by reduced loss, faster recovery, or lower operational disruption. In practice, it should be judged by outcomes, not by how many tools were bought or how many tasks were completed.
- Blast Radius: The amount of damage an attacker can cause after gaining a foothold. In identity-heavy environments, blast radius is shaped by privilege scope, segmentation, and the reach of credentials, tokens, and service accounts across systems.
- Expected Annual Loss: A financial estimate of likely cyber loss over a year, based on probability, frequency, and average incident cost. It is useful because it turns security decisions into comparable business outcomes instead of abstract risk statements.
- Detection-response latency: The time between compromise and effective containment. Shorter latency usually means lower business impact because attackers have less time to move, exfiltrate, or disrupt systems before controls begin to work.
What's in the full article
Illumio's full article covers the operational detail this post intentionally leaves for the source:
- How the expected loss reduction model is built for board reporting and budget justification
- The incident-cost framework used to translate downtime, recovery, and regulatory exposure into finance terms
- Examples of how segmentation and containment assumptions change the business case for cyber investment
- The podcast context behind the argument, including the specific leadership discussion that shaped the article
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and access lifecycle control. It is designed for practitioners who need to connect identity decisions to measurable security outcomes.
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org