TL;DR: Cybersecurity spending reached $193 billion in 2024 and is projected to hit $240 billion in 2026, while breach costs and incident impact continue to rise, according to Gartner, IDC, and IBM. The industry’s measurement model is failing because it tracks activity and prevention promises, not resilience and expected loss reduction.
NHIMG editorial — based on content published by Illumio: More Spend, More Breaches: The Uncomfortable Truth About Cybersecurity ROI
By the numbers:
- worldwide information security spending reached $193 billion in 2024.
- It’s projected to hit $240 billion in 2026.
- IDC projects global security spending will reach $377 billion by 2028.
Questions worth separating out
Q: How should security teams measure cybersecurity ROI in a way boards will trust?
A: Use outcome-based measures that connect security controls to reduced loss.
Q: Why do identity controls matter to cybersecurity ROI?
A: Identity controls determine how far an attacker can move after the first compromise.
Q: What do security teams get wrong about tool proliferation?
A: They often assume more tools equal better protection.
Practitioner guidance
- Replace activity dashboards with outcome metrics Track containment time, business downtime, recovery cost, and expected loss reduction alongside standard security operations metrics.
- Quantify blast radius for identity-controlled access paths Measure how far an attacker could move if a privileged account, service account, or token were compromised.
- Rationalise overlapping tools and ownership gaps Map which platforms own authentication, privileged access, secrets, logging, and response before approving additional tooling.
What's in the full article
Illumio's full article covers the operational detail this post intentionally leaves for the source:
- How the expected loss reduction model is built for board reporting and budget justification
- The incident-cost framework used to translate downtime, recovery, and regulatory exposure into finance terms
- Examples of how segmentation and containment assumptions change the business case for cyber investment
- The podcast context behind the argument, including the specific leadership discussion that shaped the article
👉 Read Illumio's analysis of cybersecurity ROI and breach outcomes →
Cybersecurity ROI and breach costs: what boards are missing?
Explore further
Cybersecurity ROI is being mismeasured because organisations still reward activity instead of resilience. Tool counts, patch counts, and training counts can all improve while business exposure remains unchanged. The article is right to push the conversation toward outcomes, but the deeper issue is that many governance models still lack a credible loss-based yardstick. Practitioners should treat outcome measurement as a control objective, not a reporting preference.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting partial visibility.
A question worth separating out:
Q: Who is accountable when cybersecurity investment does not reduce breach impact?
A: Accountability sits with the security leadership team and the board if reporting only tracks activity instead of risk reduction. Governance frameworks expect leaders to demonstrate that controls are effective, not merely deployed. If spending rises while expected loss stays flat, the reporting model and the control strategy both need review.
👉 Read our full editorial: Cybersecurity ROI is broken as spend rises and breaches worsen