More Spend, More Breaches: The Uncomfortable Truth About Cybersecurity ROI
Marks and Spencer projected hundreds of millions of pounds in profit last year. In year-end reporting, it made only a tiny fraction of that.
The profit evaporated because a ransomware attack took online sales offline for six weeks and disrupted logistics for months. The business bled out in real time while recovery crawled forward.
That number became a throughline when I sat down with Andrew Rubin, Illumio CEO and founder, on a recent episode of The Segment podcast. It puts a concrete, undeniable figure on something the industry has been dancing around for years: for a decade straight, organizations have spent more on cybersecurity every year.
They’ve bought more tools and allocated more budget. And the only numbers that have grown faster than the investment are the number of breaches, the size of those breaches, and the total economic cost of the destruction.
It’s the kind of pattern that should be generating hard questions in every boardroom. Yet most boards aren't asking them — at least not yet.
According to Andrew, the cybersecurity investment model is broken. Spending more on cyber has only made the breach problem more expensive.
Until security leaders are willing to admit cybersecurity’s ROI problem, the cycle will continue. The gap between security spending and outcomes keeps widening, and we need a fundamentally different model.
ROI: data the cyber industry has quietly ignored
Andrew’s a self-described believer in math and data, and the math here is clear.
According to Gartner, worldwide information security spending reached $193 billion in 2024. It’s projected to hit $240 billion in 2026. IDC projects global security spending will reach $377 billion by 2028.
At the same time, the IBM Cost of a Data Breach report has recorded year-on-year increases in average breach costs for the better part of a decade.
Cybersecurity spending is only increasing. Meanwhile, the number of reported breaches continues to climb. The economic impact of cyber incidents on the global economy is now measured in the trillions annually.
Andrew was careful to note that this doesn’t mean everything the industry is doing is wrong. Some controls work, and some investments are genuinely reducing the frequency or severity of incidents that would otherwise be worse.
But if you’re a security leader presenting to a board, and a board member runs the numbers and asks why a decade of accelerating investment hasn’t bent the breach curve, you need a better answer than “it would be worse without it.”
In 2026, with regulators, insurers, and investors paying closer attention to security outcomes than ever before, time is running out.
Why the traditional security investment model is structurally broken
Andrew identified three possible responses to the spend-versus-outcomes gap:
- Throw out the entire model and start again, which he admitted is probably an overreaction
- Add new capabilities, recognizing that what worked in the past is still necessary but no longer sufficient
- Change the model itself, retiring approaches that are no longer relevant and building new ones in their place
His view — and mine — is that the answer is probably a combination of the second and third options.
But to do either of those things intelligently, you first have to be honest about why the current model isn’t working. There are three structural problems that are rarely named directly.
Problem 1: the industry has been measuring activity instead of outcomes
For most of the last decade, security programs have been evaluated on inputs:
- How many tools are deployed
- How many alerts are generated
- How many vulnerabilities are patched
- How many training sessions have been completed
These are activity metrics. They tell you what the security function is doing, but they don’t tell you whether the organization is safer.
The reason this persists is partly inertia and partly that outcome metrics are harder to define and harder to defend.
How do you prove that a breach didn't happen because of your program, versus because attackers chose a different target? You largely can’t. So the industry defaulted to measuring what it could measure rather than what actually mattered.
The result is a generation of security leaders who are very good at showing activity and much less practiced at showing impact. And when budgets are allocated based on activity metrics, you get more activity, not necessarily better outcomes.
Problem 2: the model is built around prevention
Andrew said that the cybersecurity model for the last 50 years has been predicated on stopping threats. The implicit promise of almost every security product ever sold is some version of “deploy this, and the bad thing won't happen.”
That model made some sense when the cost of missing a breach was lower and the frequency of sophisticated attacks was manageable.
The cost of missing a breach today has increased dramatically. The M&S example is the clearest illustration available. The breach was the incident, but the months offline were the catastrophe.
A security model built around stopping everything has no plan for when something gets through. In a threat environment where breaches are statistically inevitable, a plan for resilience can’t be an afterthought.
Problem 3: tool proliferation has created complexity without coverage
The average large enterprise now runs somewhere between 50 and 100 security tools. Each of those tools was purchased to address a specific gap.
And yet the gaps keep growing.
More tools don’t equal better coverage when those tools aren’t integrated, the signals they generate can’t be correlated, and the teams operating them don’t have the capacity to act on every alert they produce.
Tool proliferation has, in many cases, created the illusion of comprehensive coverage. In reality, it’s made the security environment harder to manage.
Attackers adapted to find the seams between tools. Defenders were too busy managing tool sprawl to notice.
How to quantify security outcomes for the real world
The question Andrew gets most often from CISOs around demonstrating security value is the hardest one in the industry: how do you quantify something that didn’t happen?
You can’t point to a breach that was prevented because you can’t prove it would’ve occurred. So how do you build a credible, quantitative case for security investment?
Andrew’s answer is to stop trying to quantify prevention and start quantifying resilience. Here are actionable steps to do that.
Measure the cost of incidents instead of the absence of them
Most organizations experience some security incidents, even if none reaches breach severity. When one occurs, the data is right there:
- How long were systems down?
- What was the direct cost of recovery?
- What was the business impact of the downtime?
- What was the regulatory exposure?
These numbers are real, measurable, and can be projected forward.
If your segmentation tool reduces the blast radius of an incident by 60%, that’s a quantifiable reduction in expected loss. If your detection and response capability cuts mean containment time from 48 hours to four, that’s a quantifiable reduction in business impact. Both claims need a baseline: measure blast radius and containment time on the incidents you already handle, so the “before” number comes from your own environment rather than a vendor datasheet.
Use external benchmarks to anchor the conversation
Andrew cited M&S as exactly the kind of public, quantified example that boards understand.
When a peer organization loses hundreds of millions because it was offline for months, that’s your benchmark. Show how your architecture would’ve turned months into hours, and you’ve got a business case no board can dismiss.
Build a library of these examples. Boards respond to concrete, relatable precedents far more than to abstract risk frameworks.
Reframe the ROI conversation around expected loss reduction
The language of insurance is useful here, because boards already understand it.
Every organization carries some expected annual loss from cyber incidents: an estimate built from how often incidents are likely to occur and what each one costs on average. Security investment should be evaluated against how much it reduces that expected annual loss, relative to what the investment costs.
It’s a more defensible framing than trying to prove a negative, and it forces a conversation about which controls actually move the needle on expected loss.
Often, that conversation reveals that some of the largest line items in the security budget aren't the most effective ones.
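The expected-loss framing above, and the blast-radius and containment-time examples from the earlier section, can be turned into a small model that ranks candidate controls by how much expected loss they remove per year against what they cost. The following is an added example written for this page, not code from Illumio or from the podcast; every figure in it (incident frequency, cost per host, cost per hour of downtime, control prices and their effects) is a constructed assumption chosen to illustrate the mechanics, not measured data.

```python
"""Expected-loss model for ranking security controls.

Added example, not from the Illumio post or The Segment podcast. It
implements the framing in the text: annual expected loss = incident
frequency x cost per incident, and a control is judged by how much it
reduces that figure relative to what it costs. Every number below
(frequencies, costs per host and per hour, control prices and effects)
is a constructed assumption for illustration, not measured data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossScenario:
    """One incident class and the inputs the text says are measurable."""
    name: str
    annual_frequency: float     # expected incidents per year
    hosts_affected: float       # blast radius: hosts needing recovery
    cost_per_host: float        # direct recovery cost per affected host
    hours_down: float           # time from detection to containment
    cost_per_hour_down: float   # business impact of downtime
    regulatory_exposure: float  # expected fines/legal cost per incident

    def single_loss(self) -> float:
        """Cost of one incident: recovery + downtime + regulatory."""
        return (self.hosts_affected * self.cost_per_host
                + self.hours_down * self.cost_per_hour_down
                + self.regulatory_exposure)

    def annual_expected_loss(self) -> float:
        """Annualized loss expectancy: frequency x single-incident loss."""
        return self.annual_frequency * self.single_loss()


@dataclass(frozen=True)
class Control:
    """A candidate investment expressed as multipliers on the scenario.

    A factor of 0.4 on blast radius means "reduces blast radius by 60%";
    a factor of 1.0 leaves that input unchanged.
    """
    name: str
    annual_cost: float
    frequency_factor: float = 1.0
    blast_radius_factor: float = 1.0
    downtime_factor: float = 1.0
    regulatory_factor: float = 1.0

    def apply(self, s: LossScenario) -> LossScenario:
        return replace(
            s,
            annual_frequency=s.annual_frequency * self.frequency_factor,
            hosts_affected=s.hosts_affected * self.blast_radius_factor,
            hours_down=s.hours_down * self.downtime_factor,
            regulatory_exposure=s.regulatory_exposure * self.regulatory_factor,
        )


def evaluate(baseline: LossScenario, control: Control) -> dict:
    """Expected-loss reduction, net benefit and ROSI for one control."""
    after = control.apply(baseline)
    reduction = baseline.annual_expected_loss() - after.annual_expected_loss()
    net = reduction - control.annual_cost
    return {
        "control": control.name,
        "annual_cost": control.annual_cost,
        "loss_reduction": reduction,
        "net_benefit": net,
        "rosi": net / control.annual_cost,  # return on security investment
    }


def rank_controls(baseline: LossScenario, controls: list) -> list:
    """Rank controls by net expected-loss reduction, best first."""
    results = [evaluate(baseline, c) for c in controls]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


# Constructed baseline: a ransomware-class incident expected every two
# years, hitting 1,000 hosts and taking 48 hours to contain.
BASELINE = LossScenario(
    name="ransomware",
    annual_frequency=0.5,
    hosts_affected=1_000,
    cost_per_host=1_000,
    hours_down=48,
    cost_per_hour_down=20_000,
    regulatory_exposure=400_000,
)

# Constructed controls. The segmentation and detection effects mirror the
# text's 60% blast-radius and 48h-to-4h containment examples; the third is
# the expensive line item that barely moves the number.
CONTROLS = [
    Control("Segmentation", annual_cost=200_000, blast_radius_factor=0.4),
    Control("Detection and response", annual_cost=300_000,
            downtime_factor=4 / 48),
    Control("Additional prevention platform", annual_cost=600_000,
            frequency_factor=0.9),
]


def main() -> None:
    print(f"Baseline annual expected loss: {BASELINE.annual_expected_loss():,.0f}")
    for r in rank_controls(BASELINE, CONTROLS):
        print(f"{r['control']:<32} cost {r['annual_cost']:>9,.0f}  "
              f"loss reduction {r['loss_reduction']:>9,.0f}  "
              f"net {r['net_benefit']:>10,.0f}  ROSI {r['rosi']:>6.2f}")


if __name__ == "__main__":
    main()
```

With these assumed inputs the most expensive control (a further prevention platform that trims incident frequency by 10%) comes out with negative net benefit, while the two cheaper resilience controls each pay for themselves. The point is the shape of the conversation, not the specific numbers: once a board sees expected loss before and after each line item, the question shifts from "how many tools do we have" to "which of these actually moves the loss figure".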
The clock is running out on the old model
A decade of increasing spend has produced a decade of worsening outcomes.
At some point, the people funding security programs are going to ask whether the model itself is the problem. And that moment’s arriving faster than most security leaders are prepared for.
CISOs who want to lead through this moment, rather than be led through it, need to do three things:
- Be honest about what the current model can and can’t deliver.
- Shift the measurement framework from activity to outcomes and from prevention metrics to resilience metrics.
- Rebuild the board conversation around expected loss reduction and demonstrable resilience, not tool counts and vulnerability closure rates.
None of that’s easy, but it’s a lot easier than explaining, after the fact, why the model failed.
Companies should expect their M&S moment at any time. The CISOs who already changed the conversation around security will be leading the response when it arrives.
Listen to the full episode of The Segment: A Zero Trust Leadership Podcast on Apple Podcasts, Spotify, or our website.