We’re Spending More on Security – So Why Does it Still Feel Broken?

More Money, More Tools…More Confusion?

Some security leaders argue that trying to prove security effectiveness is like trying to prove ROI on fire insurance. Others point to “Security Theater,” asserting that certain controls are more of a comfort blanket than real protection. As one commentator put it:

“Any chief information officer who assembled a portfolio of 130 discrete products to address a single problem would probably be accused of mismanagement. But when the problem is cybersecurity, they’re more likely to be seen as prudent.”

However you slice it, fragmented solutions come at a clear cost, financially and operationally:

  • EY estimates that only 10–20% of cybersecurity technology is actively utilized.
  • Forrester reports that enterprises waste approximately 30% of their security budgets on redundant or underused tools.
  • According to PwC’s Global Digital Trust Insights Survey 2024, 61% of CISOs say they’re under pressure to cut costs while maintaining effectiveness.
  • Gartner found that 62% of cybersecurity leaders have experienced burnout at least once; 44% have experienced it multiple times.
  • IDC reports that 50% of developers spend 19% of their weekly time on security tasks.

In this environment, auditing your existing tools helps justify investment, not just by cutting wasteful spending, but by reducing the time and effort security teams spend managing them.

Step 1: Identify Which Tools You Actually Need

Start by measuring how well each tool mitigates the real-world threats your organization faces. Identify and eliminate redundancies by comparing overlapping capabilities and performance. Now you can remove dead weight without compromising protection.

Step 2: Cut Redundant Spending Without Compromising Security

Use the data from step one to justify reallocating budget and optimizing existing investments. These insights can reduce licensing and maintenance costs while keeping your security posture intact, and help you clearly connect investment to business outcomes.

Step 3: Gain Insight Into Overall Efficiency

Map tools against your threat context to reveal coverage gaps and performance weak spots. For maximum impact, focus on high-value security activities that align closely with business risk.

From Waste to Risk: How Too Many Tools Lead to Security Debt

Identifying redundant or underutilized tools is just the start. Often, these underperforming assets create hidden vulnerabilities (cybersecurity debt) that quietly accumulate until a crisis forces you to pay up.

When teams rely on tools they don’t fully understand, configure, or maintain, they create blind spots that compound over time. Understanding how tool inefficiencies contribute to security debt makes the case for proactive tool management, not only to reduce spend, but to reduce long-term risk.

Getting Out of Debt

“How did you go bankrupt?” Bill asked. “Two ways,” Mike said. “Gradually and then suddenly.” “What brought it on?” “Tools,” said Mike. “I had a lot of tools.”

Ernest Hemingway wasn’t talking about security debt in The Sun Also Rises, but he could have been (maybe).

Just like financial and technical debt, security debt compounds. Every postponed update, skipped security review, “we’ll-fix-it-later” issue, or obscure tool ticking away in the background adds to the problem. It’s like unpaid loans no one’s tracking, until something breaks and the bill comes due.

Worse, the interest on this kind of debt isn’t just financial, it’s regulatory, reputational, and operational. And it’s hard to measure because its impact depends on your specific threat landscape, compliance requirements, and resource constraints.

But here’s the good news: addressing cybersecurity debt isn’t just damage control, it’s an essential step toward building a more measurable, resilient, and cost-effective security program.

Safety in Numbers: Calculating ROI to Reduce Security Debt

So how do you actually quantify the value of reducing security debt, and demonstrate that your cybersecurity program is delivering ROI?

In CISOs Investigate: Cybersecurity Debt, security expert Neda Pitt shared her approach. Here are some of the methods she described:

Return on Security Investment (ROSI)

Formula:
ROSI = (Monetary Value of Risk Reduction – Cost of Security Investment) ÷ Cost of Security Investment × 100%

The value of risk reduction is based on projected financial loss from cyber threats if no security measures were in place.

Annual Loss Expectancy (ALE)

Formula:
ALE = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO)

SLE is the estimated financial impact of a single incident; ARO is how many such incidents are expected per year. Their product is the expected annual loss from that threat.

Cost-Benefit Analysis (CBA)

Formula:
CBA = Total Benefits – Total Costs

This includes avoided losses, increased efficiencies, and reduced downtime.
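The three formulas above are easiest to reason about when applied to a concrete tool portfolio, so here is an added worked example (not code from the post or from Nagomi). It models a handful of threats with their SLE and ARO, a set of tools that each prevent some fraction of the incidents for given threats, and then computes baseline ALE, residual ALE, ROSI and CBA for the whole portfolio. It also goes one step beyond the formulas as stated: it computes the marginal ROSI of each tool while the others stay in place, which is the Step 1 redundancy check from earlier in the post. All threat names, dollar figures and mitigation fractions are constructed for illustration, and the way overlapping controls are combined (independent controls, so residual incident rate is the product of each tool's leftover fraction) is an assumption of this example, not a claim from the source.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # Single Loss Expectancy: dollars lost per incident
    aro: float  # Annual Rate of Occurrence: incidents per year with no controls

    def ale(self, residual_factor: float = 1.0) -> float:
        # ALE = SLE x ARO. residual_factor scales ARO to the incidents that
        # still get through after controls are applied (1.0 = no controls).
        return self.sle * self.aro * residual_factor


@dataclass(frozen=True)
class Tool:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's incidents this tool prevents (0..1)
    mitigation: Dict[str, float]


def baseline_ale(threats: List[Threat]) -> float:
    """Projected annual loss with no security measures in place."""
    return sum(t.ale() for t in threats)


def residual_ale(threats: List[Threat], tools: List[Tool]) -> float:
    """Annual loss remaining after the given tools. Assumption: controls act
    independently, so the leftover incident fraction is the product of each
    tool's (1 - mitigation) for that threat."""
    total = 0.0
    for threat in threats:
        factor = 1.0
        for tool in tools:
            factor *= 1.0 - tool.mitigation.get(threat.name, 0.0)
        total += threat.ale(factor)
    return total


def rosi(risk_reduction: float, cost: float) -> float:
    """ROSI = (monetary value of risk reduction - cost) / cost x 100%."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (risk_reduction - cost) / cost * 100.0


def cba(total_benefits: float, total_costs: float) -> float:
    """CBA = total benefits - total costs."""
    return total_benefits - total_costs


def portfolio_report(threats: List[Threat], tools: List[Tool]) -> Dict[str, float]:
    """Apply the three formulas to the whole tool portfolio."""
    base = baseline_ale(threats)
    resid = residual_ale(threats, tools)
    cost = sum(t.annual_cost for t in tools)
    reduction = base - resid  # monetary value of risk reduction
    return {
        "baseline_ale": base,
        "residual_ale": resid,
        "risk_reduction": reduction,
        "total_cost": cost,
        "rosi_pct": rosi(reduction, cost),
        "cba": cba(reduction, cost),
    }


def marginal_rosi(threats: List[Threat], tools: List[Tool]) -> Dict[str, float]:
    """Step 1 check: ROSI of each tool given that every other tool stays.
    A tool whose marginal ROSI is at or below zero costs more than the extra
    risk it removes, which is the signature of redundant coverage."""
    with_all = residual_ale(threats, tools)
    result = {}
    for tool in tools:
        others = [t for t in tools if t is not tool]
        marginal_reduction = residual_ale(threats, others) - with_all
        result[tool.name] = rosi(marginal_reduction, tool.annual_cost)
    return result


def redundant_tools(threats: List[Threat], tools: List[Tool], threshold_pct: float = 0.0) -> List[str]:
    """Names of tools whose marginal ROSI does not exceed the threshold."""
    return sorted(name for name, r in marginal_rosi(threats, tools).items() if r <= threshold_pct)


# Constructed sample data (illustrative only, not real figures).
THREATS = [
    Threat("phishing", sle=200_000, aro=2.0),
    Threat("ransomware", sle=1_000_000, aro=0.5),
    Threat("web_app_breach", sle=300_000, aro=1.0),
]
TOOLS = [
    Tool("email_gateway", 60_000, {"phishing": 0.7}),
    Tool("edr", 120_000, {"ransomware": 0.6, "phishing": 0.3}),
    Tool("legacy_av", 40_000, {"ransomware": 0.15}),  # overlaps with edr
    Tool("waf", 50_000, {"web_app_breach": 0.5}),
]

if __name__ == "__main__":
    for key, value in portfolio_report(THREATS, TOOLS).items():
        print(f"{key:>15}: {value:>14,.2f}")
    for name, pct in marginal_rosi(THREATS, TOOLS).items():
        print(f"marginal ROSI {name:<14} {pct:8.1f}%")
    print("redundancy candidates:", redundant_tools(THREATS, TOOLS))
```

With the constructed data the portfolio as a whole shows a healthy ROSI, yet the marginal check singles out legacy_av: removing it raises residual ALE by less than its annual cost, so its marginal ROSI is negative even though its standalone ROSI would look fine. That is exactly the distinction Step 1 asks for, and the number it produces is what justifies the reallocation in Step 2.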

When security teams embrace these calculations, they gain the tools to connect security strategy with business value, demonstrating not just how much they’re spending, but why it matters.

Use What You Have. Secure What Matters.

For security teams, proving ROI isn’t just a reporting requirement, it’s a strategic imperative. When you can quantify risk reduction, demonstrate the effectiveness of proactive controls, and show how tool optimization contributes to business outcomes, you shift cybersecurity from a cost center to a value driver.

Nagomi automates the process of proving your security is actually working. Our platform unifies data across your assets, defenses, and threats, clearly showing that your security program is both efficient and effective. With visibility, alignment, and measurable results, you can finally do more than manage security. You can lead it.

Nagomi: The only Proactive Defense Platform that turns cybersecurity from a fragmented burden into a strategic advantage, leveraging the tools you already have.