A New Way to Think About Security ROI

TL;DR
“Security Per Dollar” is a concept we came across via Ross Haleliuk, and it’s got us thinking. It’s not just about how much you’re spending on security, but how much validated risk you’re actually reducing. In this post, we walk through how we’re starting to explore that idea: using breach loss exposure to connect risk reduction to budget, and maybe giving security teams (and their boards) a better way to measure what’s working.
_____________________________________________
Security budgets aren’t going up. Threats are. And the board still wants answers.
We’ve been thinking about how to explain value in security without defaulting to vague terms. We weren't having much success until we came across a LinkedIn post by Ross Haleliuk, who framed a concept we hadn’t really put a name to before: Security Per Dollar.
We’re still kicking it around, but it clicked for us, not as a perfect formula, but as a much better way to think about security ROI. Less about how many tools you have, more about how the tools are working and what’s actually being prevented. So this post is us exploring the idea in real terms, testing a way to calculate it, and thinking about what it might unlock for security leaders trying to tie outcomes to spend.

I may not be interpreting it exactly as he intended, but to us this isn't about spending for spending's sake: Security Per Dollar is about validated risk reduction per dollar invested. With flat budgets and rising expectations, Ross is right that it’s a smarter, sharper way to measure effectiveness.
It starts by understanding your breach loss exposure: the estimated financial impact if a breach were to occur, based on your current vulnerabilities, controls, and environment. The reduction in that figure after a change is what we use as a proxy for “Validated Risk Reduction.” From there, you can connect that reduction to the dollars you're spending to achieve it.
Why Security Per Dollar Matters
Security Per Dollar forces a new mindset. Instead of justifying spending based on coverage, it shifts the conversation to outcomes:
- Are we reducing exploitable risk?
- Are our tools working together or working against each other?
- Are we getting full value from our controls, people, and processes?
If the answer is no, then you’re not getting the security you're paying for.
An Example Working Formula:
Security Per Dollar = Validated Risk Reduction (measured as the reduction in Breach Loss Exposure) / Total Cost of Security Operations
Let’s say you're the CISO at a mid-size enterprise. You’ve spent the last year investing in detection tools, endpoint protection, vulnerability management, and staff. Now, leadership wants to understand ROI.
Using AI-Powered Defense Optimization, you simulate attack paths, validate tool effectiveness, and generate real data:
- High-risk exploitable paths reduced from 120 to 45
- % of tools with validated controls improved from 40% to 85%
- Risk exposure (FAIR-calculated potential loss) drops from $10M to $3M
That’s a $7M validated risk reduction (Breach Loss Exposure). Your annual cost of security operations? $6.5M.
Security Per Dollar = $7M / $6.5M = 1.08
"For every $1 we spent on security, we reduced validated risk by $1.08."
That’s positive ROI. But this number is just the beginning.
Some tools delivered 3x the value per dollar. Others provided no measurable impact. Per-tool ratios depend on how you attribute the overall reduction when several controls cover the same attack paths, so treat them as a ranking aid rather than precise accounting. Using AI, you can optimize the performance of your existing security tools and ultimately raise their Security Per Dollar ratio.
First, let’s look at how we calculated “Breach Loss Exposure,” which admittedly is not an exact science:
Example Breach Loss Exposure Estimation
Step 1: Inventory Critical Assets

Step 2: Estimate Likelihood of Exploitation
Based on threat intel, vulnerability exposure, and control gaps.

Step 3: Estimate Breach Impact

Step 4: Calculate Breach Loss Exposure
Breach Loss Exposure = Likelihood × Impact = 10% × $5,000,000 = $500,000 (Annualized Expected Loss)
Clarification: we quote total potential loss ($5M) when framing Security Per Dollar, because that is the figure boards and finance teams evaluate, and we keep the annualized expected loss ($500K) for forecasting and insurance modeling. The two answer different questions: what is at stake, versus what you expect to lose in a typical year.
Or for Security Per Dollar framing:
We’re currently exposed to a potential $5M loss based on the current risk profile of these 50 assets.
Example calculation of “Security Per Dollar” using AI Defense Optimization
Step 1: Total Cost of Security Operations
You gather the annual security spend, including:

Step 2: Validated Risk Reduction
You use AI to simulate attack paths, validate tool effectiveness, and generate real data:

You conservatively estimate Validated Risk Reduction = $7M
(based on reduced exploitable risk and avoided loss exposure)
Step 3: Apply the Formula
Security Per Dollar = $7,000,000 (validated risk reduction) ÷ $6,500,000 (total cost) = 1.08
Break down by control, tool, and policy, showing:
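To make the two formulas concrete, here is an added worked example (our own illustration, not code from the post or from any product it mentions). It models a few constructed assets and controls with hypothetical names and dollar figures, computes breach loss exposure as likelihood × impact before and after the controls, derives the programme-level Security Per Dollar, and then breaks the ratio down per control by removing each one in turn. The per-control step goes beyond the post's single figure: it shows why marginal attributions for overlapping controls add up to less than the programme total, and why a tool with no validated coverage scores zero. The multiplicative likelihood-reduction model and every number in it are assumptions.

```python
"""Security Per Dollar worked example on constructed data (not the post's figures).

Model assumptions (ours, not the post's):
  * each asset has an impact (loss if breached) and an annual likelihood of
    exploitation with no controls in place;
  * each control multiplies that likelihood by a residual factor on the assets it
    was validated against (0.5 halves it; an asset it does not cover keeps 1.0);
  * breach loss exposure is sum(likelihood x impact), the post's Step 4 quantity;
  * validated risk reduction for a control is exposure without it minus exposure
    with it (leave-one-out), which is what a per-tool breakdown needs.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    impact: float           # dollars lost if this asset is breached
    base_likelihood: float  # annual probability of exploitation, no controls


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # licence, people and ingest, dollars per year
    residual: dict = field(default_factory=dict)  # asset name -> residual factor


def residual_likelihood(asset, controls):
    """Likelihood of exploitation for one asset with the given controls active."""
    p = asset.base_likelihood
    for c in controls:
        p *= c.residual.get(asset.name, 1.0)
    return p


def potential_loss(assets):
    """Board framing: everything at stake. Does not move when a control is added."""
    return sum(a.impact for a in assets)


def expected_loss(assets, controls):
    """Breach loss exposure: annualised likelihood x impact, summed over assets."""
    return sum(residual_likelihood(a, controls) * a.impact for a in assets)


def security_per_dollar(risk_reduction, total_cost):
    """The post's ratio: validated risk reduction / total cost of security operations."""
    if total_cost <= 0:
        raise ValueError("total cost must be positive")
    return risk_reduction / total_cost


def programme_spd(assets, controls):
    """Programme-level ratio: exposure with no controls minus exposure with all of them."""
    reduction = expected_loss(assets, []) - expected_loss(assets, controls)
    return security_per_dollar(reduction, sum(c.annual_cost for c in controls))


def per_control_breakdown(assets, controls):
    """Leave-one-out attribution: how much exposure returns if this control is removed.

    Overlapping controls share credit, so these marginal reductions sum to less than
    the programme total; a control that covers no exploitable path scores zero.
    """
    with_all = expected_loss(assets, controls)
    rows = []
    for c in controls:
        others = [o for o in controls if o is not c]
        reduction = expected_loss(assets, others) - with_all
        rows.append({"control": c.name, "reduction": reduction, "cost": c.annual_cost,
                     "spd": security_per_dollar(reduction, c.annual_cost)})
    return sorted(rows, key=lambda r: r["spd"], reverse=True)


# Constructed environment with hypothetical names and dollar figures.
ASSETS = [
    Asset("crm-db", impact=5_000_000, base_likelihood=0.20),
    Asset("payroll", impact=2_000_000, base_likelihood=0.10),
    Asset("web-portal", impact=1_000_000, base_likelihood=0.50),
]
CONTROLS = [
    Control("edr", 900_000, {"crm-db": 0.5, "payroll": 0.5}),
    Control("vuln-mgmt", 400_000, {"crm-db": 0.8, "web-portal": 0.4}),
    Control("legacy-av", 150_000, {}),  # deployed, but on no validated attack path
]

if __name__ == "__main__":
    print(f"potential loss (at stake): ${potential_loss(ASSETS):,.0f}")
    print(f"exposure, no controls:     ${expected_loss(ASSETS, []):,.0f}")
    print(f"exposure, all controls:    ${expected_loss(ASSETS, CONTROLS):,.0f}")
    print(f"programme Security Per Dollar: {programme_spd(ASSETS, CONTROLS):.2f}")
    for r in per_control_breakdown(ASSETS, CONTROLS):
        print(f"  {r['control']:<10} reduction ${r['reduction']:>10,.0f}"
              f"  cost ${r['cost']:>9,.0f}  SPD {r['spd']:.2f}")
```

On this constructed data the potential loss stays at $8M whatever you deploy, while the likelihood-weighted exposure falls from $1.7M to $0.7M for $1.45M of spend, a programme ratio of about 0.69. The per-control view ranks vuln-mgmt at 1.0, edr at about 0.56 and legacy-av at 0, and the three marginal reductions total $900K, not the $1M the programme achieved, because edr and vuln-mgmt both act on crm-db. Plugging the post's own $7M and $6.5M into `security_per_dollar` gives its 1.08.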

What is AI-Powered Defense Optimization?
It was built around this idea: help security teams maximize the ROI of their existing security infrastructure.
- Connects Your Entire Stack
  - Plugs into 150+ security tools via API.
  - Ingests telemetry, findings, configurations, identities, and policies.
  - Normalizes and maps them into a unified security mesh.
- Creates a Living Digital Twin
  - Builds a dynamic, context-rich model of your environment.
  - Understands how assets connect, how controls interact, and where true risk lives.
- Continuously Simulates and Validates
  - Runs real-world attack simulations in real time.
  - Sees which paths are actually exploitable and which controls are working.
- Automates the Fixes That Matter
  - Fine-tunes SIEM rules.
  - Flags misconfigurations.
  - Suggests and enforces policy changes.
  - Surfaces only actionable alerts that reduce risk.
- Optimizes Logging and Reduces Waste
  - Logs only what is relevant to active vulnerabilities and threats.
  - Matches SIEM rules to real-world threat behavior.
  - Filters out noise, amplifies signal, and reduces unnecessary spending on ingest.
No more guessing. Just measurable, risk-adjusted outcomes, all with the stack you already have. That’s real ROI.
Will "Security Per Dollar" Stick?
We’re not claiming this is the answer, just trying to get closer to a better one.
“Security Per Dollar” won’t solve every reporting headache, but it seems to be a useful lens. It forces us to think beyond dashboards and detections and ask: Are we actually safer? What did we get for what we spent?
For us, this concept has already sparked some internal discussions around how to measure validated risk reduction, how to surface the tools that are actually working, and how to justify decisions when the budget conversation comes around.
We’re going to keep experimenting with this framework, refining how we calculate breach loss exposure, and figuring out where it can help security teams make faster, more informed decisions.