Beyond the Cost Center Fallacy
By Vesko Pehlivanov
What is cybersecurity in a business sense? Is it a cost center or is it a revenue generator? As tired as this question is, many executives still try to put security into one of those two buckets. But whichever side you choose, both options fundamentally misframe the role of cyber and create a false dichotomy between security investments and business growth. Why?
In business, there are three levers to grow: revenue, cost, and risk. With this in mind, the goal is straightforward—increase revenue, reduce costs, and maintain risk within acceptable parameters. However, in practice, security doesn’t necessarily fit into all of these neatly.
The Primary Function of Security
It is notoriously hard for cybersecurity to “prove” its value. Every day without incident is a win, but all of us know that this is not as easy as it sounds. To an outsider who doesn’t know all of the moving parts, it is very tempting to think, “No incidents? Great, then let’s reduce the budget. It looks like sunny skies and smooth sailing from here.” And once you go down that slippery slope, too many things go wrong.
If it isn’t a cost center, then can it be a revenue generator? It rarely is, but it can be, especially if you’re a security vendor who can bill for products or features. However, going too far down that route will burn goodwill within the industry and might land you on a “most wanted” list like the SSO Wall of Shame.
Ultimately, security’s primary function is risk management for the business. Every business understands risk, explicitly or implicitly, since executives have to make risk-based decisions on a daily basis. As a risk management function, security should be treated separately from revenue generation and cost centers—defined by its own value. It needs to be treated as a set of value-driven business services.
Transforming into a Service Mindset
Why services? Services are defined by the value perceived by their customers, not by the practitioner. For example, while I may be fine with a buzz cut, my wife most definitely would not and would never let a pair of clippers get anywhere near her hair. So taking it back to security, as an industry we need to adopt the same mindset and deliver the outcomes expected by our internal and external customers. But to do that, we need clearly defined metrics that can demonstrate that those outcomes are achieved.
Measuring Service Effectiveness
There are four key properties of services that need to be measured on an ongoing basis:
- Effectiveness
- Quality
- Efficiency
- Risk
Let’s borrow from my previous example for some context. In terms of a service, I have certain expectations for what I’m paying for and the results I expect to see. If I were to get a haircut, I would expect my hair to be shorter than when I came in. However, even though my barber was “effective” in achieving that, there’s more that matters. Was it of good quality? Sure, completely shaving my head would fit the criteria for “shorter hair,” but it’s definitely not the service I was expecting!
Additionally, even if my barber gave me the exact cut I wanted, what about the cost to value? Would the best buzz cut in the world warrant a price tag of $100? Maybe to some, but not to me. Also, let’s not forget about risk. If at any point my barber gives me a nasty cut with a razor, it doesn’t matter if they went above and beyond in providing the service. I’d still be pretty unhappy as a customer!
Putting the Model into Practice
By Chris Camacho
If we want to operationalize a service- and value-driven approach to cyber, there are three ways for security leaders to do so:
- Align with business outcomes
- Define service-level metrics
- Build a feedback loop
Aligning with Business Outcomes
Start at the top. If you want to shift to a service-driven security model, collaborate with your executive board to agree on expected outcomes. Link security strategy directly to specific business objectives. This could mean building customer trust through data protection, ensuring business resilience, maintaining regulatory compliance, or accelerating the secure adoption of new technologies.
Defining Service-Level Metrics
For each security service you intend to provide, define clear metrics for effectiveness, quality, and efficiency. Being effective will mean a reduction in incident rates. Having high quality might mean seeing reduced friction or complaint volumes. For efficiency, consider optimizing unit costs, or cost per risk mitigated. This could involve improving process automation, introducing self-service capabilities, or simplifying your tech stack.
But don’t forget about risk! Try to ensure that there are no surprises: no outages from fail-closed controls and no botched incident responses.
Building a Feedback Loop
Implement robust operational practices. Set Service Level Objectives (SLOs) with your stakeholders. Your KPIs, KRIs, and OKRs should directly tie back to these SLOs, which will result in continuous improvement. Then, make sure to report in terms of the business impact, not just security activity.
Why This Matters More Than Ever
Embracing this shift transforms your security teams from a perceived cost center into a strategic partner, speaking the language of business value and demonstrable outcomes. How does your organization currently measure the value of its security function? Security is entering a new era—driven by automation, AI, and an expectation to “do more with less.” If we don’t evolve how we communicate value, we risk being sidelined or starved of investment.
About Vesko Pehlivanov
Vesko Pehlivanov is a seasoned cybersecurity executive and former Director of Security Engineering at ID.me. He led transformative initiatives across cloud, infrastructure, and security operations—helping modernize security pipelines and drive strategic investment. Vesko was an early enterprise buyer of Abstract Security and remains a passionate advocate for security teams focused on operational excellence.