Security can be a line item that is like a black hole for CFOs and business leaders. PwC noted, “Cyber budgets in 2024 are increasing at a higher rate compared to last year.” Despite increased spend, the threats, risks, and costs are expected to mount in 2025.
How can you measure ROI for cybersecurity?
Return on Investment (ROI) is best calculated based on what adds value to your organization. A university defines value creation differently than a regional credit union does. Yet no matter how your organization measures value, you can take the following approach to justifying investment and calculating ROI for authentication and Identity and Access Management (IAM).
Reason 1:
Investment in security reduces business disruptions.
Investing in stricter MFA to reduce risk and prevent costly business disruptions can be quantified to establish your ROI for security.
PwC reports: “Organizations who show greater maturity in their cybersecurity initiatives, report a greater number of benefits and a lower incidence of costly cyber breach of USD$1M, or a breach at all.”
Reason 2:
There is a direct correlation between MFA options and reducing risk.
Weighing the cost of MFA against the increasing probability and increasing cost of phishing is a way of quantifying risk, and it easily justifies adding MFA and more secure authentication options.
Reason 3:
Streamlining workflows with faster biometric MFA increases productivity.
Outdated MFA methods and poor user training are productivity drains. Updating your MFA to passkeys and modern biometrics can simplify employee workflows and increase customer loyalty.
This blog presents the research behind each of these reasons. It should motivate every organization to reevaluate its current MFA policy and to review whether increasing the security and flexibility of its authentication methods will increase productivity, reduce risks, and reduce business costs, and so easily justify increasing investment in the authentication options best suited to the success of its operations.
Which threats matter to your organization?
It is necessary to identify which threats are the most costly, whether because they are time-consuming or because they are frequent.
An analogy is how a small water leak can do as much financial damage as a flood. A flood is visible, but a hidden leak can linger and do much more costly long-term damage.
Source: PwC 2025 Global Digital Trust Insights
Ignoring the smaller incidents in security can lead to higher cumulative risk in the long run. If everyone writes down their complex password on a sticky note, then enforcing complex passwords has increased your business risk. Although password resets may seem like a minor consequence of using passwords, they cumulatively waste a significant amount of time and open the door to threat actors who use social engineering tactics. If increased employee productivity is a strategic goal, then streamlining MFA and including passkeys or other biometric access makes sense.
As one Finextra blog post points out, a “survey by Allied Market Research found that the biometric market is expected to grow to $68.6 billion by 2030. It’s no surprise when 79% of IT leaders now see biometrics as essential for secure digital transformation, according to a recent PwC report. These leaders recognize that the cost of implementing biometrics is outweighed by the potential cost of a single breach.”
Source: https://www.finextra.com/blogposting/27181/the-secure-fingerprint-why-biometrics-have-become-essential-for-corporate-clients
How can security leaders and business executives speak the same language regarding ROI for security?
PHISHING
In 2023, IBM identified phishing as the number one infection vector in 41% of cybersecurity incidents (IBM Security X-Force 2023). With phishing as the number one threat to organizations around the globe, public and private, large and small, nearly all enterprises are seeking cost-effective ways to increase security without increasing operating costs or disrupting existing workflows. Most importantly, businesses want to maintain their productivity.
MFA is a productivity tool
Multi-factor authentication (MFA) has been seen as a productivity inhibitor, something that slows business down. While many embrace single sign-on (SSO) as a time saver, MFA is seen as necessary only because of the weaknesses of passwords. But there are many different options for authentication.
Ranking Authentication Methods by Level of Risk and Security
According to CISA, “Some, but not all, MFA solutions also mitigate phishing attacks. Given the prevalence of phishing as an attack vector, phishing resistance should be a key consideration in choosing an MFA solution.” NSA and CISA joined together to provide comprehensive guidance available as BEST PRACTICES for Administrators for Identity Management.
Further guidance is also available in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63, NSA’s publication Selecting Secure Multi-Factor Authentication Solutions, and the Cybersecurity and Infrastructure Security Agency’s guidance on MFA.
BEST PRACTICES for Administrators for Identity Management
Source: NIST and NSA
Get your ROI here
Organizations are tracking and basing their satisfaction on the ROI that tools deliver. IT and security teams have realized that there is no point in owning feature-rich products if they are too complicated to use. G2 consolidates the feedback from customers. For MFA, ROI is something customers care about and provide feedback on. This is one of the areas where BIO-key’s PortalGuard platform stands out. In Summer 2024, PortalGuard was recognized for delivering the best ROI for MFA. According to G2: PortalGuard (https://www.g2.com/products/portalguard/reviews) delivers ROI on average in just 18 months for Enterprise customers. Despite the popularity and market dominance of other players, a differentiating factor in why customers choose PortalGuard is that they can be confident that they will get their money’s worth. As one customer said, “It does what I need, and for a great price compared to other products.” Another customer indicated that “We chose PortalGuard to replace a much more expensive portal solution and have never been more pleased.”
Part of the art of ROI is choosing MFA methods that can enhance productivity, such as:
- Authenticator apps: A widely adopted and convenient option for receiving verification codes on smartphones. PortalGuard offers MobileAuth.
- Biometrics: Fingerprint or facial recognition can provide a seamless login experience on supported devices.
- Push notifications: Instant alerts on devices to quickly approve login attempts.
Potential pitfalls to avoid when implementing MFA for productivity:
- Excessive MFA prompts: Too many verification steps can significantly slow down user workflow.
- Outdated MFA methods: Relying on SMS-based verification, which is susceptible to phishing attacks, can compromise security and user trust.
- Poor user training: Not adequately educating employees on MFA usage can lead to confusion and frustration.
Don’t wait till 2025
Continually questioning whether the right solutions are installed is necessary to stay ahead of threat actors. Having MFA solutions in place is not the same as choosing the right MFA solutions, the ones that optimize security and productivity so that you get the ROI you deserve for your efforts.
About the Author: Mary Roark, CISSP
Mary is a seasoned leader and strategist in the cybersecurity domain. She holds a CISSP credential, a BSEE, and an MBA. I am passionate about security technology that easily and quickly secures people, data and business.
LinkedIn: https://www.linkedin.com/in/maryroark/