OT security teams present lists of critical vulnerabilities. Executives ask for Return on Investment. The conversation stalls because cybersecurity spending does not generate revenue; it prevents loss. At S4x26 in Miami, Hector R. Perez of Black & Veatch and Jacob Marzloff of Armexa presented a financial framework for OT security budgets that replaces ROI with Return on Mitigation (RoM), a metric that quantifies how much financial risk each dollar of security spending eliminates.
Why ROI Does Not Apply to Cybersecurity
ROI measures the return generated by an investment. It works for operational upgrades: a system that increases throughput by 15% has a calculable return. Cybersecurity spending does not increase throughput, reduce cycle time, or generate new revenue. It prevents losses that may or may not occur.
Hector R. Perez of Black & Veatch used a vehicle analogy at S4x26: spending on an engine upgrade that allows a car to drive 75 mph is an ROI calculation because it gets the driver to the destination faster. Spending $2,000 on a seatbelt does not get the driver there faster. It protects the driver if something goes wrong. Cybersecurity is the seatbelt.
When organizations evaluate security spending through an ROI lens, projects that increase operational efficiency (including AI optimization) consistently outperform security investments in budget competitions. The result is increased operational capability with increased cyber exposure.
Calculating Return on Mitigation
Return on Mitigation quantifies risk in dollar terms using the Cyber Risk Equation: Risk = Threats x Vulnerabilities x Consequences. The practical calculation uses Annualized Loss Exposure (ALE).
For an OT ransomware scenario: a facility estimates a 0.3% annual probability of an event that would cost $150 million. The baseline ALE is $450,000 (0.3% x $150 million). If segmentation and hardened remote access cost $110,000 per year and reduce the attack probability to 0.1%, the new ALE becomes $150,000. The risk reduction is $300,000 ($450,000 baseline minus $150,000 post-mitigation). Dividing $300,000 by the $110,000 control cost produces a 2.7x RoM multiple. For every $1 invested in this control, the organization mitigates $2.70 of quantified financial risk.
This calculation gives security leaders a number that finance teams and boards can evaluate alongside every other capital allocation decision in the organization.
Translating Technical Findings During M&A
The gap between technical findings and business language becomes most visible during corporate acquisitions. Jacob Marzloff of Armexa described how presenting a technical security assessment filled with unpatched systems or exposed passwords to a deal team is typically dismissed as a rounding error. If a risk cannot be expressed in dollar terms, it does not survive the due diligence process.
To secure remediation budgets during an M&A transition, security leaders need to map findings to the acquiring company’s corporate risk matrix. Lack of network segmentation becomes a single point of failure. A single point of failure becomes a severe operational outage with $10 million to $25 million in estimated damages. The remediation request of $100,000 represents less than 1% of the potential consequence. That framing changes the budget conversation from a technical request to a financial decision.
FAQ
1. How do you justify an OT cybersecurity budget?
Replace ROI with Return on Mitigation (RoM). ROI measures revenue generated, which cybersecurity spending does not produce. RoM measures loss prevented in dollar terms. Calculate the Annualized Loss Exposure (ALE) for a specific threat scenario, then measure how much a proposed control reduces that exposure. A $110,000 investment in segmentation and hardened remote access that reduces annualized risk from $450,000 to $150,000 produces a 2.7x RoM multiple, meaning every $1 spent mitigates $2.70 in quantified financial risk. That framing competes directly with other capital allocation decisions.
2. What does an OT ransomware attack cost?
The cost depends on the facility, but the calculation framework is consistent. Multiply the estimated probability of the event by its total cost to get the Annualized Loss Exposure (ALE). For a facility that estimates a 0.3% annual probability of an OT ransomware event costing $150 million, the baseline ALE is $450,000. After implementing segmentation and hardened remote access ($110,000 per year), the probability drops to 0.1% and the new ALE becomes $150,000. The $300,000 difference is the quantified risk reduction, which divided by the $110,000 control cost produces a 2.7x Return on Mitigation multiple.
3. How do you secure remediation budget after an acquisition?
Map technical findings to the acquiring company’s corporate risk matrix and translate each one into a financial exposure. Lack of network segmentation becomes a single point of failure with $10 million to $25 million in estimated damages. The remediation request of $100,000 represents less than 1% of the potential consequence. If a risk cannot be expressed in dollar terms, it is typically dismissed during M&A transitions. Security leaders need to frame every finding as a financial exposure with a proportional remediation cost.
Related from IIoT World
- 89% More Breaches: How Manufacturers Are Fighting Back
- Securing Automation: Why the Specification Stage Is the Right Time to Embed OT Cybersecurity
- Top 7 ICS/OT Cybersecurity Trends and Frameworks for 2026
This article is based on presentations at S4x26 in Miami, attended by Lucian Fogoros of IIoT World. Speakers include Hector R. Perez of Black & Veatch and Jacob Marzloff of Armexa. AI tools were used to help summarize and organize the content. Reviewed and edited by the IIoT World editorial team.