The CISO's $4M Question: Which Pre-Breach Investments Actually Move the Loss Curve
The IBM 2025 Cost of a Data Breach report put the global average breach cost at $4.88 million, a number that has become a reflexive citation in security board decks. The number is correct. It is also nearly useless as a decision input on its own, because the cost varies by an order of magnitude based on industry, region, and which controls were operational at the time of the breach. The decision-relevant question is not "what is the average?" It is "which controls actually move the average down for an organisation that looks like ours?"
The good news is that the same data sets that produce the headline number also segment cost by control. Looking at the IBM 2024–2025 segmentation, the Verizon DBIR 2024 incident classification, and our own engagement data over the last three years, a small number of investment categories show consistent, large reductions in measured breach cost. Most popular security investments do not.
This piece is the segmentation. It is opinionated. It will be useful to a CISO building a budget defence and to a board member trying to push back on a budget that is trending up without a corresponding risk story.
The four categories that actually move the curve
The investments below show breach-cost reductions of $0.5M to $2M+ in the published segmentations, and align with what we measure in our own engagements. They are not the most fashionable categories on a vendor's roadmap, which is partly why they remain underfunded.
1. Mature incident response capability, exercised under realistic conditions
A documented incident response plan that has been exercised in the last twelve months reduces breach cost by a measured $1.49M in the IBM 2024 data. Note the qualifier: exercised. Not "documented." Not "approved." A plan that has been read but never tested provides almost zero risk reduction in the data.
What "exercised" actually means: at least two unannounced tabletops in the year, a measured response timeline (page → triage → containment → notification), an executive tier of the response that has actually been tested under uncomfortable conditions, and a notification process that has been timed end-to-end against regulatory deadlines.
This is the single highest-return investment in breach reduction in the public data, and it is also one of the cheapest in absolute dollars. The reason it is underfunded is that it does not produce visible artefacts the way a tool deployment does. There is no dashboard for "we exercised our response plan well this quarter." Mature security organisations build that dashboard anyway.
2. AI / ML-enhanced detection, deployed against the right surface
Organisations using AI / ML in the security stack saw average breach costs $1.76M lower than those without (IBM 2024). The size of the effect surprised most people. The mechanism is not the technology itself; it is the time-to-detection compression.
The qualifier here is "deployed against the right surface." AI in a SIEM that is fed only network telemetry produces marginal gains. AI in a detection stack that includes endpoint, identity, and cloud control-plane telemetry produces the measured effect. The investment is not in the AI; the investment is in the underlying data foundations that make the AI useful.
We see organisations buy the AI feature without the underlying data work and report disappointment. The data is right; the sequence was wrong.
3. Encryption everywhere it actually matters
Extensive encryption (at-rest, in-transit, in-use where supported) reduces breach cost by $0.49M (IBM 2024). The "extensive" qualifier matters: organisations that encrypt the obvious things (databases, backups, network channels) and ignore the less-obvious things (CI/CD secrets, SaaS-to-SaaS API keys, shared file storage in collaboration platforms) get a much smaller effect.
The right operating model is the cryptographic register we discussed in the NIS2 article: a single source of truth that maps every key to the data it protects, with an owner, a rotation policy, and a usage audit. Without that register, encryption is a series of project decisions; with it, encryption is a managed control.
4. Identity and access controls executed at the operational level
It is hard to find a single number for this category, because it appears in the IBM data spread across "credential compromise" attack vectors and "stolen / compromised credentials" cost segments. Aggregated, it is the most expensive single attack vector in the public data: breaches involving compromised credentials cost $4.81M on average and take longer to identify.
The control that actually moves this number is the identity attack-path discipline we covered in the zero-trust piece: privilege graph computed weekly, action-level audit, and the four-move identity programme. Generic IAM tooling deployment without this operational layer does not produce the cost reduction.
What does not move the curve as much as you think
A second list of investments shows up frequently in security budgets but produces smaller measured cost reductions, or reductions that depend so heavily on prerequisites that the standalone purchase rarely lands.
Cyber insurance. Useful for risk transfer, not a control. The insurer also requires the controls in the four categories above before underwriting at reasonable premiums, so the insurance line item is downstream of the control work, not a substitute for it.
Threat intelligence subscriptions. Often genuinely useful for detection engineers and red teams. They rarely produce a measured breach-cost reduction in the data, because the intelligence is not reaching the operational decisions where it would matter. We see organisations buy multiple TI feeds and consume none of them in detection content.
Compliance certifications, by themselves. ISO 27001, SOC 2, PCI DSS, HITRUST. Useful for sales motion. Useful as a forcing function for some of the four categories above. Not a measured breach-cost reducer when treated as the goal rather than as a vehicle.
General-purpose SIEM. Without the detection-engineering discipline we covered previously, a SIEM is a data lake with alerts. The IBM data shows breach-cost reductions for SIEM users only when paired with mature detection engineering. The SIEM line item without that pairing does not move the number.
This is the conversation board members rarely have with their CISOs. The CISO's budget defence almost always emphasises tooling. The data emphasises capability. The two are not the same.
A defensible budget framing
If you are a CISO building next year's budget against a board that is going to ask hard questions, the framing that holds up under scrutiny is:
- Three to four explicit risk reduction targets, each tied to a measurable breach-cost lever from the public data and to a current weakness in the programme.
- Each target supported by capability investments first, tooling investments second. People time, exercise time, governance time, and only then tools that the capability needs.
- Each target produces a quarterly metric that reflects the reduction, not the activity. Time-to-detect for a credential leak. Privilege graph size. Encryption coverage of the cryptographic register. Exercise count.
- An explicit statement of what is being deferred. Boards trust CISOs who say "we are explicitly not investing in X this year because the prerequisites are not in place." They do not trust CISOs who appear to be investing in everything.
The $4.88M number is not the question. The question is which $0.5M, $1M, and $1.5M reductions you are credibly buying with next year's budget. A defensible answer cites the public segmentations, names the levers, and ties them to capability work. That is the conversation that changes the budget approval dynamic.
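As an added illustration (not Pelican Tech's tooling), the cryptographic register from the encryption section and the "encryption coverage of the cryptographic register" metric above can be modelled as plain records; the asset names, key ids and dates below are constructed sample data, and the gap categories (unmapped asset, no owner, rotation overdue, usage not audited) are the register fields the article names.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class KeyRecord:
    """One row of the register: a key, the data it protects, and its governance fields."""
    key_id: str
    protects: str                 # identifier of the data asset this key encrypts
    owner: Optional[str]          # accountable person or team; None = ungoverned
    rotation_days: Optional[int]  # rotation policy in days; None = no policy on file
    last_rotated: Optional[date]
    usage_audited: bool           # True if key usage is logged and reviewed

def encryption_coverage(assets: set[str], register: list[KeyRecord]) -> float:
    """Quarterly metric: share of in-scope data assets with at least one key mapped."""
    if not assets:
        return 1.0
    covered = {k.protects for k in register} & assets
    return len(covered) / len(assets)

def register_findings(register: list[KeyRecord], assets: set[str], today: date) -> list:
    """Gaps that turn 'encryption' back into a project decision instead of a managed control."""
    findings = []
    mapped = {k.protects for k in register}
    for asset in sorted(assets - mapped):            # the less-obvious, unencrypted things
        findings.append((asset, "no key mapped"))
    for k in register:
        if k.owner is None:
            findings.append((k.key_id, "no owner"))
        if k.rotation_days is None or k.last_rotated is None:
            findings.append((k.key_id, "no rotation policy or date"))
        elif today - k.last_rotated > timedelta(days=k.rotation_days):
            findings.append((k.key_id, "rotation overdue"))
        if not k.usage_audited:
            findings.append((k.key_id, "usage not audited"))
    return findings

# Constructed sample: obvious assets are mapped, the collaboration/SaaS ones are not.
ASSETS = {"customer_db", "backups", "tls_channels", "ci_secrets", "saas_api_keys", "shared_drive"}
REGISTER = [
    KeyRecord("kms-db-01", "customer_db", "data-platform", 365, date(2025, 1, 10), True),
    KeyRecord("kms-bk-01", "backups", None, 365, date(2025, 3, 1), True),
    KeyRecord("tls-edge-01", "tls_channels", "platform", 90, date(2025, 5, 20), True),
    KeyRecord("ci-signing-01", "ci_secrets", "build-team", 90, date(2025, 1, 5), False),
]
AS_OF = date(2025, 6, 30)   # constructed reporting date

if __name__ == "__main__":
    print(f"coverage: {encryption_coverage(ASSETS, REGISTER):.0%}")
    for subject, gap in register_findings(REGISTER, ASSETS, AS_OF):
        print(f"{subject}: {gap}")
```

On this sample the coverage is four of six assets, and the findings are the two unmapped assets, an ownerless backup key, and a CI signing key that is both overdue for rotation and not audited.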
Where this connects to our practice
Pelican Tech's Risk Management and Threat Analysis practice builds this kind of budget defence as a deliverable. We start with where the organisation actually stands against the four categories above (most have one strong area and three weak ones), produce the segmented loss-expectancy reduction the proposed investments would buy, and build the quarterly metric stack that keeps the board informed without theatre. We work alongside our SIEM/SOAR team when the binding constraint is detection content rather than coverage, and with our identity team when the credential-compromise vector is the dominant cost driver, which it usually is.
If you are heading into next year's budget cycle and the case for security spend is currently a tooling list, that is the conversation to have with us in advance.