While leading a cyber incident response, a client asked me how they could justify buying preventive security equipment to their executives. This is the same story that security professionals are faced with all the time. In companies where IT is not the primary revenue stream, security is always, has always been, and will always be a pure cost. By pure cost, I mean that security contributes no direct income to the bottom line. Of course, academics and IT gurus blog frequently about risk and how security keeps the revenue stream from drying up; just look at companies that have lost millions due to cyber breaches. Unfortunately, even in these cases, security can only be described as having an indirect influence on the bottom line. Stockholders and members of the board (in my experience) have a hard time understanding the nuances of an indirect influence on revenue. I’m not going to go into the details of why business analysts and consultants make a ton of money determining the true cost of anything, but suffice it to say that direct costs are easy to calculate and indirect costs are more challenging. Of the indirect costs, security proves to be one of the more difficult.