The cybersecurity statistics that actually build a CFO-ready business case in 2026 are the ones tied to dollars and traceable to a primary source: average breach cost, the breach lifecycle, the savings from security AI and automation, and buying-complexity context. Below, each figure is cited to the IBM Cost of a Data Breach Report, Gartner, or Forrester—never a secondary aggregator.
Use these as benchmarked inputs to a model, not as standalone scare facts. The method for turning them into an approved business case is in how to quantify cybersecurity ROI for the CFO.
Sourcing note. Every figure below is attributed to a named primary source—the IBM Cost of a Data Breach Report, Gartner, or Forrester—with a link. The IBM figures are from the 2025 edition (the most recent at the time of writing); refresh them when IBM publishes the next edition, and never substitute a number from a secondary aggregator.
What the average data breach costs (IBM)
The average data breach cost USD 4.44 million globally, according to the IBM Cost of a Data Breach Report 2025—a 9% decrease from USD 4.88 million the prior year, and the first decline in five years, which IBM attributes largely to faster detection and containment driven by security AI and automation. The regional picture is more pointed: the United States hit a record high of USD 10.22 million, up 9% year over year.
This is the single most important benchmark in a cybersecurity business case, but it must be used carefully. The USD 4.44 million figure is a global average across all industries and company sizes; using it unmodified for a small buyer overstates exposure, and using it for a large US enterprise badly understates it. The correct practice is to take the IBM figure for the buyer's specific region and industry and adjust to their profile. By sector, healthcare remained the costliest industry at USD 7.42 million per the same report—so a sector adjustment can move the impact figure by millions.
Why the breach lifecycle drives cost (IBM)
The breach lifecycle—the time to identify and contain a breach—drives breach cost, and it is one of the most actionable statistics in a security business case. The IBM Cost of a Data Breach Report 2025 found the global mean time to identify and contain a breach fell to 241 days, the lowest in nine years (158 days to identify plus 83 days to contain), down from 258 days the prior year.
The lifecycle matters financially because longer breaches cost more, which is what makes detection-and-response speed a quantifiable value driver: a control that shortens the lifecycle reduces expected loss directly. Breaches involving stolen or compromised credentials took the longest to resolve—about 292 days per the same report—which is why identity-related controls have a strong lifecycle-based business case.
How much security AI and automation save (IBM)
Security AI and automation produced one of the strongest single data points IBM measured: organizations using them extensively spent an average of USD 3.62 million per breach versus USD 5.52 million for organizations that did not—a saving of nearly USD 1.9 million—and cut the breach lifecycle by roughly 80 days, according to the IBM Cost of a Data Breach Report 2025.
This statistic is unusually powerful in a business case because it directly attaches a dollar figure to a category of control, rather than to risk in the abstract. For any product that automates detection, response, or prevention, it provides a benchmarked, primary-sourced estimate of the value driver. As always, it should be adjusted to the buyer's exposure rather than applied as a flat USD 1.9 million credit—the saving scales with the buyer's underlying breach cost.
What security spending looks like (Gartner)
Gartner forecasts worldwide end-user spending on information security each year, and that forecast is the right primary source for the market-context section of a business case—the part that establishes security as a board-level budget priority rather than discretionary spend. Gartner projects worldwide end-user spending on information security to total USD 213 billion in 2025, up from USD 193 billion in 2024, and forecasts spending to grow a further 12.5% to USD 240 billion in 2026, citing rising threats and the expanding use of AI by both defenders and attackers as key drivers.
The reason to source spending context from Gartner specifically is credibility: a CFO recognizes Gartner as an independent analyst, so a Gartner spending trend carries weight that a vendor's own market claim does not. Pair the spending trend with the IBM breach-cost trend to show both that the threat is growing and that peers are funding the response.
The buying-complexity context (Gartner)
Cybersecurity purchases are complex, multi-stakeholder decisions, and Gartner's B2B buying research quantifies why a written, defensible business case is essential. Gartner research on the B2B buying journey finds that 77% of B2B buyers describe their most recent purchase as very complex or difficult, that a typical buying group involves six to ten decision makers, and that buyers spend only about 17% of their total purchase time meeting with potential suppliers.
For security deals, this context is decisive. A purchase that must satisfy a CISO, IT, compliance, procurement, and finance—most of whom deliberate when the rep is not in the room—is won or lost on the strength of the artifact the champion carries internally. That argues directly for a quantified, auditable business case over a technical pitch. The discipline behind building one is covered in what value engineering is in B2B sales.
ROI methodology and market research (Forrester)
Forrester is the right primary source for methodology—specifically its Total Economic Impact (TEI) framework, the most widely recognized independent approach to quantifying the ROI of a technology investment, used for more than 20 years. Citing the TEI methodology signals to a CFO that the business case follows an established analyst framework rather than a vendor's improvised math.
TEI evaluates an investment across four components—benefits, costs, flexibility, and risk—and that structure is exactly what a finance reviewer expects to see. If you cite a specific Forrester TEI study or a Forrester security market statistic, link to that specific report and quote its figure exactly rather than generalizing a single commissioned study into an industry-wide claim.
The practical use of Forrester in a security business case is twofold: adopt the four-component TEI structure to organize the case, and cite specific Forrester security research where it applies to the buyer's category. Both reinforce that the analysis is grounded in independent methodology.
How to turn these statistics into a business case
To turn these statistics into a CFO-ready business case, use them as benchmarked inputs to an expected-loss model—not as a list of frightening facts. A statistic on its own ("breaches cost USD 4.88 million") persuades no one in finance; the same figure, used as the impact term in a probability-adjusted model, becomes evidence.
The workflow is direct: take the IBM breach-cost figure (adjusted to the buyer) as impact, apply a likelihood from the buyer's incident history to get expected loss, layer in the IBM security-AI-and-automation saving and the detection-time benefit as supporting drivers, and frame the whole thing against Gartner's buying-complexity reality. Keep every assumption visible and sourced so the CFO can trace each number—the failure mode of ad-hoc models is covered in why spreadsheet business cases collapse.
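As an added example (not part of the original article and not ValueNova's own model), the workflow above as a small Python expected-loss model that keeps every input's source attached to the number; the buyer profile and the rule for choosing between the region and sector figures are assumptions of the example.

```python
from dataclasses import dataclass

# IBM Cost of a Data Breach Report 2025 figures as quoted in the article (USD millions, days).
IBM_2025 = {
    "global_avg": 4.44, "us_avg": 10.22, "healthcare_avg": 7.42,
    "with_ai_automation": 3.62, "without_ai_automation": 5.52,
    "lifecycle_days": 241, "lifecycle_reduction_days": 80,
}
SRC = "IBM Cost of a Data Breach Report 2025"

@dataclass
class Assumption:
    name: str
    value: float
    source: str  # provenance travels with every number so finance can trace it

def choose_impact(region: str, sector: str) -> Assumption:
    """Pick the most specific IBM benchmark for the buyer's profile.

    Only a US (region) and a healthcare (sector) figure appear in the article; when
    both apply, this example takes the larger one (a labelled modelling assumption).
    """
    candidates = [Assumption("global average breach cost", IBM_2025["global_avg"], SRC)]
    if region == "US":
        candidates.append(Assumption("US average breach cost", IBM_2025["us_avg"], SRC))
    if sector == "healthcare":
        candidates.append(Assumption("healthcare average breach cost", IBM_2025["healthcare_avg"], SRC))
    return max(candidates, key=lambda a: a.value)

def ai_automation_saving_ratio() -> float:
    """Fraction of breach cost saved with extensive security AI/automation (3.62 vs 5.52)."""
    return 1 - IBM_2025["with_ai_automation"] / IBM_2025["without_ai_automation"]

def build_case(region: str, sector: str, breaches: int, years: int) -> dict:
    """Expected-loss model: impact x likelihood, then the saving scaled to that exposure."""
    impact = choose_impact(region, sector)
    # Likelihood comes from the buyer's own incident history, not from IBM.
    likelihood = Assumption("annual breach likelihood", breaches / years, "buyer incident history")
    expected_loss = impact.value * likelihood.value
    # Scale the IBM saving to the buyer's exposure instead of a flat USD 1.9M credit.
    saving = expected_loss * ai_automation_saving_ratio()
    return {
        "assumptions": [impact, likelihood],
        "expected_annual_loss_musd": round(expected_loss, 3),
        "expected_annual_saving_musd": round(saving, 3),
        "lifecycle_days_with_automation": IBM_2025["lifecycle_days"] - IBM_2025["lifecycle_reduction_days"],
    }

if __name__ == "__main__":
    # Constructed buyer profile: US healthcare, two breaches in ten years (not real data).
    case = build_case("US", "healthcare", breaches=2, years=10)
    for a in case["assumptions"]:
        print(f"{a.name}: {a.value} ({a.source})")
    print(case)
```

The printed assumption list is the audit trail a CFO reviewer can check line by line; the lifecycle figure is carried as a supporting driver only, because the article gives no per-day cost to convert it into dollars.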
ValueNova is an AI-powered value engineering platform that helps B2B sales teams build repeatable, CFO-ready business cases. For security teams, that means these primary-sourced benchmarks are built into the model rather than re-researched on every deal. For the tooling category, see business case software for cybersecurity sales teams; for the modeling method, how to quantify cybersecurity ROI for the CFO.