2025-12-06, Track 3
Security teams must balance what they want to implement against the security budget available to them, and sooner or later face the question “What is the ROI?” when selling the value to the business.
This talk bridges the gap between hacking and the boardroom by showing how to measure the Return on Security Investment (ROSI) of a bug bounty program.
Using real breach cost data from IBM, attack vectors from Verizon’s DBIR, maturity insights from software security maturity frameworks, and data from global bug bounty programs, this talk walks you through a methodology to translate vulnerabilities into financial impact, avoided losses, and strategic value. Attendees will leave with a practical framework and examples they can use to justify, defend, or expand a bug bounty program inside their own organizations.
Bug bounty programs often start as a technical experiment — but to scale, they must prove their worth in financial terms. This session will dive into how to build a defensible, data-backed business case for bug bounty programs, using ROSI (Return on Security Investment) models.
We’ll explore:
o Why ROSI: a recap of why the return on a security initiative requires a different approach than standard ROI models, since the benefit is avoided loss rather than earned revenue
o Why this matters now: breach costs are at an all-time high and exploited vulnerabilities have surged as an initial entry point, leaving technical buyers in a complex landscape to decide where they will get the most bang for their buck
o How bug bounty programs fit into software security maturity to help mitigate risk
o A step-by-step ROSI model for bug bounty programs: a walkthrough of a model that maps breach probabilities, breach costs, attack surface coverage and asset maturity to quantify the value of a bug bounty program
o Real-world case studies based on redacted data from multiple bug bounty programs, showing how programs shift from “bug hunts” to “trust and resilience enablers”
o A practical playbook: how to pitch ROSI to the business for your next initiative
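As an added illustration of the ROSI arithmetic the list above refers to (this is not code from the talk or from Intigriti), the block below works through the generic ROSI formula popularised by ENISA and SANS, ROSI = (ALE × mitigation ratio − cost) / cost with ALE = SLE × ARO, and contrasts it with plain ROI. The speaker's model additionally maps attack surface coverage and asset maturity; those factors, and any real breach-cost or program figures, are not reproduced here, and every number in the block is a constructed assumption.

```python
"""Generic Return on Security Investment (ROSI) arithmetic.

Added illustration, not the speaker's model. Uses the widely cited
ENISA/SANS form:  ROSI = (ALE * mitigation_ratio - cost) / cost,
where ALE = SLE * ARO. All input figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RosiInputs:
    # Single Loss Expectancy: expected cost of one breach of the asset
    # (a practitioner would source this from published breach-cost data).
    single_loss_expectancy: float
    # Annual Rate of Occurrence: expected breaches per year without the control.
    annual_rate_of_occurrence: float
    # Fraction of the expected loss the control is believed to remove (0..1).
    mitigation_ratio: float
    # Annual cost of the control, e.g. bounties + platform fees + triage effort.
    solution_cost: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError("mitigation_ratio must be within [0, 1]")
        if self.solution_cost <= 0:
            raise ValueError("solution_cost must be positive")
        if self.single_loss_expectancy < 0 or self.annual_rate_of_occurrence < 0:
            raise ValueError("loss figures must be non-negative")


def standard_roi(gain: float, cost: float) -> float:
    """Ordinary ROI: net return per unit cost, where 'gain' is realised revenue."""
    return (gain - cost) / cost


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: the loss you expect per year if nothing changes."""
    return sle * aro


def avoided_loss(inp: RosiInputs) -> float:
    """The 'gain' term of ROSI is expected loss avoided, not revenue earned."""
    ale = annual_loss_expectancy(inp.single_loss_expectancy, inp.annual_rate_of_occurrence)
    return ale * inp.mitigation_ratio


def rosi(inp: RosiInputs) -> float:
    """ROSI as a ratio: 0.6 means 60 cents of net avoided loss per dollar spent."""
    return standard_roi(avoided_loss(inp), inp.solution_cost)


def break_even_cost(inp: RosiInputs) -> float:
    """Largest annual program cost at which ROSI is still >= 0."""
    return avoided_loss(inp)


def rosi_sensitivity(inp: RosiInputs, ratios) -> dict:
    """ROSI under several mitigation_ratio assumptions; that input is the
    least certain one and the first a finance reviewer will challenge."""
    return {
        r: rosi(RosiInputs(inp.single_loss_expectancy, inp.annual_rate_of_occurrence, r, inp.solution_cost))
        for r in ratios
    }


# Constructed example inputs (not taken from any report or program).
EXAMPLE = RosiInputs(
    single_loss_expectancy=4_000_000.0,
    annual_rate_of_occurrence=0.2,
    mitigation_ratio=0.3,
    solution_cost=150_000.0,
)

if __name__ == "__main__":
    ale = annual_loss_expectancy(EXAMPLE.single_loss_expectancy, EXAMPLE.annual_rate_of_occurrence)
    print(f"ALE: {ale:,.0f}")
    print(f"Avoided loss: {avoided_loss(EXAMPLE):,.0f}")
    print(f"ROSI: {rosi(EXAMPLE):.2f}")
    print(f"Break-even program cost: {break_even_cost(EXAMPLE):,.0f}")
    for r, v in rosi_sensitivity(EXAMPLE, (0.1, 0.3, 0.5)).items():
        print(f"  mitigation {r:.0%} -> ROSI {v:.2f}")
```

The sensitivity table is the part worth bringing into the room: with the constructed inputs the program is cash-positive at a 30% mitigation assumption but negative at 10%, so the pitch stands or falls on how defensibly the mitigation ratio (and the ARO behind it) is derived, which is exactly where attack surface coverage and asset maturity data enter a fuller model.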
As CRO at Intigriti, Harry leads the revenue functions that drive growth. With over 20 years of cybersecurity experience and a deep technical background in security testing, adversary simulation and incident response, he has led numerous projects for multinational organisations, focused on the financial services and telecoms sectors across Europe, the US, Singapore and Africa.
As part of the early founding team at MWR InfoSecurity in 2004, he had a front-line seat on MWR's global expansion rollercoaster, from a small UK startup to an international research-led security consultancy, until MWR's acquisition in 2018.
Harry joined Intigriti in 2020, at an exciting time as Intigriti moved from startup into scale-up phase and bug bounty and crowdsourced security started to become mainstream.
