Information is power. It is also a source of profit, whether it’s customer data, intellectual property or financial information. Protecting this revenue stream should be priority one for the C-suite. And it is – for the CSO, CISO, CIO or other security-minded executives. For CEOs, CFOs and others with financial responsibilities, the case for investing in cybersecurity is not so clear-cut.
In fact, it’s quite the reverse. Any cost not directly impacting productivity or improving margins is considered an area for reduced spending in order to improve profitability. All too often, C-suite executives are willing to cut corners in their cybersecurity infrastructure to save a few quick dollars, only to suffer the consequences of a data breach or other network issue down the road. The short-term cost savings from skimping on infrastructure, staff or other resources, or not performing a risk assessment, are replaced with a long-term impact on earnings.
This comes from the mindset that cutting cost is equal to generating revenue. When it comes to cybersecurity, the C-suite needs to shift perspective and see revenue from the outside in. For example, a data breach is a reduction of revenue, not just a cost to the business in fines. That’s because a breach results in loss of trust, proprietary information, trade secrets and consumer confidence. On the other hand, investing in cybersecurity and breach preparedness creates trust, boosts consumer confidence and incites innovation – all generators of revenue.
Making the Case for Cybersecurity
Fortunately, it is possible for cost-conscious executives to see the financial benefits of a solid, well-invested cybersecurity posture. This can be done with a well-thought-out integrated security program without breaking the bank. During my years in finance, I’ve seen CEOs and CFOs embrace cybersecurity as critical to growth. Here’s how:
- Make cybersecurity part of your organization’s DNA. CEOs set the tone for an organization. If they lead with security in mind, their employees will follow. This top-down approach ensures security is integrated throughout the organization and promotes a collaborative approach to risk management – rather than placing responsibility on the IT team, CISO, or CTO.
There are several ways to make security part of your organization’s culture. IT security can perform social engineering tests and discuss results. They can make security training fun and enjoyable, yet realistic and easy to implement. Consistent training programs that are interactive make employees feel like they are learning, instead of having their hands slapped. Team-building activities such as brown-bag cybersecurity lunches or reminder cards for employees can help to keep cybersecurity awareness top of mind. Openly integrating security into conversations and meetings – for example, discussing the latest data breaches in the news and how they occurred – is a good way to highlight spear-phishing, malware and the social leaking of information, and talk through how to minimize these threats. Creating a holistic and positive company culture can also help to mitigate the risk of disgruntled employees and breaches.
- Understand the real benefits. To appreciate the value of cybersecurity, be prepared to justify the costs. Documenting them well will help CFOs understand the costs of cutting corners. A few more tips:
  - Use a reliable method for calculating cybersecurity financial benefits.
  - Think beyond traditional ROI methodologies. Consider having a Business Impact Analysis (BIA) done to help evaluate your organization’s customized needs. A BIA provides a method to define how specific organizational units and capabilities (in this case, IT) substantially support the accomplishment of the organization’s mission as well as to quantify the consequences of disruptive events, breaches, and other adverse occurrences. The process requires significant stakeholder involvement in order to be effective. The collaboration required ensures that the conclusions drawn reflect the knowledge and expertise of the organization’s stakeholders.
  - Know your risks and the costs of those risks. A risk or gap assessment can help you clearly identify these.
  - Understand the expected financial losses from a breach or other threat, including the costs of lost customers and insurance rates and ratings.
  - Know the solutions available to mitigate or avoid these risks – and the “shelf life” of these solutions.
- Evaluate infrastructure from a growth and longevity perspective. In an effort to cut costs, it may be tempting to purchase end-of-life or end-of-sale infrastructure. That’s a big mistake. To understand your true cost-benefit picture, it’s critical to calculate the cost of your risk and the longevity of your infrastructure. Spending less now, only to replace everything in two or three years, will cost more in the long run. Additionally, analyze your three- to five-year business trajectory and build cybersecurity infrastructure and policies from the beginning for growth.
- Work with a trusted partner to provide managed security services. Your vendor should have a depth of security experience with an experienced, trusted and security-certified staff. A good managed security services provider (MSSP) will be a partner, collaborating between security and IT, creating a dynamic where security helps the IT team see its blind spots. Because cybersecurity is a hot industry, many are using the term to promote their business – even though they have few or no qualified, experienced employees. If you don’t have the budget for a dedicated IT staff, then a reputable security services vendor can work with you to ensure that all devices are kept up to date with the latest firmware and security patches/releases. They can also perform critical annual or bi-annual assessments – critical to managing risks and identifying gaps.
- Plan for a data breach. Let’s face it, we live in the real world, and nearly all organizations will inevitably face a data breach. Ensure your organization has a Disaster Recovery and Business Continuity Plan which includes an incident response plan and that it’s kept up to date and tested annually. This helps to mitigate the damage and get your organization back up and going with clear direction in the midst of a highly stressful situation.
The time is overdue for cybersecurity to become a priority for the C-suite. Rather than a necessary evil or an easy place to cut costs, cybersecurity is critical to an organization’s financial health and profitability. What is the return? Consumer and customer trust, innovation and growth. Data breaches and other security threats put valuable information at risk, which can cost a business precious revenue in terms of downtime, loss of consumer confidence and diminished trust. On the other hand, a strong cybersecurity posture protects valuable assets and creates a vibrant workspace where growth and innovation can prosper.