Cybersecurity as a revenue generator
In this article, our CISO and Co-founder Branko Džakula dispels the common myth that "cybersecurity is nothing more than a cost center" - well, it can be if you let it be, or you can turn it into a powerful revenue generator.
He covers a lot of ground here, from the cultural change needed to create a healthy security-conscious culture to direct guidance on how to leverage good cybersecurity practices and use them as a powerful marketing and sales tool. Enjoy and learn!
It is no surprise to any security professional that information security has a tough time reaching the boardroom of many companies, staying top of mind for leadership, and getting the financial support it needs to meet its goals and support company objectives. But why?
- Companies refuse to implement cybersecurity due to a fatally wrong perception that it is a cost center with little to no benefit to the organization's business operations.
- Companies implement cybersecurity to comply with the minimum perceived level of requirements imposed by external parties, usually corporate clients, with no intention of actually practicing good cybersecurity.
But what is the root cause of such behavior? Simple. A lack of proper education and awareness among top management about cybersecurity risks and the benefits of implementing AND maintaining good cybersecurity practice.
How do we bring cybersecurity to the top of mind of leadership?
The perfect formula I’ve seen work in practice is a combination of proper education and awareness, expectation management of interested parties and, finally, using the fruits of the security management program to drive company revenue. Education about company cybersecurity risks that are quantified and clear as day brings leadership's attention to your program and gets you the support you need to start tackling risk mitigation.
Expectations from interested parties can be, and usually are, very high: users of digital services expect data privacy and protection, transparency and availability, while big corporate prospects and clients expect ISO 27001 certification or a SOC 2 report. These external expectations can further drive your success in getting leadership support for the program. However, they are short-lived solutions and only one part of the puzzle; the real catch is getting leadership's long-term commitment to the security program and their ‘due care’.
This is done by planning and communicating the positive impact of your security program and how it can drive company revenue. Contrary to popular belief, if positioned correctly, there is a tremendous revenue opportunity in cybersecurity.
How does cybersecurity drive revenue?
A strong cybersecurity posture will drive revenue higher, period. Let’s talk benefits:
Trust and customer confidence
Ensuring your business is secure proves you care. It demonstrates you are trustworthy, and when customers face a dilemma they will choose a company that knows how to protect their data from cyber breaches. According to research, consumers still do not trust large, global brands to secure their data. In fact, only 21% of consumers trust established global brands to keep their personal information secure. This lack of trust could be why nearly one third (31%) of consumers actively monitor the news for any potential breaches involving their information.
Competitive advantage
A strong security program will distinguish and differentiate your company, brand, product or service in your marketplace and in turn increase your market share. The best way to demonstrate this strength is to communicate regularly and transparently about your security practices, dedicate a public Security page on your website and show off any security certificates or attestations you want to share publicly.
Stronger pricing options
When communicated properly, you will be able to legitimize higher prices and some will even find new revenue streams. It is a common practice to offer additional security features to your products at a higher cost or as part of a pricier tier, but be careful to not overdo it.
Stronger brand
Implementing and maintaining a good security program and marketing it to your customers will position your company, in your community and industry, as one that cares. You will benefit from an increase in customer loyalty and win brand champions as well as big deals. Big brands have work to do if they want to earn consumer and partner trust. Serving and protecting your customer will ensure the long-term reputation of your brand and in turn increase its value.
Operational excellence
If your system becomes infected by ransomware or other malware, you might be forced to close and, in turn, bear the heavy cost of a cyber breach. A strong cybersecurity posture will push operational efficiency higher and reduce downtime and remediation costs. At the same time, implementing an information security program drastically improves the resilience of IT infrastructure, not just against cyber threats but also against threats to business continuity caused by other factors, and shortens the recovery time between when a breach occurs and when you are fully operational.
Cybersecurity protects your business and data
Cybersecurity solutions and aggressive, persistent training will ensure your employees are not at risk from malware or phishing attacks. Prevention is cheaper than losses and while some would argue otherwise, a study conducted by the Ponemon Institute states “the average total cost of a phishing attack is $832,500 and of that 82 percent is spent on detection, containment, recovery and remediation. Respondents estimate 18 percent is spent on prevention. Thus, if the attack is prevented the total cost saved would be $682,650 (82 percent of $832,500).”
Increased productivity, efficiency and quality
Viruses slow down computers, at times making work practically impossible. Security programs eliminate this outcome and maximize your business’s output. A good security program allows employees to work securely from any location, whether they are in the office, at home, traveling or on vacation, on company or personally owned devices. That further increases productivity, as was heavily tested and proven during the pandemic work-from-home period. Additionally, good security programs directly contribute to higher quality of your software products by introducing secure coding practices and vulnerability management, ensuring few to no vulnerabilities are shipped to production.
Compliance
Security programs directly contribute to compliance with government and industry regulations like HIPAA, ISO 27001, GDPR, BSI etc. Publicly communicating your compliance milestones goes a long way in contributing to your company's reputation, trust and brand recognition.
Company value
All the above will contribute to a more valuable company, higher chances of winning bigger deals and earning customer trust and their business.
What does it take to get there?
Start by caring and add time, talent, treasure, and technology to truly capitalize on this opportunity. Caring is what drives the boat, it speaks to a company’s commitment to its clients and its desire to really delight the customer. This, coupled with security best practices including a layered security system, will differentiate your company from your competitors, enhancing your market position and adding tremendous value to your business. From this day forward you can leverage this catastrophe in your marketplace by stepping up your cybersecurity game. After all, your customers crave security and peace of mind like the rest of us. This is your opportunity to give them what they want before your competitors do.
I keep mentioning ‘good security program’, what makes a good one?
Information security is culture
This is not a deadline project. Like any culture, it requires effort and dedication to grow, and it requires human touch and care.
Everyone is responsible
Hiring information security leaders like a CISO absolutely does not eliminate the duty of every other employee to practice good cyber security hygiene, follow company policy and keep up with the latest threats.
Lead by example
Let’s repeat — culture is built around leaders. Without management's commitment and care to build this culture, cyber security is blocked.
Trainings and communication
Security awareness training, together with frequent communication, is another great way to further promote and maintain a cyber security culture in the organization.
Maintenance and smart growth
As you grow, it’s a good idea to consider the best approach to scaling your cyber security. Not only in terms of technology, but also with people. Follow proven best practices and frameworks like ISO 27001.
And what happens if I don’t care?
If you like to focus on the negative, we can do that too. A weak cybersecurity posture that leads to a breach could at best be harmful and at worst lethal in the following ways:
- Brand value and reputation — The long-term reputation of your brand is at stake. As Warren Buffett says, “It takes 20 years to build a reputation and five minutes to ruin it.”
- Customer trust — Customers want you to protect their privacy. Breaches often involve customer payment and other confidential information.
- Loss of customers — A breach can create customer turnover of 3.4%. Customers are becoming less accepting of security failures, according to Chief Security Office Online (CSO).
- Loss of revenue — A loss of customers means loss of revenue. Do the math. Model a 10, 20 and 30 percent loss in revenue. Now do a return on investment (ROI) calculation on the cost of a strong cybersecurity posture.
- Prospects — Potential leads will be hesitant to trust a business with a history of poor data security.
- Intellectual property — Losing your secret sauce, client database, etc. could negatively impact the competitiveness of your business, especially if it falls into the hands of your arch rival.
- Litigation — You could be subject to litigation by your former client, a class action suit by a group of clients, and even a derivative action against the company’s officers and board of directors.
- Fines — You could be subject to fines under GDPR and other regulatory regimes.
- Denial of insurance claim — Check your fine print. More than likely your errors and omissions and cyber policies will not cover the cost of your breach if you did not do “cybersecurity right.”
- Company value — Virtually all the above will contribute to a reduction in the value of your company.
According to Malcolm Gladwell’s book “The Tipping Point,” the tipping point is “that magic moment when an idea, trend, or social behavior crosses a threshold, tips, and spreads like wildfire.” I believe we have reached a tipping point because trust issues have spread like wildfire and we are crossing the threshold into a new world.
The choice is yours. You can be like everyone else and continue to view cybersecurity as a cost center. Or you can be first to market by seizing the opportunity with both hands and start to emphasize your expertise. The result will be a leadership position in the market. You will succeed by making data security and privacy your new competitive advantage.
You will build a new type of customer relationship — one that is win-win for you and your customers.