Improving Your Bottom Line With Cybersecurity

Cybersecurity budgeting is one of the most peculiar efforts today in corporate strategy and planning. For a cyber leader, requesting a budget is unfortunately more art than science. This is because measuring and communicating cyber risk is notoriously difficult — the threat is always morphing, enterprise vulnerability is fluid, and business impacts are far-reaching and tough to calculate. To justify budget requests, cyber leaders inevitably incorporate headline news that instills fear, uncertainty, and doubt. Here, leaders seek to influence through emotion. This process happens year over year, all to increase cybersecurity spending slightly. A couple more dollars here, a little more capability there, often with few measurable gains.

This awkward ritual creates two bad, interrelated business outcomes:

• Cyber programs are underfunded to do the job — resulting in reactive and inefficient spending later.
• Business leaders see cyber as just a necessary cost of doing business — a tax payment they’d rather spend elsewhere.

Fortunately, there’s a new mindset available, which some companies are practicing. This is a shift in thinking, focusing on cybersecurity’s undeniable strategic importance to the health and prosperity of today’s digitally minded companies (and who isn’t “going digital?”). Leaders are beginning to see cybersecurity as a means to improve their bottom line — and there are specific ways you can use it for this purpose.

How Cybersecurity Can Improve the Bottom Line

The right cyber investment can shed massive enterprise costs over the long term. It can also improve an organization’s appeal to customers, thereby increasing the opportunity for new and enhanced revenue streams. The scope for this opportunity is also expanding, moving beyond enterprise IT to the full business ecosystem — suppliers, R&D, production, products, services, and more.

Reduce costs. When properly orchestrated, cybersecurity can reduce costs by:

• Minimizing business impacts (for example, operational, financial, regulatory) of cyber risks.
• Lessening the remediation costs of cyber incidents by introducing capability to reduce incident volume and/or quickly contain incident sprawl.
• Uncovering related business capabilities that require cost-minded improvements (for example, crisis management, supply chain management), by conducting cyber-readiness exercises.

Increase revenue. Companies can use cybersecurity to support revenue by:

• Providing a differentiating and marketable trait to gain customers, increase transaction size, and charge premium prices.
• Accruing new revenue sources by adding security capabilities (for example, monitoring, response) into an existing product/service portfolio.
• Using security services for long-term “stickiness” with customers, keeping sales channels open for a range of offerings.

What Forces Are Shaping This Opportunity?

The concept of cyber monetization may fly in the face of conventional wisdom, so below we’ll dig into the forces behind this opportunity. The first point explores how paying attention to cybersecurity up front will help you reduce costs, while the latter articulates your opportunities for increased revenue.

Point No. 1: Successful digital transformation depends on cyber investment. A favorable digital transformation — in whatever form that takes — is dependent on infusing cybersecurity as a foundation. A recent Cisco study found there’s an estimated $5.3 trillion in private sector value at stake over the next decade. Sixty-eight percent of this value depends on making cybersecurity core to that transformation. Specifically, building strong cyber defenses for seven specific use cases will deliver $1.8 trillion in value.

Every company is exploring how emerging technologies can improve business. Whether you’re instigating wide-scale cloud migration, harnessing the power of smart manufacturing, or laying an AI foundation for better customer experience, your business’s infrastructure is changing. The capital outlays needed here are staggering. To improve the odds that your business will accrue the anticipated benefits and not be wrecked by costs from downstream cyber incidents, you need to infuse security into the infrastructure foundation from the start. Pay a little now, or a lot later. From moment one of any technology initiative, cybersecurity principles and practices must be a core tenet that leaders insert into strategic and operational plans. Simply put, transformational bets will have better returns with proactive cyber investment.

Point No. 2: Cyber drives buying decisions. Many customers are now making cybersecurity part of their buying calculus. In health care, a recent technology study showed that medical providers are deeply considering cybersecurity when choosing what suppliers to buy from. In the automotive industry, automakers banded together to create third-party cyber risk-management guidelines to improve partnership decisions. Similarly, your opportunity to do business with the U.S. Department of Defense is now further dependent on how effectively you embed cybersecurity practices across your ecosystem. And lastly, there’s the everyday consumer. As IoT devices continue to permeate our world, individuals buying home security and related systems will look for cybersecurity as a core feature.

This trend creates a revenue-capture opportunity. Buyers have shown they’re looking for much more than “bare minimum” compliance. They want to see thoughtful design and implementation of a supplier’s cyber program, diligence in appropriating the right budget, exceptional talent, and the right technology to underpin it all. And they’re willing to pay. By differentiating at this opportune moment, you can improve your market positioning and establish yourself as a cyber-secure brand that people seek out.

How to Properly Monetize Cybersecurity

With a market that’s ripe for action, let’s analyze four key moves:

Gauge your specific opportunities. First, determine how your business model and underlying technology infrastructures might change over the coming years. Maybe you’re deploying a predictive maintenance capability across your product base, or you’re banking on an edge-computing model. Every major initiative represents an opportunity to infuse cybersecurity. Next, look outward. Understand your industry’s trends, evolving regulations, and customer buying formulas. Identify opportunities (such as your commitment to securing their IP or vigilantly “hardening” IoT products) to capture their attention and demonstrate you’re the right partner for the long haul.

Establish top-level internal support (and funding). Next, it’s time to shift mindsets at the top of your enterprise. Executive advocacy is critical, because you’re seeking to elevate cybersecurity as a strategic pillar for how your company thinks and operates. When you run into challengers who seek to disrupt your mission, such as those fixated on customer acquisition or lean operations, you’ll want the C-suite in your back pocket. When you find senior disciples, latch on to them. Key leaders that believe in cyber monetization will help you expand influence in the right forums. With the right plan and senior advocacy, you’ll be more likely to get the job done. Funding should come from several places — some central funding will be key, but business units need to allocate resources as well, such as skilled liaisons committed to helping this networked effort succeed.

Build the capability (in the right places). It bears repeating that you need to think more broadly than traditional defensive cyber objectives. Yes, you must thoughtfully secure the IT environment, while expanding capability into all cyber-relevant areas of the business (that is, the attack surface). Nontraditional leaders across the business (for example, in procurement, product development, and manufacturing) will be key pieces to this puzzle, as each of their respective domains may need new cyber requirements, processes, or technologies embedded into localized strategies and operations. Bringing this capability to life across the business requires centralized, highly coordinated orchestration, so plan to make a person or group accountable for it. It may be ideal to select your foremost cyber leader (for example, your chief information security officer) to drive things, but if their mission is already too expansive or their time is better spent on internal cyber defense, you may need to go another route. Last, systematically exercise your capability to gauge coverage and effectiveness — you’ll discover surprising new opportunities for the business.

Communicate your cyber strengths. As you implement appropriate cybersecurity capability across the business, it’s time to “sell” it to the outside world. Your customer base needs to interpret it as a strategic differentiator. They need to see and believe in the cyber investments you’ve made and be educated on the value of those investments. Communication will take hard work, but fortunately, you can lean on established mechanisms, such as corporate strategy and marketing functions. Just as you’ve made other “differentiator” bets in the past, you have a new opportunity here to enhance your market position and create tremendous value for your business.

We’ve reached a tipping point, where the right cyber investment can improve a company’s bottom line. Businesses can use cybersecurity to assure their digital transformation bets while positioning the business to capture new and enhanced revenue streams. Those companies that act seriously and aggressively now will establish advantageous market positioning and be greatly rewarded over the long haul.