Cybersecurity budgeting is one of the most peculiar exercises in corporate strategy and planning today. For a cyber leader, requesting a budget is unfortunately more art than science. This is because measuring and communicating cyber risk is notoriously difficult — the threat is always morphing, enterprise vulnerability is fluid, and business impacts are far-reaching and tough to calculate. To justify budget requests, cyber leaders inevitably incorporate headline news that instills fear, uncertainty, and doubt. Here, leaders seek to influence through emotion. This process happens year over year, all to increase cybersecurity spending slightly. A couple more dollars here, a little more capability there, often with few measurable gains.
This awkward ritual creates two bad, interrelated business outcomes:
- Cyber programs are underfunded to do the job — resulting in reactive and inefficient spending later.
- Business leaders see cyber as just a necessary cost of doing business — a tax payment they’d rather spend elsewhere.
Fortunately, there’s a new mindset available, which some companies are practicing. This is a shift in thinking, focusing on cybersecurity’s undeniable strategic importance to the health and prosperity of today’s digitally minded companies (and who isn’t “going digital”?). Leaders are beginning to see cybersecurity as a means to improve their bottom line — and there are specific ways you can use it for this purpose.
How Cybersecurity Can Improve the Bottom Line
The right cyber investment can shed massive enterprise costs over the long term. It can also improve an organization’s appeal to customers, thereby increasing the opportunity for new and enhanced revenue streams. The scope for this opportunity is also expanding, moving beyond enterprise IT to the full business ecosystem — suppliers, R&D, production, products, services, and more.
Reduce costs. When properly orchestrated, cybersecurity can reduce costs by:
- Minimizing business impacts (for example, operational, financial, regulatory) of cyber risks.
- Lessening the remediation costs of cyber incidents by introducing capabilities to reduce incident volume and/or quickly contain incident sprawl.
- Uncovering related business capabilities that require cost-minded improvements (for example, crisis management, supply chain management), by conducting cyber-readiness exercises.
Increase revenue. Companies can use cybersecurity to support revenue by:
- Providing a differentiating and marketable trait to gain customers, increase transaction size, and charge premium prices.
- Accruing new revenue sources by adding security capabilities (for example, monitoring, response) into an existing product/service portfolio.
- Using security services for long-term “stickiness” with customers, keeping sales channels open for a range of offerings.