If you are struggling in getting finances allocated for cybersecurity in your organization, then this article is for you. There is a common misconception that cybersecurity is only a cost and not a business enablement tool, but that's not the reality.
“We don’t have the budget for this.”
“Show me how this adds value to my business.”
“Our C-Suite will never approve this purchase.”
These are all phrases that cybersecurity professionals hear on a regular basis. However, it is statements such as these that place organizations into precarious positions when it comes to cyber defense. If you are not a cybersecurity-focused company, then discovering the immediate return on investment can be a bit tricky.
However, we can help to break down these barriers and relay how cybersecurity can be a contributor for positive financial growth for your organization. Here are the five key indicators for cybersecurity ROI:
1. Your Brand:
Your brand means everything. Your reputation, company image, and future depend on its strength. Consumers are growing smarter every day and using the power of the internet to investigate the companies that they purchase from, banks that they invest with, hotels that they stay at, and anything in between. If and when your organization discloses a cyber breach, your brand suffers greatly. Revenues can drop, customer loyalty can take a hit, and you may be faced with serious fines in some cases. Be protective and vigilant about the security of your brand. Cyber-attacks come in waves across specific industries and circles of business. Let’s take this case study for an example of how cybersecurity boosted the brand, image, and revenue for an investment firm.
The firm was hit with an attempted phishing attack. They had adequate protections, multifactor authentication, security awareness training, security consulting services through an MSSP, and had implemented basic foundational cyber-hygiene. They observed the attack, defended, thwarted, and overcame the attack. However, the investment firm was one of several that was targeted by this specific campaign. Within a matter of 2 weeks, 8 investment firms had been hit with the same targeted attack. All of them had been breached; except for one.
The company’s cyber-resiliency was enough to keep them out of legal and regulatory hot water and they preserved their company image. No notices sent to customers, no clean up from cybersecurity incident responders, no forensics, no awkward phone calls to business partners explaining the breach.
The damage to the other company’s images and brands had pushed customers to the resilient insurance company and an influx of new clients ensued shortly after the ordeal. Immediate return from a cybersecurity incident that tarnished the brands of several competitors.
2. Regulatory Matters
Regulations provide more than a few reasons to stay compliant and secure in order to see immediate ROI.
The Payment Card Industry Data Security Standard (PCI-DSS) enforces a set of cybersecurity best practices that are designed to ensure the confidentiality of cardholder data. If and when a merchant does not comply with such regulations, they are required to pay higher fees on credit card transactions or in some cases, are forced to not accept payment cards at all! If you want lower fees, stay compliant. If you want to continue accepting payment cards stay compliant and, more importantly, stay secure.
The Defense Federal Acquisition Regulation Supplement (DFARS). Simply put; if your organization wishes to conduct business with the defense industry, DFARS compliance is your best friend and worst enemy. This goes for manufacturers, suppliers, and contractors doing business with the U.S. military or Department of Defense, whether directly or through a prime/sub-contractor. Staying compliant means that you can continue providing products or services to these partners. Non-compliance means that your contracts can be cancelled.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any entity that collects medical information is likely familiar with this regulation. Not adhering to this standard or having a violation can mean fines from $100 to $50,000 per record or penalties up to $1.5 million per year. Does this mean that you can justify spending $1.49 million dollars on cybersecurity today? Not exactly but you can make a solid business case for ensuring that you remain HIPAA compliant and secure.
There are dozens of other regulations that—when implemented effectively—can save your organization from staggering fines, fees, and the grief of public notification in the event of a data breach. Additionally, relaying cybersecurity compliance to partners and consumers can increase the confidence that they have in your organization.
What is your uptime worth? This is an important one to figure out. That e-commerce site that your company runs could be responsible for thousands of dollars every minute or hour that it remains running. Having systems down means money lost for most organizations, even if you're not in retail. Your manufacturing lines, medical devices, websites, telephony systems, cloud infrastructure, and more all produce value in some form or another.
Determine what negative numerical figures could arise if these critical systems went down. If you are having trouble with this one, ask yourself what would happen if your business was hit with a ransomware attack and every computer suddenly became a paperweight. Could your business still function? Nearly every business depends on their information technology environment in some way that is paramount for business operations. Downtime costs money and implementing a cybersecurity program can help to mitigate the risks and subsequently add to your margins.
On part two of this post, we'll share the final two factors in measuring the ROI of your cybersecurity investments. If done correctly, investing in your organization's cybersecurity posture is much more than a line item on your budget—it can build trust, improve public perception, and ensure your business remains profitable.