Cybersecurity must justify its growing costs by evolving from a solely protective function.
It should also become a competitive advantage and contribute directly to the core goals of the organization.
The cybersecurity game is changing. No longer is the scope limited to meeting minimum regulatory compliance or providing limited protection from possible cyber-attacks. The risks go up as the threats continually adapt and launch new attacks. Expectations from customers, boards, and senior executives also grow every year. The result is a need for ever-greater spending.
“Global spending on cybersecurity products and services will exceed $1.75 trillion USD cumulatively for the five-year period from 2021 to 2025, growing 15 percent year-over-year” per Cybersecurity Ventures.
With the investment rising so quickly, cybersecurity can seem like a black hole of unending costs.
The value proposition is often challenging to prove even in the best of times. But with economic downturns comes cost-cutting and budget cuts. CISOs find themselves under extreme pressure to do more with much less. To survive as an effective contributor, Cybersecurity organizations need to adapt and show clear competitive advantages that contribute to the bottom line of the business to justify the commensurate support and board visibility.
Cybersecurity for most organizations began as an investment to either meet regulatory requirements or as a stopgap measure to protect against cyber-attacks. Success was measured by a minimum compliance posture or by operational metrics that showcased project completions, such as implementing a security policy, but not necessarily the losses prevented by the investment.
Quantifying such value is near impossible as it requires measuring something that did not occur. Did that security policy stop a breach from occurring? How do you prove it, if the breach never occurred?
A far easier measure is to showcase what activities were completed: how many patches were deployed, compliance boxes were checked, cybersecurity training classes attended, or network packets blocked.
For senior management, such measures sound like progress until an attack succeeds. Then the weakness of such value arguments becomes apparent. It is not about the vulnerabilities you closed, but rather the exploited ones that caused an impact!
For most cybersecurity organizations, this is the place they sit today. They attempt to maintain best practices and respond to new attacks. As attackers continue to evolve, this means cybersecurity constantly needs more funding for prevention, detection, and resilience to keep pace with new risks. Cybersecurity budgets typically rise more than 9% to 15% year over year on average per IDC analysts.
The relentless increase in spending is problematic for businesses as cybersecurity at this level does not contribute to profits. It is a cost sink rather than a profit center. Providing protection is an overhead. Growing overhead costs, especially at double-digit rates, is simply not sustainable in the long run for most organizations.
There has always been a big problem in determining the Return on Investment (ROI), or more specifically, the Return on Security Investment (ROSI). How does anyone know if throwing more money at a problem is effective and efficient if the results cannot be measured?
You could buy a shiny expensive new security tool and not see any additional losses from attacks. Does that mean the tool prevented the attacks or perhaps no attacks were directed your way in this period and the tool made no appreciable difference? If losses do go down, is it because the attacks went down, or was the investment actually showing value? If eventually an attack is successful, the organization already paid for the new security capabilities and now must also pay for the impacts. Paying twice is not something CFOs like.
Problems are aggravated as soon as the attackers switch tactics, as it may require a new tool or service, with accompanying staffing to manage it. This is why many companies have dozens of different security tools they maintain. Big corporations can have hundreds! The expense can become outrageous very quickly. Doubts in the eyes of management often elevate just as fast.
The cost of security increases over time because attackers continue to innovate and companies change their computing infrastructure. Both situations require security to adapt and expand what they are defending.
An organization that begins integrating the latest version of Windows, must now manage vulnerabilities in legacy operating systems and the latest version.
When organizations move to the cloud, security must protect the remaining servers in the data center while also implementing entirely new controls with the cloud vendor.
A new privacy regulation taking effect probably has provisions for the attestable security of sensitive data. Storing more data, you will need security to scale. The list seems to never end.
Costs rarely ever go down in cybersecurity. It is possible, but there must be a concerted effort. Perhaps legacy systems are completely removed, facilities are shuttered, or security tools are combined. It does not happen as often as people would like and it takes a significant level of incremental investment to make such changes a reality. It is far easier to add to the computing ecosystem than to surgically remove important elements without causing disruption.
As a result, every year CISOs submit their budgets and describe the justification for more money and headcount. It is a tough pill to swallow as the numbers climb. Budget allocations are a zero-sum game, with every department wanting a piece of the available pie. Profit groups have a significant advantage, as they can show their contributions in dollars and cents, and justly demand the lion's share. Support organizations are often positioned for the minimum necessary scraps.
There are macroeconomic issues at play as well. When global, regional, or national economic downturns occur, it places additional pressure on organizations to cut budgets, limit overhead costs, and reduce headcount. Preservation of products and sales is key to keeping revenue flowing in and is often the least impacted. Marketing and other revenue support functions feel more pressure, but the greatest impact often is on non-profit generating overhead groups. Security and privacy are easy first targets and rarely have a compelling argument for how they keep the cash flow rolling in.
Cybersecurity organizations that remain stagnant in their regulatory compliance or protection roles are at a disadvantage over time. Defenses that don’t keep pace with the risks eventually result in costly incidents, which undermine confidence in the security practice. It can become a downward spiral.
To remain effective and appreciated, savvy cybersecurity leaders are transforming their organizations to provide more value and command equitable respect among competing business groups.
In today's digital age, the significance of cybersecurity cannot be overstated. As businesses and individuals become more reliant on technology, the threats posed by cyber attackers are escalating. Consequently, cybersecurity organizations have an opportunity to play a crucial role in tapping into consumers' growing demands. Cybersecurity can help close deals, provide compelling marketing content for sales and brand elevation, open doors for advantageous partnerships, allow entry into new markets, grow market share, raise Average Selling Prices, enhance profit margins, and in some cases generate new revenue streams.
At the most basic level, cybersecurity can provide security assurance controls and oversight to satisfy various regulations and minimum requirements for partner agreements. It is often a check-the-box type of program, with little in the way of actual risk management. The key is to move as far beyond basic protection as possible and position cybersecurity to showcase tangible value.
Some examples of cybersecurity value beyond compliance and prevention of loss from incident impacts:
Company products and services that benefit from better security can be marketed for differentiation and to enhance brand reputation.
Cybersecurity-protected infrastructure that increases availability and shorter downtimes due to attack-related issues.
Take advantage of sales opportunities when competitors with less commitment to security suffer outages due to cyberattacks, but your customers remained protected from impacts.
Cost savings from working with cybersecurity insurers to lower premiums because of a better security posture.
Enabling business expansion to new geographies that have stringent regulations for digital security, privacy, and attestability.
Using security posture and resilience to negotiate lower costs for vendor and partner agreements.
Enhanced marketing messages for customers who value security and privacy.
Competition based upon security, privacy, and trust as part of a non-traditional brand differentiation strategy.
Leveraging add-on security capabilities as part of a Good-Better-Best product differentiation strategy. Ex. moving customers from a freemium to a paid plan.
Offering adjacent and supporting innovative security products and services as part of market expansion
Beyond entry-level compliance and protection to avoid losses, the next logical step is often being an enabler of the business for a baseline competitive advantage story, followed by adding incremental value, and finally, the holy grail for some organizations that can leverage cybersecurity to generate new revenue.
Each tier has a different value story and beneficial impact. CISOs can pursue transformation to attain a more compelling position for budgetary considerations and internal political clout.
The maturity of the cybersecurity organization typically starts at the bottom of the value proposition tiers and works its way upwards. Although in some sectors it is unlikely or not applicable for cybersecurity to bring in revenue, such as government agencies, there are opportunities for most businesses to ascend most of the way up.
The first tier is Compliance – Doing the minimum necessary to meet regulations and contract requirements. The focus is on meeting an attestable requirement and is often greatly detached from the concepts of actually managing cyber risk.
The second tier, which should be closely intertwined with the first, is Avoiding Loss – Preventing or lessening the effects of cyberattacks like data breaches, ransomware, and digital fraud. Risks are better understood and controls are instituted to manage residual risks.
The third tier is Competitive Advantage – This is where emphasis and resources and committed to specifically helping profit centers achieve revenue goals. Efforts are often directed to achieve goals for brand uplift, competitive features parity, market messaging enhancement, operational stability, resilience, and product differentiation.
The fourth tier is Adding Value – Enhancing current products and services with desirable security features, incremental associated benefits, and a better reputation for operational trustworthiness. These efforts are designed to help increase the Average Selling Price (ASP) of offerings, directly contribute to gaining market share, and positively impact profit margins.
The fifth tier is Profit Generator – Exclusive security features can drive new revenue as part of Good-Better-Best strategies, such as moving customers from freemium to paid subscription models or establishing a higher tier that just includes security assurances. Entirely new adjacent security products and services may be developed and brought to market. Revenue from these types of offerings can be directly attributed to security.
Moving up the ladder results in far different conversations about budgets, prioritizations, and potential cutbacks. Being a competitive advantage, adding value, and generating profits is the core language for business attention. It can solidify respect for the security teams, showcase leadership, and contribute to the bottom-line value of the company.
Cybersecurity is a trust builder and innovation sandbox. Those purposely making the shift and beginning to embrace cybersecurity as a competitive advantage, they can also benefit from enhanced business innovation and growth. By integrating security into the core of product design and business operations, organizations can enable the development of new products and services. When customers see that an organization prioritizes security, they are more inclined to engage in critical transactions or those involving sensitive information. Trust is fostered.
This opens up opportunities for new revenue streams and expansion into previously untapped markets. By embedding cybersecurity practices throughout the organization's value chain, from product design to customer support, it becomes a catalyst for business growth and a source of differentiation from competitors.
Beyond compliance and protection from cyberattack-related benefits, cybersecurity transformation can enable the business and contribute to profitability.
Capable leadership is essential to meet this goal. Making the transition is as tough as crossing a chasm or climbing a mountain, but it is being done by visionary leaders right now. These people have looked beyond the risks to also evaluate the opportunities. Trailblazing CISOs are purposefully maneuvering their organizations to contribute value in new and unexpected ways to showcase the potential contributions of cybersecurity in the digital age.
A value transformation is the inevitable future of cybersecurity. It is part of the brutal evolutionary cycle that culls the weak and stagnant while permitting the most adaptable to survive. Those who do not make the transition successfully will be starved of resources, undervalued, and blamed for high costs and ineffectiveness. The loss of morale will ensue and turnover will be high. Without solid foundations, cybersecurity withers and dies, eventually in a spectacular fashion. Consequently, consumer’s trust in the company soon follows.
Cybersecurity must re-envision itself to both protect and contribute a competitive advantage to the overarching business goals. Embracing this transformation is crucial for long-term success in the ever-changing cybersecurity landscape.
Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world. A public advocate for best-practices, and communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of achieving optimal cybersecurity. Matthew Rosenquist is experienced in building world class teams and capabilities, managing security operations, evangelizing best-practices to the market, developing security products, and improving corporate security services.