It comes as no surprise to any security professional that the field of information security has a tough time reaching the boardroom of many companies, staying top of mind for leadership and getting the financial support it needs to succeed in its goals and support company objectives. But why? I covered a few aspects in my previous article, but let’s recap:

  1. Companies refuse to implement cybersecurity due to a fatally wrong perception that it is a cost center with little to no benefit to the organization’s business operations.
  2. Companies implement cybersecurity to comply with the minimum perceived level of requirements imposed by external parties, usually corporate clients, with no intention of actually practicing good cybersecurity.

But what is the root cause of such behavior? Simple. A lack of proper education and awareness among top management about cybersecurity risks and the benefits of implementing AND maintaining good cybersecurity practice.

How do we bring cybersecurity to the top of mind of leadership?

The perfect formula I’ve seen work in practice is a combination of proper education and awareness, expectation management of interested parties and, finally, using the fruits of the security management program to drive company revenue. Education about company cybersecurity risks that are quantified and clear as day brings leadership’s attention to your program and gets you the support you need to start tackling risk mitigation. Expectations from interested parties can be, and usually are, very high: users of digital services expect data privacy and protection, transparency and availability, while big corporate prospects and clients expect you to get certified for ISO 27001 or obtain a SOC 2 report. These external expectations can further drive your success in getting leadership support for the program. However, they are short-lived solutions and only one part of the puzzle. The real catch is getting leadership’s long-term commitment to the security program and their ‘due care’. This is done by planning and communicating the positive impact of your security program and how it can drive company revenue. Contrary to popular belief, if positioned correctly, there is a tremendous revenue opportunity in cybersecurity.

How does cybersecurity drive revenue?

A strong cybersecurity posture will drive revenue higher, period. Let’s talk benefits:

Ensuring your business is secure proves you care. It demonstrates you are trustworthy, and when customers face a dilemma they will choose a company that knows how to protect their data from cyber breaches. According to the research, consumers still do not trust large, global brands to secure their data. In fact, only 21% of consumers trust established global brands to keep their personal information secure. This lack of trust could be why nearly one third (31%) of consumers actively monitor the news for any potential breaches involving their information.

A strong security program will distinguish and differentiate your company, brand, product or service in your marketplace and in turn increase your market share. The best way to demonstrate this strength is to communicate regularly and transparently about your security practices, dedicate a public Security page on your website and show off any security certificates or attestations you want to share publicly.

When communicated properly, you will be able to legitimise higher prices and some will even find new revenue streams. It is a common practice to offer additional security features to your products at a higher cost or as part of a pricier tier, but be careful to not overdo it.

Implementing and maintaining a good security program and marketing it to your customers will position your company, in your community and industry, as one that cares. You will benefit from an increase in customer loyalty and win brand champions as well as big deals. Big brands have work to do if they want to earn consumer and partner trust. Serving and protecting your customer will ensure the long-term reputation of your brand and in turn increase its value.

If your system becomes infected by ransomware or other malware, you might be forced to close and in turn experience the heavy cost of a cyber breach. A strong cybersecurity posture will push operational efficiencies higher and reduce downtime and remediation costs. Implementing an information security program also drastically improves the resilience of IT infrastructure, not just to cyber threats but also to threats to business continuity caused by other factors, and shortens the recovery time between when a breach occurs and when you are fully operational again.

Cybersecurity solutions and aggressive, persistent training will ensure your employees are not at risk from malware or phishing attacks. Prevention is cheaper than losses, and while some would argue otherwise, a study conducted by the Ponemon Institute states: “the average total cost of a phishing attack is $832,500 and of that 82 percent is spent on detection, containment, recovery and remediation. Respondents estimate 18 percent is spent on prevention. Thus, if the attack is prevented the total cost saved would be $682,650 (82 percent of $832,500).”

Viruses slow down computers, at times making work practically impossible. Security programs eliminate this outcome and maximise your business’s output. A good security program allows employees to work securely from any location, whether they are in the office, at home, travelling or on vacation, on company or personally owned devices. That further increases productivity, as was heavily tested and proven during the pandemic work-from-home period. Additionally, good security programs directly contribute to higher quality of your software products by introducing secure coding practices and vulnerability management, ensuring few to no vulnerabilities are shipped to production.

Security programs directly contribute to compliance with government and industry regulations like HIPAA, ISO 27001, GDPR, BSI etc. Publicly communicating your compliance milestones goes a long way in contributing to your company’s reputation, trust and brand recognition.

All the above will contribute to a more valuable company, higher chances of winning bigger deals and earning customer trust and their business.

What does it take to get there?

Start by caring and add time, talent, treasure, and technology to truly capitalize on this opportunity. Caring is what drives the boat; it speaks to a company’s commitment to its clients and its desire to really delight the customer. This, coupled with security best practices including a layered security system, will differentiate your company from your competitors, enhancing your market position and adding tremendous value to your business. From this day forward you can leverage this catastrophe in your marketplace by stepping up your cybersecurity game. After all, your customers crave security and peace of mind like the rest of us. This is your opportunity to give them what they want before your competitors do.

I keep mentioning a ‘good security program’. What makes a good one?

This is not a deadline project. Like any culture, it requires effort and dedication to grow, and it requires human touch and care.

Hiring information security leaders like a CISO absolutely does not eliminate the duty of every other employee to practice good cyber security hygiene, follow company policy and follow the latest threats.

Let’s repeat — culture is built around leaders. Without the commitment of management and care to build this culture, cyber security is blocked.

Security awareness training, along with frequent communication, is another great way to further promote and maintain a cyber security culture in the organization.

As you grow, it’s a good idea to consider the best approach to scaling your cyber security. Not only in terms of technology, but also with people. Follow proven best practices and frameworks like ISO 27001.

If you don’t know where to start, the UN1QUELY team can get you started on the right track.

And what happens if I don’t care?

If you like to focus on the negative, we can do that too. A weak cybersecurity posture that leads to a breach could at best be harmful and at worst lethal in the following ways.

  • Brand value and reputation — The long-term reputation of your brand is at stake. As Warren Buffett says, “It takes 20 years to build a reputation and five minutes to ruin it.”
  • Customer trust — Customers want you to protect their privacy. Breaches often involve customer payment and other confidential information.
  • Loss of customers — A breach can create customer turnover of 3.4%. Customers are becoming less accepting of security failures, according to Chief Security Office Online (CSO).
  • Loss of revenue — A loss of customers means loss of revenue. Do the math. Model a 10, 20 and 30 percent loss in revenue. Now do a return on investment (ROI) calculation on the cost of a strong cybersecurity posture.
  • Prospects — Potential leads will be hesitant to trust a business with a history of poor data security.
  • Intellectual property — Losing your secret sauce, client database, etc. could negatively impact the competitiveness of your business, especially if it falls into the hands of your arch-rival.
  • Litigation — You could be subject to litigation by your former client, a class action suit by a group of clients, and even a derivative action against the company’s officers and board of directors.
  • Fines — You could be subject to fines under GDPR and other regulatory regimes.
  • Denial of insurance claim — Check your fine print. More than likely your errors and omissions and cyber policies will not cover the cost of your breach if you did not do “cybersecurity right.”
  • Company value — Virtually all the above will contribute to a reduction in the value of your company.

According to Malcolm Gladwell’s book “The Tipping Point,” the tipping point is “that magic moment when an idea, trend, or social behavior crosses a threshold, tips, and spreads like wildfire.” I believe we have reached a tipping point because trust issues have spread like wildfire and we are crossing the threshold into a new world.

The choice is yours. You can be like everyone else and continue to view cybersecurity as a cost center. Or you can be first to market by seizing the opportunity with both hands and start to emphasize your expertise. The result will be a leadership position in the market. You will succeed by making data security and privacy your new competitive advantage. You will build a new type of customer relationship — one that is win-win for you and your customers. At UN1QUELY we have witnessed this first hand with all of our customers. Let us help your company make the same leap.

Sources:
1. https://www.bizjournals.com/memphis/news/2020/05/20/strong-cybersecurity-can-be-a-revenue-generator.html
2. https://greycastlesecurity.com/blog/turning-your-cybersecurity-program-into-a-revenue-generator/
3. https://cybertheory.io/cybersecurity-5-key-revenue-drivers-for-2020/

About the author and UN1QUELY

What UN1QUELY does is professionally convince your top management to take cybersecurity seriously before it is too late, and teach you how to do it right, long-term, and without burning a hole in your budget.

We do this through three distinct services that cover the entire security program’s needs. A 360 approach, if you will.

We can implement an entire Information Security Management System like ISO 27001 from scratch, get you ready for the certification and teach you how to maintain it on your own. We also implement NIST, SOC2, HIPAA, GDPR, and PCI-DSS requirements if your business is in need.

We can deploy an entire cybersecurity ops team to be your outsourced security engineering department, implement security systems, harden your cloud infrastructure, train your developers in secure coding and SSDLC practices, and drill your entire staff to increase security awareness. And more!

We like to hack things (with consent). We offer a full range of penetration testing services to stress test your SaaS products, platforms, and infrastructure for security vulnerabilities. We go way beyond the industry standard because we love what we do.

If any of these sound like something you or someone you know might need, you now know who to call 🤙🏽