Cybersecurity Emerges As a Business Growth Driver

When the latest Cost of a Data Breach study came out, it was no surprise that the toll of attacks had hit a new record high. The average cost in lost business and remediation costs had grown to an average of $4.35 million per incident worldwide.[1] 

But perhaps more telling is a statistic from a report published by the IBM Institute for Business Value (IBV) and Oxford Economics in November 2022: two-thirds of business leaders now see cybersecurity as primarily a revenue enabler.[2] Based on a global survey of 2,300 business, technology, and cybersecurity executives, the research also revealed that nine out of ten of those working in the most cyber-mature cyber organizations viewed cybersecurity as such a facilitator of growth.

Organizations that build effective cybersecurity functions view the investment as more than an expense to be managed; they recognize its business value. An overwhelming majority (86%) of respondents to Deloitte’s 2023 Global Future of Cyber Survey said that cyber initiatives had made a significant, positive contribution to at least one key business priority.[3] Many of the most high-performing cyber organizations polled reported positive impacts from their cyber initiatives on brand reputation, customer trust, revenue, operational stability, talent recruitment and retention, and long-term sustainability. “Cyber is evolving into a distinct functional area of the business, transcending its traditional IT roots and becoming an essential part of the framework for delivering business outcomes,” the Deloitte report explained.

That’s good news for security and technology leaders. The recent Mimecast survey, Behind the Screens; The Board’s Evolving Perceptions of Cyber Risk, found most security leaders said they are targeting a budget increase of 10% to 20%, and are confident they can get it. But to make it happen, particularly in these times of economic uncertainty and cautious spending, they need to speak to their corporate stakeholders in their language: business performance.  As one CTO interviewed for the Mimecast study explained, that requires setting aside technical expertise and having to “open up my business brain” to explain the value cybersecurity brings to the enterprise. 

Selling Cybersecurity: Accentuate the Positive

Security professionals are learning to reframe cybersecurity as a value driver that can yield top- and bottom-line growth, rather than merely a cost of doing business. By avoiding a number of aftereffects that ripple through an organization following a breach, cybersecurity can have a positive impact on business results that often can be presented as a concrete number. Some examples include:

Uptime and Ongoing Business Operations

The effect of cyberattacks on uptime is an obvious impact, and one that is increasingly worrying as more companies rely on digital operations. Indeed, 76% of corporations cited security and data breaches as the top cause of server, operating system, application, and network downtime, according to a 2022 survey by Information Technology Intelligent Consulting (ITIC).[4] If the network is unavailable due to a denial of service (DoS) attack or data is encrypted in a ransomware incident, the meter is running. The average cost of an hour of downtime exceeds $300,000 for 91% of enterprises, according to the ITIC survey.[5] One global apparel manufacturer announced that it lost $100 million in sales when a ransomware attack left it unable to fulfill orders during the key back-to-school season.[6]

Logically, then, savvy cybersecurity and IT leaders can make the business case for investments that keep networks, systems, and data online and enable uninterrupted business operations. Six in ten of the highest performing cybersecurity organizations said their cyber initiatives had improved their operational stability, according to the Deloitte survey.[7]

Reduced Operating Costs

The faster a breach is contained and dealt with, the less the financial impact. While the average time to contain a breach is 277 days, those that were halted in less than 200 days cost on average $1.12 million less.[8] Besides the cost of cleaning up after a breach, organizations can find a long tail of extra expenses following an attack. The Cost of a Data Breach report report found 60% of organizations that suffered a breach had to increase the price of their products or services as a result.[9]

Regulators are increasingly willing to levy fines against companies that are judged to have been lax in protecting their data.[10] And, in the case of data breaches that affect the public, class-action lawsuits usually follow; even the American Bar Association has been sued over a breach.[11] Additionally, cyber insurance premiums, already on an upswing, can increase after an incident.[12]

The avoidance of these significant costs can form the basis of a robust financial argument for investing in effective and high-speed defense and remediation tools, preferably automated ones. 

Brand Reputation and Customer Trust
This is less quantifiable in the short term, but can be seen in the long run, as customers and partners steer clear of a company that’s suffered a breach. Mimecast’s Brand Trust survey found around six in ten consumers said they would lose trust in their favorite brand if their information were compromised in a data breach, and more than half (57%) would stop spending on that brand if it suffered a phishing attack. Only poor customer service or an environmental disaster turn off more consumers; even a scandal affecting the company CEO would not have nearly as negative an effect on the organization’s reputation, according to the Cost of a Data Breach report, which calculated customer churn can increase up to 7% after a breach.[13]

On the flip side, more than 60% of high-performing cybersecurity organizations reported that their cyber initiatives had a positive impact on brand reputation (64%), customer trust and brand impact (62%), and digital trust among customers and employees (62%), in the Deloitte survey.[14] There’s a clear case to be made that effective cybersecurity protections not only safeguard a company’s reputation but can boost its standing among customers and partners.

Stock Price

It’s not just the loss of reputation that can sting a company. Cyber incidents can also hurt its position in financial markets. One study found that the stock of public companies took a hit in the months following a data breach.[15] The Deloitte report noted the inverse impact of effective cyber defenses. Nearly half (47%) of organizations with high cybersecurity maturity reported that their cyber initiatives yielded a positive impact on their share prices.[16]

Credit Ratings

Most major credit ratings companies now factor in cybersecurity when evaluating a company’s credit risk, which in turn determines their ability to borrow and issue bonds to fund operations, as well as the cost of carrying that debt. Analysts at major credit ratings firms have downgraded companies and government agencies following cyberattacks due to the financial impact of the incident or the inability of the company to make information available due to resulting outages.[17]

Revenues, Resilience, and Agility

Robust cybersecurity can also have a measurable impact on top-line growth. The IBV report found that mature cybersecurity organizations experienced a 43% higher revenue growth rate over five years than the least mature cybersecurity organizations. Likewise, nearly half (47%) of respondents in organizations with high cybersecurity maturity noted that their cyber investments had a positive impact on revenue growth, in the Deloitte survey.[18] In addition, 59% of the same respondents reported positive impacts on agility, and 57% reported greater resiliency.

Aligning Cyber and Business Strategy 

It’s time to start seeing cybersecurity as a growth factor for organizations, rather than a defensive cost of doing business. While sometimes challenging to quantify, cybersecurity can be presented to decision makers as a business investment with real returns. Security and technology leaders need to clearly communicate the critical role cybersecurity strategy plays in business operations to ensure continuing support. 

As the CISO of a major shoe manufacturer explained, every cybersecurity decision his team makes should align with business strategy, noting that the company is in the shoe business not the security business. To that end, he always asks himself: “Am I investing just for security purposes or is it actually going to add value to the business objectives?”

The Bottom Line 

The connection between cyber initiatives and positive business outcomes is becoming clearer. Making the case for cyber security and risk management as a driver of positive business outcomes can only help organizations grow, both in terms of cybersecurity maturity and overall business performance. Read Mimecast’s Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk to learn about the board of directors’ role in managing cyber risk and how security professionals are educating board members about the impact of cybersecurity on business outcomes.

[1] “Cost of a Data Breach Report 2022,” IBM Security/Ponemon Institute 

[2] “Prosper in the Cyber Economy,” IBM Institute for Business Value report 

[3] “2023 Global Future of Cyber Survey,” Deloitte 

[4] “ITIC’s latest 2022 Global Server Hardware Security survey,” Information Technology Intelligent Consulting

[5] “Average Cost of Downtime Per Industry,” SolarWinds Pingdom 

[6] “Ransomware attack cost Hanesbrands $100 million in sales,” Winston-Salem Journal

[7] “2023 Global Future of Cyber Survey,” Deloitte

[8] “Cost of a Data Breach Report 2022,” IBM Security/Ponemon Institute 

[9] “Cost of a Data Breach Report 2022,” IBM Security/Ponemon Institute 

[10] “Fines for Data Breaches Soar,” Accounting and Business Magazine

[11] “American Bar Association class action claims data breach affected 1.3M members,” Top Class Actions,

[12] “US Cyber Insurers See Favorable Premium Growth, Results in 2023,” Fitch Ratings

[13] Cost of a Data Breach Report 2022, IBM Security/Ponemon Institute 

[14] “2023 Global Future of Cyber Survey,” Deloitte

[15] “How data breaches affect stock market share prices,” Comparitech blog

[16] “2023 Global Future of Cyber Survey,” Deloitte

[17] “Credit-Raters Look More Carefully at How Companies Respond to Cyberattacks,” WSJ.com 

[18] “2023 Global Future of Cyber Survey,” Deloitte