Expense and investment: Two sides of the cybersecurity coin
James Thorpe
In 2023 alone, cyber-crime is said to have cost UK firms over £30.5 billion, writes Ilia Sotnikov, Security Strategist, Netwrix.
Because the stakes are so high, security architecture must be an integral part of any financial risk mitigation strategy.
Indeed, more and more executives are starting to treat the costs associated with cybersecurity as an investment rather than an expense.
This article discusses how cybersecurity expenditure delivers a return on investment (ROI) and becomes a business enabler for the organisation.
Cybersecurity ROI foundations
For an expenditure to be labelled an investment, it must deliver a substantial return.
In the case of cybersecurity expenditures, organisations need to consider the following for ROI:
- Saving money by limiting ongoing costs
- Enabling adherence to internal policies, contractual obligations and industry and government regulations
- Limiting business risk by thwarting cyber-attacks and limiting their impact
- Enabling a competitive advantage by ensuring stable operations and the ability to pursue new business opportunities
ROI through reduced cyber insurance costs
Many organisations today choose to transfer the risk of financial loss from cyber-attacks to an insurance provider via cyber insurance.
Indeed, a survey by Netwrix revealed that 59% of organisations are either already insured or plan to purchase a policy within the next 12 months.
Improving cybersecurity is often necessary to reduce the cost of cyber insurance — or to be eligible for a policy at all.
Indeed, half of organisations with cyber insurance reported that they had implemented additional security measures to qualify for the policy or reduce its cost.
In fact, we have seen instances in which a company invested more than $1m in a privileged access management (PAM) solution because it reduced their premium by more than that amount — delivering a clear ROI and making the investment nature of a cybersecurity tool quite obvious.
ROI through improved productivity and reduced IT workload
Many cybersecurity solutions facilitate business operations while protecting the organisation.
For example, implementing a password management solution streamlines user access to resources by automatically entering a user’s credentials whenever they need to log on.
Plus, by securely storing user passwords, these tools can dramatically reduce the volume of helpdesk tickets.
Adopting an identity and access management (IAM) solution also delivers business benefits.
In particular, it can quickly and accurately provision new users with access to the systems, data and applications they need.
As a result, new employees can be productive from their very first day, with far less effort on the part of the IT team.
How to position cybersecurity as an investment
Business leaders will be more inclined to embrace a new cybersecurity tool if they perceive it as an investment.
A CISO, CTO, IT director or other person fighting for a cybersecurity budget might find the following strategies helpful:
- Align the IT security risk management plan with the organisation’s overall business risk management program
- Provide a clear and actionable plan for reducing IT risks using the requested budget
- Establish connections with other executive team members and business unit leaders to ensure that security is part of the high-level discussions for every new initiative
- Create the cybersecurity investment case at the beginning of a project, as it will be much harder to claim credit for benefits afterward
- Start with simple discussions and then move on to more complex ROI discussions
Make the change today
As technology becomes ubiquitous in all aspects of society, organisations are speeding up their digital transformations to maximise agility, efficiency and productivity as well as enable better customer experiences and data-driven decision-making.
Security is crucial in this digital transformation and should be credited for its returns.
Newer organisations tend to be quite receptive to the idea of cybersecurity as an investment because their leaders are used to existing in the modern high-threat environment.
But organisations with a longer history, regardless of sector, often need more time to digest the idea of being at high cyber-risk.
Rome was not built in a day, but it did get built. The right time to begin this transition is now.