Over the past few years, the security landscape has changed rapidly because of an increase in information on private and public networks and in cybersecurity incidents. While cybersecurity is becoming the number one risk for company boards, companies that meet cybersecurity regulations and standards often fail to present these efforts as a differentiator and competitive advantage.
Take Apple for instance – since Tim Cook penned an open letter on privacy back in 2014, they have positioned themselves as the most privacy-sensitive big tech company. Their incessant promotion of this strategy and success in differentiating their new operating systems from Android and Windows has helped them become one of the most valuable companies in the world.
Despite Apple’s success, most companies struggle to think strategically about their cybersecurity initiatives. One of the common themes with our clients is insufficient resources in the security space – whether that be people, investment in tools, etc. More than half of companies report they are not investing enough in information security (World Economic Forum, 2012) and less than half of top executives understand the time and resources needed to mitigate risk and minimize cybersecurity exposure (Report: Cybersecurity Challenges, Risks, Trends, and Impacts – Survey Findings, 2016). There is a disconnect between top-level executives, company boards, and the people in their organization performing security work.
To change this, a mindset shift must occur, away from cybersecurity as a cost of doing business and toward cybersecurity as a business enabler, which is easier said than done. For starters, ROI on security investments is notoriously difficult to provide (Bonenfant, 2020). Additionally, measures like reduced risk posture and avoidance of fines for not adhering to regulations are the equivalent of selling insurance, which can be hard to quantify, and if we’re being honest – no one is ever excited to buy more insurance!
What if there was a better way to look at your company’s cybersecurity profile and articulate its value to the business? Aligning to the business outcomes of the company allows your executives to view these investments as business drivers. Cybersecurity has often been viewed as the brakes on a car moving forward, but viewed through this lens, a good cyber program is not only a top-of-the-line set of brakes but also adds more horsepower to the engine.
Take one example from an Infinitive customer – a technology risk program increased the speed of their process and frameworks in getting new products to market by aligning with their business partners. As a result, the technology risk program helped the business acquire new companies to build additional customer offerings faster. They are an excellent example of building out top-of-the-line brakes that allow them to go even faster than they would otherwise.
There are other benefits to think about, beyond avoidance of fines and penalties, that allow you to align your program to the business. Customer experience and retention are hot topics across every industry right now. Can you confidently say your risk and security profile would be a differentiator for customers in the marketplace, similar to what we’re seeing with Apple? What about your organization’s ability to provide services when there is an outage or when things need to be shut down to respond to inevitable threats?
In 2021, we saw service outages at several high-profile brokerages during the GameStop and AMC retail investors craze. Just a few weeks ago, if you were a Coinbase customer, you couldn’t access services in your account because of the deluge of users flooding to the app during the crypto sell-off.
Resiliency and customer experience ARE business outcomes and are directly related to, and impacted by, cybersecurity. Another customer example – a large media organization determined that, to better compete in a crowded news and media space, they needed to ensure that should the “unthinkable happen” there was a strategy in place to get up and running. They prioritized a cybersecurity response plan at an executive level to shorten outage periods, expedite the recovery process and protect their advertising revenue.
During this project, executives were able to better understand how interconnected cybersecurity is to their business. Questions around communicating to advertising partners in the event something disastrous happens led to thinking around “how do we tout this as a business differentiator in a crowded media landscape?” If you were an advertiser looking to partner with a media company, how quickly a company can get up and running and ensure your ad airs may be a factor in where you take your ad money.
Those questions are the sign of a maturing cybersecurity organization and one closely aligned with the business. Infinitive has helped customers across several verticals look critically at their existing risk and security postures and align them with business outcomes to drive results. Cyber programs should not solely be seen as insurance in case something bad happens. Today, there are opportunities to leverage them to meaningfully differentiate, and in the upcoming years the companies that best do that will be the ones that survive. For more information, contact us today.