Insights from the cybersecurity trenches: Security is essential as a defensive strategy, but it’s also good for business

By Justin Haney, North America Cybersecurity Lead, Avanade

We all know cybersecurity protects data and assets and provides risk mitigation, but what other benefits does a solid cybersecurity infrastructure deliver? In addition to driving efficient essential business operations, companies should also look at cybersecurity as a vital capability to maintain a sustainable competitive advantage. According to a report by Accenture, those organizations that closely align their cybersecurity programs to business objectives are 18% more likely to increase their ability to drive revenue growth, increase market share and improve customer satisfaction, trust and employee productivity. The most cyber-resilient businesses, products, and services ensure protection while enhancing workforce and customer experience, both of which are factors that drive an increase in business metrics.

Let’s take a closer look at what a strong posture can do:

  • Establish and maintain trust and credibility. The Accenture study showed that companies are tuning in to this critical factor: limiting the damage of a breach to its brand and customer satisfaction scores was identified by 50% of respondents as the most important consideration following a breach. But they may not be doing enough to stay ahead of breaches in the first place. Certifications and website verifications are good but merely foundational; they’re narrow in scope and don’t go as deep as a carefully curated selection of specialized cybersecurity solutions and an effective secure architecture. Demonstrate that you’re securing the lifecycle of the product or service you’re delivering, especially in industries with longer supply/value chains. That will establish your commitment to hold and protect customer data, to view their key business values as your own and to safeguard their business continuity.
  • Improve bottom line by protecting valuable data. There has always been a financial risk to data breaches or lack of compliance, but with software now running the world, the risk has never been higher. Compounding that is the fact that experimentation with generative AI is rapidly increasing, and bad actors have the same access to advanced technologies as we do (usually with more time on their hands to grow their knowledge and do harm). For every industry, the more that cybersecurity measures are viewed as a business enabler, the better, and it must be a key component of pushing the innovation envelope in the name of growth objectives. On average, companies with a more mature cybersecurity posture report 26% lower cost of breaches and cybersecurity incidents in the past 12 months than laggards, which is more than a quarter of all costs that could be allocated across the enterprise to optimize operations, fuel growth and improve resilience.
  • Support ESG agenda. According to J.P. Morgan, “While cybersecurity has mainly been viewed as a technology issue, it is now also regarded as a key environmental, social and governance (ESG) concern, giving insight into cyber behaviors and risks which form a critical part of the bigger ESG picture.” Depending on the industry, cybersecurity can be a key component across all three ESG pillars, and having a sustainable business means protecting the company, those who are a part of it, and its effect on the community. In short, socially conscious investors want to do business with like-minded companies. A robust cybersecurity program supports the kind of information sharing, collaboration and innovation that signals to them a mature ESG program. Companies will need to measure cybersecurity as part of their ESG agenda to support more positive investor relations.
  • Move beyond compliance to resiliency. Compliance is a great measure of potential gaps based on best practices in any given industry, but it can never fully account for business impact and your ability to deliver on organizational outcomes. Cybersecurity should no longer be confined to the realm of IT; it needs to be understood in the context of its impact on legal, finance, operations, and other major functions driving the business. Moving to resilience will help companies understand their capacity to identify, protect, detect, respond, and recover from cyber incidents, as not every threat can be prevented, nor can every risk be completely mitigated. Companies must include cybersecurity as an integral part of the overall risk equation, usually as a percentage of revenue to protect. (And I typically see greater ROI by mitigating risk rather than transferring the risk by purchasing cyber insurance.)

Too often I’ve seen security discussions driven down to just technical aspects (firewalls, multi-factor ID, password strength) instead of being viewed as the digital stewardship conversations that they must be. Indeed, only 35% of the Accenture study respondents consider cybersecurity risk “to a great extent” when evaluating overall enterprise risk; this highlights that there is still some way to go to make cybersecurity a proactive, strategic necessity within the business.

Yet, I’m encouraged to see CISOs (gradually) becoming part of the legal or finance teams, or even the Board or reporting to the CEO. It feels like a new era of shaping the right internal perspective, which is that security should be embedded by design into a company’s operations and culture just as an automobile manufacturer considers the brakes, airbags, cameras and other safety features in a car. Companies that take this perspective not only protect their own and their customers’ data, but they also create a culture of trust that fosters stronger customer relationships and increased loyalty, ultimately driving positive financial performance and overall business performance.

