For this to happen – and for the argument in favor of cyber security investment to stack up at board level – the following must be true:
Investing in security will enable our organization to capture more value from its business model.
Until recently, such attempts to brand security as an enabler have been rather clumsy, focusing on streamlining security or baking it into IT at an early stage of the lifecycle to reduce cost and complexity. The problem is, this is just an insurance policy – it does not provide the capability to withstand the evolving threat ecosystem and the threat actors who operate in it.
By 2018, the underlying fundamentals of business had changed to the point where security is essential to enabling growth and success. Looking at the relationship between security and sales, productivity, C-level decision-making, IT and marketing, what do we know about the clear role that security has to play?
1) Strong security will enable you to win customers and retain customer loyalty
Across several B2B and B2C sectors, from finance to pharma, recruitment to retail, having a trusted and provable security posture is an essential requirement for new customers to do business with you. This has often been posited, and it was recently supported by a Vodafone survey in which 90% of businesses said strong cyber security would help their reputation in the market, attract new customers, and improve customer loyalty.
Put simply, better security leads to stronger sales and greater customer retention.
2) A detection and response program will relax restrictive preventative controls, increase productivity, and reduce shadow IT
This is a perennial problem for the InfoSec industry, and particularly for CISOs. Their businesses employ smart people who are capable of rapid innovation, but who are often held back by restrictive checks and balances from the security team. "Sure, you can give that software a trial, but we'll have to audit it first." Or, "Collaboration is a great idea, but can you wait until we've tested the platform before you go ahead?"
With the vast majority of security budgets being historically allocated to preventative controls, it's no wonder that this has led to a shadow IT culture where smart, innovative employees simply bypass corporate systems and do it themselves, which – of course – actually increases the security risk.
Given the issues with the effectiveness of preventative controls – and that a determined attacker can usually find a way around them – Gartner forecasts a 60% shift in budget from 'prevention' to 'detection and response'. This is a golden opportunity for security departments to relax their restrictive posture and support the business in flexibility and innovation, confident that if there is a breach, it will be detected and contained before it results in material impact. The caveat is that this confidence has to be earned: detection and response only substitutes for prevention where the telemetry, the tooling and the people to act on alerts quickly are actually in place.
3) Strong security will give confidence to the business when expanding into new territories or markets
Arguably this is just a way of spinning security-as-an-insurance policy... but is it?
When firms are looking to capitalize on first-mover advantage, launch a new product or enter a new territory, rapid and confident decision-making from the senior leadership team can make or break such a play. Having a security posture that will enable the firm to withstand new – and possibly more capable – threat-actor interest, moves 'security' from 'weakness and threat' to 'strength and opportunity' during the board-level SWOT analysis, and will enable the firm to de-risk some of its more progressive decisions.
What does this mean in practice? That a business underpinned by a mature security posture will be able to outmaneuver its competition. That’s some insurance policy.
4) Modern security is reliant on vast quantities of data that can optimize the wider business
Security used to be about applying policies, signatures and controls, but effective security – particularly in the world of attack detection – is now reliant on complete visibility of everything that happens on an IT estate in order to detect the unknown unknowns, targeted attacks, and malicious activity using legitimate IT functionality.
In fact, security teams sometimes have a better view of IT than the IT team. This insight can be used for network optimization by tuning the performance of existing assets, but also for detecting the use of shadow IT in a way that central IT cannot, since the same proxy, DNS and endpoint telemetry that feeds attack detection also shows which unsanctioned services staff are actually using. Security can therefore give the business an advance view of what its mid-to-long-term IT requirements might look like based on its shadow IT usage, which is normally the result of innovative staff doing innovative things.
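The shadow-IT point above is the one place in this argument where the security team's telemetry does concrete work, so here is an added illustration (not code from the original article, and not a product's own logic) of how the same web-proxy data collected for attack detection can be turned into a shadow-IT report for the business. The log format, the sanctioned-domain list and the SaaS catalogue are all hypothetical and constructed for the example; in practice they would come from the proxy vendor, the SSO application inventory and a CMDB, and the registrable-domain logic should use the Public Suffix List rather than the naive two-label rule used here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of web-proxy log lines (not real data).
# Fields: timestamp user src_ip method host bytes_out
SAMPLE_LOG = """\
2018-03-12T09:01:12Z alice 10.1.4.22 POST api.slack.com 18322
2018-03-12T09:02:40Z bob 10.1.4.23 GET mail.corp.example 1200
2018-03-12T09:03:01Z alice 10.1.4.22 PUT upload.wetransfer.com 52428800
2018-03-12T09:05:19Z carol 10.1.7.90 POST app.trello.com 4096
2018-03-12T09:06:02Z dave 10.1.7.91 POST app.trello.com 8192
2018-03-12T09:07:44Z bob 10.1.4.23 GET cdn.jsdelivr.net 30210
2018-03-12T09:09:10Z carol 10.1.7.90 PUT files.dropbox.com 104857600
2018-03-12T09:10:00Z eve 10.1.9.5 POST sharepoint.corp.example 7000
malformed line that should be skipped
"""

# Hypothetical sanctioned domains (assumed; in practice, the SSO app inventory / CMDB).
SANCTIONED = {"corp.example", "slack.com"}

# Hypothetical catalogue of third-party SaaS domains worth reporting on (assumed).
SAAS_CATALOGUE = {
    "wetransfer.com": "file transfer",
    "dropbox.com": "cloud storage",
    "trello.com": "collaboration",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")


def registrable(host):
    # Naive registrable domain: last two labels. Fine for the constructed
    # catalogue above; a real deployment should use the Public Suffix List.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_sanctioned(host):
    # A host is sanctioned if it is, or is a subdomain of, a sanctioned domain.
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SANCTIONED)


@dataclass
class Finding:
    category: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0  # upload volume is the best proxy for data leaving the estate


def shadow_it_report(log_text, min_users=1):
    """Aggregate unsanctioned SaaS usage per registrable domain.

    Malformed lines are skipped rather than aborting the run, because proxy
    logs are never perfectly clean. Domains used by fewer than `min_users`
    distinct users are dropped so one-off experiments do not drown out real
    team-wide adoption.
    """
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, user, _ip, method, host, size = m.groups()
        if is_sanctioned(host):
            continue
        domain = registrable(host)
        category = SAAS_CATALOGUE.get(domain)
        if category is None:
            continue  # CDNs, ad networks etc. are noise for this report
        f = findings.setdefault(domain, Finding(category))
        f.users.add(user)
        f.requests += 1
        if method in ("POST", "PUT"):
            f.bytes_out += int(size)
    return {d: f for d, f in findings.items() if len(f.users) >= min_users}


def rank_by_egress(report):
    """Return (domain, bytes_out) pairs, largest upload volume first."""
    return sorted(((d, f.bytes_out) for d, f in report.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    report = shadow_it_report(SAMPLE_LOG)
    for domain, total in rank_by_egress(report):
        f = report[domain]
        print(f"{domain:16} {f.category:14} users={sorted(f.users)} "
              f"requests={f.requests} bytes_out={total}")
```

Run as-is, the report ranks Dropbox and WeTransfer uploads above Trello, which is exactly the ordering a CISO wants when deciding which shadow-IT service is a data-exfiltration concern and which is a sign that a team needs a sanctioned collaboration tool. Raising `min_users` to 2 narrows the output to services with team-wide adoption, the signal the article treats as a preview of future IT requirements.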
5) A well-handled security breach can actually boost brand equity
It's always assumed that a security breach will result in negative publicity and loss of consumer confidence, followed by customer churn or difficulties in acquiring new business.
But does this always have to be the case? What if a well-handled security breach could actually reflect well on a business? Examples where this has happened are still thin on the ground, but it is worth considering the aftermath of the incident at Cloudflare. This was a business subject to a significant breach that could have resulted in irreparable damage to the company and its revenue. However, because the breach was handled and communicated to customers and the public with full transparency – along with published mitigation plans and rapid action – instead of suffering long-term damage, Cloudflare was able to add the values of honesty, adaptability and 'doing difficult things well' to its brand equity.
Security will never be 100% effective, and this example suggests that society is starting to accept that fact, even responding positively to a breach if it is handled in the right way.
Does this mean we can view security as a profit center?
Perhaps not quite yet, but it is clear that times have changed. As an industry and as a function, security should start thinking about being a lot more creative in how it communicates its value to the rest of the business. The five points above show that security can generate a genuine positive return by enabling the business to be better at what it does, innovate faster, and even give it the edge in a competitive market.