Cyber Security ROI: It may happen sooner than you think

By Seth Jaffe.

You’ve heard it before. Companies are slow to invest in cyber security because they see few returns.[1]  But that is likely to change, and it may occur sooner than we expected.

Let’s first set the context. An executive recently made the comment to me that “cyber security is just another cost of doing business in the modern environment.” And to many institutions, that’s exactly how they see it. A decade or so ago, they did not have to worry about cyber theft, ransomware, or nation state attacks. But now, boards of directors list cyber security as the risk most likely to keep them awake at night. Moreover, even taking the cost out of it, companies are finding it difficult to secure experienced information security personnel.

So where does that leave us? Stuck in an ever-increasing cost overhead? Not likely. Consumers are awakening to the importance of data protection and privacy matters, and they are starting to demand safeguards. That presents quite a marketing opportunity for those at the forefront of the cyber curve. Now is the time to start cashing in.

The trend is beginning among those industries hit the hardest, like financial services. Bank of America proudly displays its Javelin award for Best Overall Identity Safety in Banking. JPMorgan Chase’s security center aims to demonstrate its cyber chops. Granted, neither leads with cyber security as the cornerstone of a marketing campaign…yet. (Then again, it took car companies decades to put cup holders in cars.[2]) Companies will soon realize that security is a market differentiator.

And that’s the take away. Consumers want their stuff protected, and they are willing to further that narrative with their wallets. But don’t take my word for it. Cyber security scorecards and certifications are popping up all over the place. FICO, the entity responsible for your credit score, offers a security rating service. Both the Pentagon and the EU utilize cyber scorecards in making contract decisions.

And don’t forget that Javelin award. The writing is on the wall. Consumers are paying attention to cyber. Those with something to say on information security will have an edge. But don’t forget to involve your legal counsel in any marketing campaign. Blindly promising security of your customers’ personally identifiable information is likely to land you in hot water in the face of an incident.

We are entering a new phase of cyber security, where implementation of well-designed programs by experienced information security professionals will provide a direct return on investment. This is something the board of directors can sink its teeth into, and maybe free up some budget for your information security program.

[1] Exceptions include entities under a consent decree from a regulatory agency, those trying to maintain a certification requiring security controls, and companies vying for a government contract.

[2] In the 80’s, they were flying off the shelves at Autozone. Seems car manufacturers are equally as slow in provisioning cell phone holders.

Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years’ of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.

Comments

Leave a Comment