Security has historically been seen as a cost center, which has led to it being given as little money as possible. Many CISOs, CSOs, and CROs fed into that image by primarily talking in terms of disaster avoidance, such as data breaches hurting the enterprise and ransomware potentially shutting it down.
But what if security presented itself instead as a way to boost revenue and increase market share? That could easily shift those financial discussions into something much more comfortable.
For example, Apple touted its investments into the secure enclave to claim that it offers users better privacy. Specifically, the company argued that it couldn’t reveal information to federal authorities because the enclave was just that secure. Apple turned that into a powerful competitive argument against rival Google, creator of Android, which makes much of its revenue by monetizing users’ data.
In another scenario, bank regulations require financial institutions to reimburse customers who are victimized by fraudsters, but they carve out an exception for wire fraud. Say one bank realizes that covering all fraud — even though it is not required to do so — could be a powerful differentiator that would boost its market share by supporting customers better than competitors do. How can the bank afford to do this? It increases security investments to the point where the projected fraud losses are materially less than the projected increase in revenue.
Or look at the case of a cloud provider, which could differentiate itself from most major cloud providers by improving uptime performance by focusing on reducing DDoS attack damage. Even further afield, an agriculture company that invested in better security could improve trust and bring in more partners, thus expanding into lucrative new markets. A wide range of companies can make the case for improving overall business performance by improving cybersecurity.
Case Study: Brokering Cyber Insurance
Another example of leveraging security to explicitly boost revenue comes from Marsh McLennan, a $10 billion business that bills itself as the world’s largest insurance broker.
One of the biggest recent trends in cybersecurity insurance are insurance companies refusing to insure many enterprises because the enterprise does not have security that meets the strict requirements of that insurer. Although this does limit their potential losses, it also immediately threatens insurance companies’ revenue because of the loss of premium income.
To maximize the number of companies that it can deliver to insurance companies, and thereby maintain its own revenue, Marsh evaluates companies. When a company’s security profile isn’t sufficient, Marsh taps its security company partners to bring that potential client’s security profile up to where it qualifies for a policy with the insurance company. That’s good for the company because it is able to get insurance and it enjoys better security; it’s good for the insurance company because it gets the premium revenue; and it’s good for Marsh, which makes a proper and successful referral.
“We look at the client relationship as a holistic lifecycle. Placing insurance is our bread and butter,” says Katherine Keefe, leader of cyber incident management at Marsh. “Our clients need support in readiness. How to prepare, how to develop an incident response plan, tabletop exercises. We provide them with tools and solutions and support cyber preparation.”
Shifting From Defense to Growth
Stephen Boyce, executive global information security leader at Magnet Forensic, argues that when enterprise security executives focus on what prospects care about, and therefore help with revenue and market share, it can be the single most effective way to improve the security posture.
“What it does is create a shift in the relationship dynamic between the CISO and the CFO, and potentially the rest of the C-level team,” Boyce says.
This does indeed have the potential to change the relationship dynamic, but SailPoint CISO Rex Booth stresses that such a change can only happen if the enterprise is ready for it. And, he adds, many are not yet.
“For way too long, security has been [focused] on conflict, where it should be an enabling function,” Booth says. “And that does require a shift in the relationship dynamic of the CISO, a role that has traditionally been seen as purely risk reduction.
“This needs to happen at the proportion of companies that are mature enough to take their CISO and dual-hat them into not only a security role, but a revenue-generating role. Some are migrating in this direction, but most organizations are not there yet.”
Proving Value by Improving the Business
Still, Booth points out that there are pros and cons at play here. The argument against such a change — or at least slowing it way down — is that security departments today are severely underbudgeted, which means they are understaffed and find it difficult to properly defend the enterprise. That suggests that attempts to support sales will further dilute their attention and make a bad situation potentially worse.
The counter to that is that underbudgeted security operations are likely to always be underbudgeted. By making periodic moves to help sales — maybe just once or twice a year — it could illustrate to the CFO, the COO, the CEO, and the board the potential for using security to help with the bottom line. And, in theory, that could meaningfully contribute to security being budgeted a little better, which itself could be a huge help in defending the enterprise.
That is even more critical given that the core efforts of security are often difficult to prove from a value ROI perspective.
“If I do everything right from a security perspective, there’s no way for me to tell the board ‘I saved you $2M because of those ransomware events that never happened,'” Booth says.
The goal should go beyond getting prospects to convert to customers and increasing market share and needs to include customer retention, argues Bob Hansmann, the cyber risk and security product marketing leader for Infoblox.
“The enterprise needs to make sure that the services are not just up and available, but that they run smoothly,” Hansmann says. “And security is the unit that is best positioned — in terms of experience, talent, and tools — to make that happen.”
