During Facebook’s recent earnings call, CEO Mark Zuckerberg informed investors that profitability would be impacted because of significant cybersecurity spending. Is it time for all of us to rethink the value of cybersecurity spend?
Cybersecurity has been a board-level topic for a few years now, especially with all the recent breaches glutting the media. The conversations vary, but the focus for the board has been on whether cybersecurity programs are effective at mitigating breaches. Facebook’s pronouncement elevates the discussion from risk mitigation to financial impact and company profitability.
On some levels, this has been a slow evolution. Many companies say they continue to invest more and more in cybersecurity programs, but very few have raised the discussion to one that publicly links these investments to profitability. This raises the stakes for boards of directors across the industry while also raising a question: should companies be investing more, or have they reached a stage at which it’s important to make investors aware of the potential impact on profitability?
The Case for ROI
I raise for your consideration a second point of view: can ROI be brought into the conversation rather than treating cybersecurity programs purely as a material investment or cost? In my experience, some companies can make such a case.
During one of my tenures as a CISO, my company was looking for ways to meet new customer requirements that would further increase cybersecurity spend in the future. We evaluated two options. The first was simply to agree to these new terms. The second was to negotiate by pointing out that the current cybersecurity program had the proper investments and controls to meet the risks of the clients.
During this analysis, I ultimately envisioned a new way to look at my cybersecurity program. The new requirements being requested by this Fortune 100 company were setting a precedent for the industry my company operated in. If I agreed to these terms, my competitors would need to do the same in the future if they wanted to compete for this client.
I quickly agreed. I then began working with sales and marketing teams to get the word out. My cybersecurity investments got a fresh evaluation. We began to invest in cybersecurity more—not simply as an increased cost, but with the additional considerations of competitive differentiation and building consumer trust.
What has become clear is that cyber programs continue to rise in both cost and importance for many companies. As organizations continue to innovate, go digital, and reach new markets with their products, cybersecurity will be an increasingly essential part of the strategy for reaching consumers in a trustworthy manner.
What’s more, all of this makes it clear that today’s CISOs must embrace the dollars-and-cents conversations with the board. I also believe it’s time that cyber investments include ROI strategies to best position these programs beyond merely being part of a risk-management strategy.