Tens of billions of dollars each year are spent on cybersecurity, yet cybercriminals continue to succeed. Companies constantly experience negative security events. Cybersecurity failures become public relations, customer relations, and financial problems for companies.
The problem is, many see cybersecurity as a burden that’s required for compliance purposes or is second to other concerns.
Cybersecurity is a complicated issue. However, the discussion of what cybersecurity can do, what it can’t do and how it is perceived is narrowly focused on preventing specific events, with little consideration given to larger business ramifications. Treating each event independently leads to a situation where the answer to each incident is to install a new product or add a new security policy/procedure. Sure, this can triage a threat, but it may not provide business value to the enterprise.
Cost Center or Business Enabler?
For most, the mindset is to treat all cybersecurity endeavors as either a cost center or a cumbersome requirement mandated by regulations. Perceived benefits are to save money cybercriminals might steal, protect an intangible asset such as a trade secret, mitigate negative press and perform damage control associated with a data breach, or prevent a fine levied as the result of non-compliance. More than likely, cybersecurity costs cover all of these potential outcomes. Additionally, dealing with a breach takes resources away from the business as a whole, and can negatively impact business operations.
In many business cases, cybersecurity is considered ‘dead weight’ and a loss, and organizations try to limit the expense as much as possible. Other times, security is a cost that companies expect to pay, much like their insurance or electricity bill, or their rent. Security costs, however, should be thought of as a positive for an enterprise, in that they can enable a function or service you wouldn’t otherwise be able to offer because of security concerns.
There is an alternative – and often overlooked – view of cybersecurity costs. The greatest benefit of a strong, robust cybersecurity effort is that it offers enterprises a competitive advantage.
One Solution, Two Paths
Security can be a competitive advantage because it allows you to be better than your business competitors. If you and your competitors must meet certain security standards (like PCI, HIPAA or GDPR), and if you can do it more efficiently than your competition, your business gains competitive advantage. Additionally, that competitive advantage is further enhanced because a strong cybersecurity program encourages business innovation. You can satisfy customer needs without compromising the overall business or customer and user privacy. Creating trust with your customers can pay dividends. People are more likely to gravitate to businesses that demonstrate they are serious about data security and can protect privacy. Having confidence in your cybersecurity program can allow you to provide better services than your competitors and roll out advanced technologies more quickly and, when managed properly, can reduce overall security costs.
There is another competitive rival, one who doesn’t usually show up in a competitive analysis because this opponent isn’t a direct business competitor. The cybercriminal or attacker isn’t trying to take your customers away, but they do want what you have. Their goal is to steal money, proprietary data or protected information, like credit card numbers. They are competing for these assets, which you want to protect from disclosure just as you protect your proprietary information. They may want to “borrow” some of your resources (for example, secretly use your servers, email resources or storage). The reason attackers are considered competitors is that, often, they are no longer solo hackers, but business entities motivated by profit. An attacker ecosystem establishes divisions of labor, and many elements are run just as a business would be.
This “hacker economy” has the same goal as all businesses: to maximize profits. The professional, organized cybercriminal wants to spend the minimum amount of resources required to generate the highest possible return. Most attackers target organizations that have less robust security. This is one reason small and medium-sized companies are prime targets. If the amount of effort required to breach a target is too high, attackers will set their sights on other objectives that can generate a greater return. Organizations that have a robust cybersecurity program can make themselves less desirable to attack.
Cybersecurity Is a Business Need
Companies build their own competitive advantage. When cybersecurity is a competitive endeavor, it is possible to make logical decisions, and not just be reactive. In the business realm, companies create a strategy to overcome competition. It is time for enterprises and security professionals to take the same approach to cybersecurity to provide competitive advantage against cybercriminals. Stop looking for the boogeyman, and instead look for a competitor. Cybersecurity leaders must create strategies that will protect the enterprise from most attackers and also allow the organization to successfully accomplish its overall mission.