Anthony Quinn, CEO of Acumen Cyber, shares how risk and security professionals can demonstrate the value of cyber security investments, to justify budgets and get continued C-suite support

How do you measure the ROI of nothing?

This sounds like a question for physicists, but it’s an issue risk managers and security professionals encounter daily when justifying their cyber budgets.

When a cyber security program is running effectively, there are no data breaches or ransomware attacks. There are no customer complaints, regulatory fines, lawsuits or insurance claims.

Instead, cyber security runs smoothly in the background, weaved into the fabric of the business, keeping everything safe, without anyone giving it a second thought.

But, for executives and board members, this silence can set off alarm bells.

With no evident return to the business, why is their investment in cyber defences so high?

It doesn’t directly bring in customers, it doesn’t generate sales and it doesn’t impact revenues, but it absorbs thousands every year.

So, what is the point in making such a large investment when the benefits to business are seemingly invisible?

This is a question business leaders ask every day, but it doesn’t demonstrate an acute eye for accounting. It highlights a lack of awareness of cyber crime that must be urgently addressed.

The cost of cyber crime

Money is the universal language of the boardroom, so rather than focussing on budgets spent protecting against threats, let’s think about how much these defences have saved the business.

Cyber crime costs the UK economy £27 billion every year, while half of UK businesses have suffered a cyber attack in the last year.

On the global side this figure jumps significantly, with IBM’s recent Cost of a Data Breach report revealing that the average cost of a data breach today has risen to $4.88 million.

This is a ten percent increase in comparison with 2023 and the highest figure ever reported.

These costs cover rebuilding data and systems, the productivity lost to outages, regulatory fines, and support for customers in the aftermath of attacks.

But, when it comes to ransomware, these are only the more tangible costs, the ones that can be calculated. There is also the erosion of customer trust, the loss of competitive advantage, the reputational damage, and the shattering of business continuity.

How much would it cost an organisation if they could no longer produce their products? How much would they lose if their customers were forced over to their competitors because they could no longer supply a service? What would happen if they could no longer access their payment system to pay employees?

These are some of the outcomes that organisations frequently face in the aftermath of attacks today.

Cyber attacks are no longer technical problems that can be remediated with routine security updates. Their costs are skyrocketing and their blast radius is no longer siloed to IT assets.

Business continuity is their number one victim, so executives should never ignore this risk or see cyber defences as an unnecessary absorption of costs.

There is also a common misconception that cyber insurance will provide a barrier against financial losses in the wake of attacks, but this is only the case when organisations are taking proactive steps to protect their assets.

No insurer will ever pay out if an organisation can’t demonstrate it is working effectively to defend its environment.

Demonstrating the ROI of security

While no news tends to be good news in the security world, this eerie silence can also lull boards and executives into a false sense of security that cyber isn’t a threat to their business.

When this happens, leadership teams question investments, and security teams must work hard to justify the costs. But these situations can be avoided entirely when security teams are more transparent and open on cyber.

This means ensuring cyber is regularly featured on risk registers and management information reports so senior leadership teams can understand it fully.

What attacks were prevented? What damage could these have done to the business? How is cyber impacting competitors? What type of threat activity is circulating online that could put the organisation at risk?

Without this depth of information, it becomes impossible for business leaders to really understand the outcomes and benefits of cyber spending.

Cyber teams should also spearhead employee training and incident response planning, so executives understand their roles and responsibilities in the wake of attacks and have a clearer picture of how attacks can affect their organisation across all functions.

Cyber security is a safety net around the organisation, which protects its employees, customers, data, operations and success.

Next steps for risk managers

To demonstrate the ROI of cyber, risk managers should:

  1. Communicate to executives and the C-suite on cyber regularly, providing updates on the attacks that have been prevented and how these could have impacted the organisation operationally and financially.
  2. Ensure executives understand the real impacts of cyber on organisations today, and the competitive advantage that being secure offers.
  3. Ensure cyber features on risk registers and in management information reports.
  4. Nurture a cyber-savvy organisation where all executives and employees understand its importance and the role they play in protecting the organisation.
  5. Keep up to date with threat activity and regulatory compliance requirements and communicate this information to executives, so budgets and defences can be adjusted when necessary.