Cybercrime is like water, the criminals find the path of least resistance. The risk is growing, everyone knows it, and everyone knows that cybersecurity diligence is just one of the costs of doing business. However, it’s interesting to watch how the cost of managing risk is becoming more of an investment than an expense.
A company’s customers, its supply chains, its vendors, even its potential merger and acquisition partners, are now calculating the cybersecurity profile of a company before deciding to work with that company. Cybersecurity has evolved to become an elemental business component that grows revenue and opens doors for market expansion.
Cybersecurity has worked its way so deeply into the core of our collective business imperatives that enterprise valuation, investment opportunity, customer acquisition, and other critical goals depend on a company’s ability to demonstrate cyber health and resiliency.
Who’s Managing Risk?
It isn’t only what they are doing with security, who is making the decisions is shifting as well. While it may be common knowledge that CISOs, CEOs, and even boards of directors are getting involved in cyber decisions, the security buyer has also moved laterally in the organization.
Increasingly, business units are getting in the game: product leaders (who own the P&L of the product or service) are making key choices on compliance frameworks, security testing activities, and vendor selections to better enable the success of their products in a security-conscious market. Cloud migration strategies have also changed the mix of today’s security initiatives and compliance activities, affecting the decisions these professionals make.
Demonstrating Cybersecurity Strength and Integrity
Whether a company offers products or services, security is becoming a necessity and, often, a contractual requirement. Where once the time and costs of cybersecurity were considered unfortunate drains on business resources with negative impacts on the bottom line, proof of cyber stature is now a revenue enabler in numerous ways.
New market requirement: We are seeing many cases where markets or nations require proof of cybersecurity rigor before they will consider purchasing a product or solution. For example, the federal government is the largest consumer of cloud services, and any provider wishing to serve this market must comply with the Federal Risk and Management Program (FedRAMP) and/or other frameworks to tap into this massive opportunity.
According to our recent research, 33% more cloud solutions were approved for government use in 2018 than the previous year, demonstrating that providers are embracing the compliance path to opportunity. Hardware manufacturers in some nations may need to prove their products are free of cyber vulnerabilities before entering new national markets by undergoing penetration testing or other security testing processes.
Some companies can open new markets through partnerships with third-party solutions providers—but third-party risk management becomes a needed part of the security strategy. Additionally, international markets are more accessible with proof of compliance with frameworks such as ISO.
Contractual requirement: Customers no longer assume a product or service is secure; many demand proof within their contract terms. Examples include: a large university medical center being required to conduct penetration testing, or they will lose NIH funding; a large telecommunication company being required to comply with NIST to secure a GSA Enterprise Infrastructure Solutions contract; and countless cloud service providers securing government contracts with the provision that they obtain FedRAMP Authorities to Operate or other framework demonstrations.
Investment and M&A requirement: Cybersecurity risk has become intrinsic to a company’s valuation. For investment or M&A activities, evaluating a company’s cybersecurity posture is essential due diligence, as risk can be—and has been—inherited and put deals and their prices at risk. This is a tale that a prominent web services provider and retailer know only too intimately: News stories have recounted cautionary tales of acquisition prices plummeting many millions of dollars after unfortunately timed breach disclosures, or an acquiring company being embarrassed by a breach disclosure of their recently acquired asset.
Secure solutions requirement: Because today’s savvy customer expects that solutions be secure, more companies are building security and compliance alignment into their solutions early, rather than waiting for a customer to demand it at signing.
A prime example can be found in cloud solutions: while significant opportunity exists in the cloud market (Gartner predicts up to a trillion dollars of spend will be directly or indirectly affected by the cloud over the next five years), security is still a top concern. To get ahead of the concern, 80% of our business comprises service providers requesting assessment of their products and/or designs to build cybersecurity into the product, proactively meeting market security demands.
Brand protection requirement: Security incidents and publicly exposed vulnerabilities can damage a brand and hamper future revenue streams. Many organizations are taking significant security measures beyond compliance to defend against security incidents. Examples include: helping a customer ensure a competitor can’t hack their unrevealed fashion line before release; penetration testing automobiles to search for potentially brand-damaging vulnerabilities before an incident can occur; conducting comprehensive security testing of a medical device manufacturer’s physical location to ensure physical security gaps won’t lead to malware implants that can affect the hospital user base.
As a security professional, it’s refreshing to see something so critical finally being embraced as a core business function that drives business forward. As we enter a new decade, cybersecurity has emerged as a top-line, revenue-generating component enabling expansion and growth into new markets.
Organizations are encouraged to make the best use of their security stature and promote their investments to help gain competitive advantage – and to ultimately make positive impacts on their bottom lines.