Cybersecurity Teams Generate Average of $36M in Business Growth

Cybersecurity teams have become a significant contributor to business growth, contributing a median value of $36m per enterprise initiative they are involved in.

Despite this, the Ernst & Young (EY) survey of global security leaders found that cybersecurity budgets have declined by around half as a percentage of annual revenue in the past two years, from 1.1% to 0.6%.

This suggests that many organizations do not yet recognize investing in cybersecurity as a value-creating opportunity.

This is emphasized by the fact that just 13% of CISOs are consulted early when urgent strategic decisions are being made.

Additionally, 58% of respondents said it is difficult to articulate their value beyond risk mitigation.

The researchers urged CISOs to use studies like this to help them better articulate to the board why their role has evolved to be that of a business executive. CISOs should also look to be included earlier in decision-making processes.

How Security Teams Create Business Value

According to the EY study, cybersecurity functions account for 11% to 20% of the value produced by enterprise-wide initiatives they are involved in.

The monetary value varies significantly by organization size, from a median of $11m per project for organizations that generate $1-4.9bn in revenue per annum, up to $154m for companies with $20bn or more in annual revenue.

The researchers identified a subgroup of respondents known as “Secure Creators,” who are involved earlier and more deeply than their peers in their business’s key initiatives.

These individuals play a key role in business growth in a number of ways, including:

• Helping implementing AI and other high-growth technologies securely, giving a competitive advantage in the market
• Positively impacting how external stakeholders perceive their brand, including by avoiding potential losses during a ransomware attack and ensuring secure data transfers
• Improving customer experience, including by enhancing internal communication security for better customer service and faster complaint resolution
• Considering the security risks of moving into new markets at an early stage, helping get ahead of potential issues

Rudrani Djwalapersad, EY Global Cyber Risk and Cyber Resilience Lead, commented: “When CISOs are given a seat at the table early in strategic initiatives, they not only embed security into business planning from the ground up, but they add value by increasing speed of adoption and by building trust with consumers.”

The report also emphasized that the rapid adoption of AI provides an opportunity for CISOs to expand their role to executive level. Currently, just 43% of cybersecurity functions are meaningfully involved in helping other functions adopt AI.

Cybersecurity leaders should focus on simplifying the rollout of AI across their organization by optimizing legacy technology tools and simplifying cybersecurity tools to reduce costs.

This can ensure the quick deployment of new AI tools, such as agentic AI, at scale, offering a competitive advantage to their business.

“By positioning themselves as strategic partners in AI execution, they can earn greater trust and a seat at the table for broader transformation initiatives,” the report noted.

The study surveyed 550 C-suite and cybersecurity leaders across 16 sectors and 19 countries covering the Americas, Asia-Pacific, and Europe, the Middle East, India and Africa (EMEIA).