Getting the Board on Board: Explaining Cybersecurity ROI

To effectively communicate the importance and ROI of cybersecurity initiatives, it is necessary to understand and speak the Board’s language. This language centers on business growth, risk management, and strategic investment.

Here are some key points to consider:

A perennial concern for Board members is the ROI of any proposed investment. They demand clear insights into the concrete and abstract advantages the company will gain in relation to its investments. This is a reasonable expectation. The dilemma raised with cybersecurity is that the benefits often revolve around averting potential pitfalls rather than directly enhancing profits.

Cybersecurity is often seen as a cost center rather than an investment, but this perspective can be misleading. An insufficient cybersecurity strategy can lead to hidden costs that far outweigh the initial investment in robust security measures. Below are some examples of potential hidden costs:

The most obvious cost comes from data breaches. Depending on the sensitivity of compromised information, whether from a profit and loss spreadsheet or a complex business database, a company can incur costly extortion demands from cyber criminals, financial compensation for affected customers, and regulatory fines.

For instance, T-Mobile’s 2021 breach compromised over 53 million customers’ data, leading to around $350 million in fines and legal costs. Beyond this, the intangible loss of customer trust and reputation can have long-lasting financial impacts on the company.

A security breach involving sensitive data can have serious consequences for a company, damaging its standing in the public eye and affecting customer confidence and loyalty. Although it is challenging to quantify the precise repercussions, incidents like these can have a lasting effect on a company’s economic health. Rebuilding a damaged reputation is a lengthy and resource-intensive process, further escalating the overall expenses.

Recently, LastPass, a well-known password management company, faced a serious setback when it experienced a security breach. This incident led to the exposure of customer email addresses and password hashes. Given the nature of their business, this breach significantly impacted their reputation for reliability and security.

Cyber attacks can disrupt business operations, leading to downtime and loss of productivity. The cost of these disruptions can escalate quickly, especially for businesses that heavily rely on digital operations.

For instance, businesses offering online services like e-commerce platforms or cloud-based applications can experience significant repercussions if there’s a breach of their clients’ data. Since these services typically operate on a subscription model and cater to a wide customer base, any operational disruptions can result in numerous missed revenue opportunities.

Companies may face lawsuits from affected customers or partners in a data breach. These legal proceedings can be costly in terms of monetary expenses and the time and resources required to manage them.

Frequently, lawsuits stemming from data breaches escalate into class-action cases, potentially resulting in substantial legal settlements and fines. These costs are an added burden following a cyber attack, further damaging a company’s reputation and standing if held responsible for the breach. The widespread attention these lawsuits attract can also erode customer confidence.

Following a significant cyber incident, businesses often see a rise in insurance premiums. This is another hidden cost that can add up over time.

When combined with other expenses, such as legal fees and lost business opportunities, increased insurance premiums can significantly impact a company’s bottom line.

Determining the ROI for cybersecurity can be complex due to its many intangible aspects.

In contrast to other investments, cybersecurity doesn’t typically yield direct revenue. Instead, it is a protective shield, protecting revenue and safeguarding the company’s assets. As such, the ROI for cybersecurity is often computed based on the cost savings from potential threats that were averted due to the security measures in place.

Here’s a fundamental approach to assessing the ROI on cybersecurity:

• Identify Possible Losses: Identify what your organization will lose if targeted by a cyberattack. This includes direct costs such as system recovery and legal expenses and indirect consequences like brand damage and loss of customer trust.
• Estimate the Likelihood of a Cyberattack: While precise predictions are difficult, historical data and industry trends can provide insights into the likelihood of your business being targeted by a cyberattack.
• Calculate Potential Cost Savings: Multiply the evaluated risks of a cyberattack by its estimated likelihood to estimate the potential savings from specific cybersecurity measures.
• Deduct the Cost of Cybersecurity Measures: Lastly, subtract the cost of your cybersecurity efforts from the estimated savings to find the ROI.

Effectively communicating with your Board is essential when it comes to cybersecurity investments. By using language that resonates with Board members and presenting your ROI calculation clearly yet impactfully, you can ensure that your cybersecurity investments receive the attention and funding they rightfully deserve.

About the author: