The economy of security
By Wayne Olsen, Managing Executive Cybersecurity at BCX.
Why should a business bother with spending money on security and what value does it deliver?
Cloud, virtual machines, servers, hyperscalers, as-a-Service solutions, digital twins and digital transformation – every one of these is a solution designed to transform the organisation with efficiencies and functionalities that redefine its performance on the local and global stage. Each one is a risk. The cybersecurity threat is a constant and pervasive presence that’s costing companies money, loss of reputation and is growing increasingly complex to manage. Surveys and statistics show a landscape that’s growing increasingly aggressive, and the cost to business is becoming ever greater.
According to Statista, the average cost of a data breach in the US in 2022 has risen to US$9.44 million compared with US$9.05 million in 2021 – this is a significant surge from the US$5.5 million only ten years ago in 2012. The data indicates that a heavy financial toll has been borne across multiple organisations. The average cost of a data breach, globally, in healthcare over the past year equated to $10 million. This rose to US$5.97 million in the financial industry, and in pharma to US$5.01 million. These numbers are reflected in the IBM 2022 Cost of a Data Breach Report that revealed how nervous companies are right now – 83% are waiting for the breach to happen. It’s not an if. It’s a when.
This smart and relentless cybersecurity threat comes with another price tag – security investment. The 2021 State of Ransomware Survey and Report revealed that 72% of cybersecurity budgets have increased, and 93% had to allocate special budgets to fighting the threat. Companies are investing in security across networks, cloud, endpoints, identity access and more, all in a bid to ensure that the business can continue to do just that – business.
Within this maelstrom, it is easy to see why companies often perceive cybersecurity as a grudge purchase. It’s the cost that has to be paid, or else. It’s the threat of what will happen if the business isn’t compliant, secure, or prepared. Instead of an investment into the company’s foundations, it is an expense.
Or is it?
Sure, the cost of security is unavoidable and the price of a breach is untenable. Still, there are other aspects to security investment that go beyond simply battening down the digital hatches. The business that bothers with investing in a Chief Information Security Officer (CISO), a security team, a Security Operations Centre (SOC), a Network Operations Centre (NOC), and agile security technology isn’t just investing in tools. It is investing in resilience, relevance and strategic growth.
Despite the costs outlined above, the right cybersecurity investment saves money. A robust cybersecurity policy structured in alignment with business strategy will minimise the risk of attacks and unexpected vulnerabilities, placing your business on a far more stable foundation. This has a knock-on value across compliance mandates such as POPIA and reputational value, which have proven long-term positive financial implications. Add to this the obvious savings that come hand-in-endpoint with a robust security system. Not having to pay the cost of a successful attack, and with security woven in with a business strategy, the dialogue is taken away from ‘No, you can’t do that’ towards ‘Here’s how security can enable that’.
While many aspects of security cannot be quantified precisely and their return on investment easily measured, the value of security can be felt in business confidence - in its ability to embark on digital initiatives, unpack new solutions and services, and minimise the risks while maximising the opportunities. In this way, security is defined less by what it demands from the business and more by how it transforms what the business can do.