Billions of dollars are being poured into the cybersecurity market, and the risks of cyberattacks are well-documented. But IT leaders still need to make a compelling argument to carve out the necessary piece of their organizations’ budgets for cybersecurity investment.

“Cybersecurity is looked at as an ancillary component to IT,” Larry Whiteside Jr., CISO at real-time GRC software company RegScale, tells InformationWeek. “However, it’s the controls related to cybersecurity that directly affect not just an organization's IT posture, but also its risk posture, compliance posture, and potentially its fiscal posture as a failure in any of the mentioned areas can have devastating impacts to an organization.”

Demonstrating how cybersecurity impacts the bottom line can help IT leaders make a compelling argument to the C-suite, but painting that picture isn’t always easy. “Cybersecurity spending can be particularly tricky because it is -- generally and hopefully -- preventative rather than reactionary. It’s a different conversation than, say, productivity software where you can perhaps measure value more immediately,” says David Weisong, CIO of energy consulting firm Energy Solutions.

Whiteside, Weisong and three other C-suite leaders share their insight into ways cybersecurity can have a notable impact on a company’s revenue.

Compliance Support

Companies operating in many industries must invest in cybersecurity to comply with regulatory requirements. Failure to do so can lead to hefty fines and loss of business. Energy Solutions operates in a highly regulated industry with complex compliance requirements; most of its clients are utility companies. “Over the course of conversations with current clients and in discussions (and proposals) with prospects, we realized that hardening our security posture with demonstrable security processes would not just be prudent for ongoing threat protection, but also smart for our business,” Weisong shares.

Energy Solutions pursued SOC 2 Type 2 certification as the framework to guide its security modernization strategy, according to Weisong.

“To gain a competitive advantage, we have taken a position of exceeding the minimum security requirements that many utilities demand,” he elaborates. “The return on investment for surpassing those minimum thresholds -- minimum thresholds which continue to increase -- has been clear.”

Operational Efficiency Improvements

As CIO of insurance organization World Insurance Associates, Michael Corrigan has led the company through investments in next-generation antivirus, endpoint detection and response, enhanced IT hygiene, and managed threat hunting solutions. “Improved cybersecurity controls can increase operational efficiencies, as well as investigation and containment efficiencies, all of which increase bottom line revenue,” he says.

Incident Response

The faster a company can recover from a cybersecurity incident, the less costly it will be. The average cost of downtime is $9,000 per minute, according to research from website performance and availability monitoring company Pingdom. Larger companies can lose millions in revenue over the course of just a few hours of downtime.

“While no one is immune to a breach, investments in a cybersecurity program can reduce the impact of an event, and the companies that have tools and programs to respond to an incident are the ones that end up doing okay,” says Doug Barbin, chief growth officer and managing principal at IT compliance attestation company Schellman.

Preservation of Trust

Bryan Willett has been the CISO of imaging solutions company Lexmark International for seven years. He oversees global cybersecurity, data privacy, and governance for more than 140 sites across the world. “I spearheaded Lexmark’s largest investment in IT security in over a decade. This covered: security by design, zero trust and supply chain security -- encompassing 10,000 global vendors,” he tells InformationWeek.

These investments have played a critical role in building trust with the company’s customers. “As regulatory and contractual requirements continue to grow around data protections, customers increasingly seek out partners who have equivalent respect for the protection of data,” says Willett. Reputational damage and the resultant lack of trust can translate into lost revenue when customers decide to seek out competitors that demonstrate the ability to safeguard their valuable data.

Insurance Premium Management

With cyberattacks continuing to escalate, insurance coverage is more difficult to obtain, and premiums are getting more expensive. From 2020 to 2021, direct written premiums for cyber coverage increased by 75.3%, according to a report from the National Association of Insurance Commissioners. The upward trend in premium price is likely to continue.

While cyberattacks are a question of “when, not if,” taking a proactive approach to cybersecurity can make cybersecurity insurance premiums more manageable, according to Corrigan.

New Business

Cybersecurity can preserve revenue by saving costs related to preventable attacks, regulatory fines, and rising insurance premiums. It can also actively increase revenue by retaining and attracting new customers. “Our new cybersecurity stack and compliance initiatives have led to not only existing client contract renewals, but also enabled us to credibly win new client contracts,” said Weisong.

Getting the C-Suite on Board

Setting an adequate cybersecurity budget and making the right investments is an effort that involves an enterprise’s entire C-suite. The first step is making sure that all stakeholders understand the risks. “Investments in cybersecurity should not be done haphazardly. Making strategic investments that align to risk will have a greater impact,” Whiteside says. “This means an organization must understand their risk. This includes employee, technology, operational and fiscal risk, and the impact that cybersecurity has on each.”

Corrigan works with the C-suite team at World Insurance Associates by keeping them aware of the threat landscape and how it could impact the company. He also listens to their feedback to understand “... which business processes to support and where the cyber controls should be tuned to protect the organization without impacting its capacity to function efficiently.”

What to Read Next:

Zero-Trust Networks: Implementation Is No Walk in the Park

March 2023 Global Tech Policy Bulletin: From Bank Nightmares to a Spyware Scandal in Greece

Will Your Company Be Fined in the New Data Privacy Landscape?