What is the 'business value' of security?
You regularly hear organizations ask about the 'ROI of security'. But does this terminology represent the right perspective?
My suggestion: let's look at security from a different perspective. ROI is mainly when you develop or purchase software to recoup your investment and then make a profit. Understandable, because if a solution involves costs, you wonder what you will get in return.
But with this question you actually drift away from the essence of security measures. Because what is the real value of digital security? Is that monetary gain... or something else entirely?
Investing in the foundation
Let's go back to the core: security measures are taken to prevent chaos. A cyber attack can stagnate work processes or even shut down your entire organization. The consequences are often great. Employees panic, you suffer reputational damage, you lose customers and you can be fined by regulators.
Security measures are taken to limit the risk of such problems. Yes, you invest in it. But what you get in return is not a direct profit. It is the foundation you need to keep your organization running and making a profit. What does that foundation consist of? Peace, regularity, stability, customer trust and compliance. In other words, the preconditions for running a healthy organization.
Are you declaring your organization outlawed?
What if you don't invest in security measures now? Nowadays, it is no longer a question of if, but when your organization will be hit by a cyber attack.
"But it's been going well for years," you might say. And that's right. But cyberattacks are the order of the day. Malicious parties are actively looking for ways to attack organizations. Day and night, from all corners of the world. So basically you walk around without a shield on a battlefield where bullets and cannons are flying around. You have outlawed your organization. And when you conclude on Friday afternoon that another week has passed without a cyber attack, you open the champagne bottle...
That's also quite a victory. The only question is: do you want to run an organization that way?
Because let's take a look at what you expose yourself to. On a random Tuesday morning, the time has come: malicious parties have invaded your systems and shut everything down. You can no longer produce products or serve customers. Employees are at a loss. The supervisor points out that you have not complied with laws and regulations. And as if all that wasn't bad enough, the media gets wind of it. Within a few hours, your organization is poorly on the map.
What is left of your business value? It is generated by the products you manufacture and sell. You need a building, power, an emergency generator and working ICT systems for that. If one of these elements disappears, your business value is also over.
And the investments you have made in all kinds of applications, but not in security? You can forget about the ROI on that for the time being, because those applications have all been shut down.
No business without continuity
The real business value of cybersecurity is continuity. After all, without continuity you have no business.
Want to achieve an ROI on your investment in security measures in three years? You don't. But you do create a situation in which you continue to get ROI from other investments for the next three years (and beyond).
Fortunately, we notice that more and more organizations see cybersecurity through this lens. The awareness is there. This is a good development, because it allows us to keep malicious parties out of the organization much better!