Transforming cyber security from cost centre to growth enabler
Pat Larkin, President of Security, Ekco
Executive Summary
The digital revolution has transformed how businesses interact with customers, making digital channels the new frontline. To protect these critical channels, organisations must invest in robust Information and Cyber Security. By shifting their mindset from cost centre to strategic asset, C-suite leaders can unlock significant business value through cyber security, including:
- Easier access to new markets
- Competitive advantage
- Increased opportunity for innovation and digital transformation initiatives
- Increased collaboration, partnership and supply chain opportunities
- Cost efficiencies
- Operational efficiencies
- Compliance
How organisations perceive information security
Many organisations view information security and cyber security with mixed emotions. Those who have experienced significant cyber security incidents or have a strong risk management process are more likely to appreciate the value of the information security function and collaborate for constructive outcomes. However, some organisations still perceive cyber security as a poorly understood black box, an increasing cost centre, or an inhibitor due to risk management or compliance barriers.
The modern organisation’s increasing digital dependence has made cyber security a critical investment. McKinsey estimated in 2020 that 55% of all customer interactions in Europe were digital, and over 50% of European organisations’ services were partially or fully digitised. This trend is accelerating, fueled by COVID-19. Protecting this increasingly important digital channel requires substantial investment in cyber security to counter evolving cyber threats.
Shift in mindset
Cyber criminals, often backed by nation states, are capitalising on digital transformation. Cyber security represents a significant investment. Organisations can allocate between 9% and 20% of their information technology budget to cyber security. Hiscox’s Cyber Readiness Report 2022 estimates that an average business with 250-999 employees spends £1.5 million annually on cyber security, while organisations with 1,000+ employees typically spend over £18 million per annum. This substantial commitment demands a strategic approach, transcending the traditional view of cyber security as solely a cost of doing business.
By shifting their mindset from an inhibiting, insurance and compliance-based philosophy to a growth-oriented philosophy, organisations can unlock the full potential of their cyber security investment.
Senior management, in partnership with security leaders, can drive a narrative focused on enablement and growth. Opportunities for positive enablement include:
Easier access to new markets: Different regions and sectors have different compliance and data protection, product cyber safety and critical national infrastructure regulations. Use demonstrably mature cyber security practices and universal accreditation such as ISO27001, Cyber Essentials, etc. to open easier, faster and sustainable access to these markets. Operating an international Information Security Management System such as ISO27001 makes it easier to incorporate, and demonstrate compliance with, subsequent standards and security control frameworks under an umbrella approach. ISO security accreditation is a really good international calling card. If you are focused on UK business, you may want to consider Cyber Essentials accreditation; US-focused businesses may want to consider NIST accreditation frameworks.
Increased opportunity for innovation and digital transformation initiatives:
To effectively address customer needs, enter new markets, offer superior and unique services, and lower costs, your organisation must prioritise continuous innovation. This often involves embracing new technologies and leveraging digital transformation. However, these advancements can also heighten cybersecurity and information security risks for both your organisation and its customers. If not managed properly, these risks can hinder your ability to innovate or even threaten the very existence of your organisation. A robust security foundation enables organisations to embrace new technologies and business models in a controlled manner, without fear of compromise. Fortunately, a risk-based approach and management system ensures you can identify, mitigate, and control the emerging risks that arise from, e.g., the use of AI, IoT, RPA, Smart Manufacturing, etc., ensuring that your innovation efforts are both successful and secure.
Increased collaboration, partnership and supply chain opportunities: Every company plays a dual role in the supply chain – as a buyer upstream and a supplier downstream. As a result, demonstrating mature cybersecurity practices has become a critical factor in supply chain due diligence, supplier onboarding, and the ongoing renewal and continuity of supply relationships. Robust data protection measures, secure and sustainable business operations, and reliable service continuity are now essential for companies in the commercial, government, and public sectors. If you cannot clearly prove that your business or supplier is secure, you may find it challenging to maintain or establish new business relationships in the short to medium term. Again, accreditation to international standards and best practices such as ISO27001, NIST and Cyber Essentials usually offers this irrefutable evidence to your customers or partners. Investing in comprehensive cybersecurity measures not only protects your company’s data and operations but also enhances your credibility and competitiveness in the supply chain. By prioritising cybersecurity, you demonstrate to potential partners that you are a reliable and trustworthy collaborator, ultimately strengthening your position in the market.
Competitive advantage: Proactive cyber security can differentiate organisations from competitors, positioning them as leaders in their industry. If your company can demonstrate that it poses a lower risk when processing customer data (for example, through an accredited Information Security Management System), has a more secure business or service supply chain (for example, through relevant business continuity), and presents a reduced risk of compromise to your clients’ systems and information, you gain a significant competitive advantage over your rivals.
Operational efficiencies: Organisations that adopt a mature and systematic approach to cybersecurity and risk management typically enjoy a 2-3% reduction in cybersecurity spending while achieving significantly higher levels of security effectiveness compared to those with a more ad hoc strategy. While companies that neglect cybersecurity may have lower initial costs, they face a much greater risk of catastrophic security incidents, which can lead to substantially higher expenses per data breach. According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach is approximately $4.45 million. The report highlights that organisations with established best practices—such as incident response planning, employee training, security monitoring, and encryption—experience significant reductions in breach costs.
For instance, having a mature incident response team and effective employee security awareness training can lower the average cost of a data breach by over $232,000 for each measure implemented. By investing in robust cybersecurity practices, organisations not only enhance their security posture but also achieve greater efficiency and cost savings in the long run. Prioritising cybersecurity is not just a protective measure; it’s a strategic investment that can lead to substantial financial benefits.
Cyber insurance is becoming an essential part of an organisation’s risk management and risk transfer strategy. More frequently, supply chains are requiring their suppliers to maintain specific levels of cyber insurance coverage.
However, the cyber insurance market has faced challenges in recent years, leading to several significant changes:
- Rising Premiums
- Insurers are now more selective about providing companies with affordable coverage options.
- Increased Exemptions
- Compliance Requirements: Payouts are contingent upon demonstrable compliance with policy requirements.
As a result, the application forms and processes for obtaining cyber insurance have become increasingly complex and meticulous. To secure and fully benefit from cyber insurance, organisations must implement a recognised best practice information security management system. Without this, cyber insurance may be unattainable, financially unfeasible, or ultimately a waste of resources, even if obtained.
Maintain compliance: The compliance burden on businesses is steadily increasing. A compliance-only approach doesn’t always mean that your business is secure against the specific threats it faces. Adopting a mature approach to information security that prioritises enabling the business first, while protecting it second, can effectively address this challenge by putting real business benefits as your top priority for cyber security investment. By systematically applying best practices such as risk management, information security management, business continuity and quality management, organisations can achieve compliance as a valuable by-product of their business enablement and business protection efforts.
Summary
By fostering a collaborative partnership between organisational leadership and the Information Security function, cybersecurity can be transformed from a perceived cost, compliance checkbox, and business inhibitor into a quantifiable enabler of the organisation’s mission and objectives. This shift can be achieved by adopting a mature, systematic approach to information and cybersecurity that prioritises business goals while protecting the organisation’s and its customers’ data, systems, people, processes, and outputs. This proactive strategy can also help achieve compliance obligations. To drive this transformation, leadership must embrace a growth mindset with full executive commitment and a true partnership between the security function and the business. By aligning cybersecurity efforts with strategic objectives, organisations can unlock the potential of their security investments and leverage them as a competitive advantage.
To learn more about how to transform your organisation’s cyber security strategy, schedule a consultation with our specialist team.