Can We Quantify the Value of Cybersecurity Investments?

According to Analysys Mason, SMEs invested USD107 billion in cybersecurity worldwide in 2023, and this is expected to increase at a CAGR of 10% until 2028. That would make SMEs responsible for 62% of cybersecurity expenditures globally.

Now, this is just a forecast, and forecasts of this nature are typically either fantastically exceeded or disappointingly undershot. This is because, although people make decisions individually, they are influenced by others. If other SMEs are demonstrating with their cash that cybersecurity investment is the order of the day, it’s not likely your business will be the contrarian to question it, especially if you’re not familiar with the industry’s importance.

Despite this level of optimism, far too many SMEs are still biding their time in moving cybersecurity northwards on their monthly agendas. One of the prominent reasons why is wrapped up in the question, “What is the value of cybersecurity investment to our business, and does it outweigh the costs?”

It’s a sensible question that any astute businessperson should be asking.

When the same question is posed to a security vendor who wants your cash, the response is focused on avoiding the possibility of a security breach—this is a lazy answer. After all, no cybersecurity solution is 100% effective because its dependencies will always be people, processes and technology. If you take the first component in this trilogy, you’ll quickly realise people can never be 100% on the ball at all times, which directly influences any cybersecurity attempts we may undertake.

Yes, of course, we must be seriously concerned about minimising the likelihood of a security incident as much as possible, but the question is whether the value of a cybersecurity program, initiative or investment outweighs the costs.

With an increase in the cost and frequency of data breaches, there are several questions these undecided decision-makers are asking, such as:

  • Will this investment be effective?

  • Is it an efficient use of capital?

  • Will we get the results we need?

  • How will we measure the success or failure of these investments?

  • Are the costs going to keep growing indefinitely?

  • How much security is enough?

Many security professionals holding senior positions struggle to answer these questions. In fact, Nixu Corporation published a whitepaper finding that CISOs and CIOs rarely focus on business value, which the questions above allude to. Interestingly, they found that senior management has an inhibited ability to make decisions regarding security investments because they are unable to properly quantify cybersecurity risks, the very area to which their attention is constantly being directed (remember the lazy answer earlier?).

This presents unique challenges in quantifying the value of cybersecurity investments. Unlike marketing efforts, where ROI can be clearly demonstrated through metrics such as the sales generated from x amount spent on y marketing campaign, cybersecurity operates primarily in a preventative capacity.

The primary objective of cybersecurity is to avert breaches. Failure to do so can result in significant, sometimes fatal, disruptions to business continuity. Conversely, when successful in preventing data breaches and cyberattacks, the cybersecurity initiative is fulfilling its purpose, but this isn’t directly linked to measurable business metrics that show up in the numbers.

As there are no well-established practices that SMEs may follow to ensure the robustness of cybersecurity investment decision-making, some ingenuity is required.

Fortunately, there are several ways to quantify the value of cybersecurity investments, but it’ll require first understanding the key risk or growth areas to which any business will pay attention and then subsequently building the conduit from a cybersecurity lens to these respective areas in quantifiable terms.

Let’s break it down a little further and make it clearer.

Businesses generally care about the following risk areas in order of priority:

  1. Resilience: The ability to adapt to disruptions which interfere with revenue generation or business operations.

  2. Reputation: The perception of a company’s trustworthiness, quality, and reliability as judged by its stakeholders, including customers, employees, investors, and the general public.

  3. Unplanned Direct Costs: Specific unforeseen security incidents or breaches, such as emergency incident response, sudden system repairs, or unanticipated costs for additional security measures.

  4. Regulatory and Legal: Potential threats to a business’s operations and financial health arising from non-compliance with laws, regulations, and industry standards, which can result in fines and legal penalties.

In the interest of time, let’s simply take a closer look at business resilience through the lens of cybersecurity in a rather simplified example.

Implementing a cybersecurity program can significantly enhance business outcomes by protecting customer information and maintaining consumer trust. Here’s an example demonstrating its financial justification:

ACME MANUFACTURING LLC

  • Customer Base: 1,000 customers

  • Lifetime Value (LTV): £1,800 (calculated as £1,000 Average Purchase Value × 2 Purchase Frequency × 3 years Average Customer Lifespan × 30% Gross Margin)

  • Potential Customer Loss with Poor Cybersecurity Hygiene: 35% (based on conservative estimates from a McKinsey study) = 350

  • Revenue Without Cybersecurity Program: £1,170,000 (650 customers × £1,800 LTV)

  • “Specific” Cybersecurity Program Success Rate: 70%

  • Additional Customers Retained With Cybersecurity: 245 (35% × 0.70 × 1,000)

  • Total Customers With Cybersecurity Program: 895 (650 + 245)

  • Revenue With Cybersecurity: £1,611,000 (895 customers × £1,800 LTV)


    Net Revenue BENEFIT: £441,000

    Cybersecurity Program COST: £50,000

    Cybersecurity Program VALUE: £391,000

This example highlights a net benefit of £391,000 from implementing a £50,000 cybersecurity program, demonstrating its substantial financial value in safeguarding customer trust and retention alongside protecting the company from data breaches.
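The ACME calculation above, generalised into a small reusable calculator as an added example (this is not the author's own spreadsheet or code). It reproduces the page's figures from the same inputs and additionally computes the programme success rate at which the investment merely breaks even, and the value at several assumed success rates, so a proposal can be stress-tested rather than argued from a single point estimate. The class and method names are my own.

```python
"""Customer-retention model for a cybersecurity programme.

Added example generalising the ACME Manufacturing figures on the page;
not the author's code. All inputs below are the page's assumed values.
"""
from dataclasses import dataclass


@dataclass
class RetentionModel:
    customers: int               # current customer base
    avg_purchase_value: float    # currency units per purchase
    purchase_frequency: float    # purchases per year
    lifespan_years: float        # average customer lifespan in years
    gross_margin: float          # 0..1
    churn_if_breached: float     # share of customers lost with poor hygiene, 0..1
    program_success_rate: float  # share of that churn the programme prevents, 0..1
    program_cost: float          # cost of the programme over the same period

    def ltv(self) -> float:
        """Lifetime value = purchase value x frequency x lifespan x margin."""
        return (self.avg_purchase_value * self.purchase_frequency
                * self.lifespan_years * self.gross_margin)

    def customers_lost(self) -> float:
        """Customers expected to leave after a breach with poor hygiene."""
        return self.customers * self.churn_if_breached

    def customers_retained_by_program(self) -> float:
        """Portion of that loss the programme is assumed to prevent."""
        return self.customers_lost() * self.program_success_rate

    def revenue_without(self) -> float:
        return (self.customers - self.customers_lost()) * self.ltv()

    def revenue_with(self) -> float:
        remaining = (self.customers - self.customers_lost()
                     + self.customers_retained_by_program())
        return remaining * self.ltv()

    def net_benefit(self) -> float:
        return self.revenue_with() - self.revenue_without()

    def value(self) -> float:
        """Net benefit minus programme cost; negative means it does not pay."""
        return self.net_benefit() - self.program_cost

    def breakeven_success_rate(self) -> float:
        """Success rate at which the programme exactly pays for itself.

        net_benefit = customers_lost * rate * ltv, so solving for rate:
        rate = cost / (customers_lost * ltv).
        """
        return self.program_cost / (self.customers_lost() * self.ltv())

    def sensitivity(self, rates) -> dict:
        """Programme value for each assumed success rate, other inputs fixed."""
        out = {}
        for r in rates:
            trial = RetentionModel(**{**self.__dict__, "program_success_rate": r})
            out[r] = trial.value()
        return out


# The page's worked example (constructed inputs from the article).
ACME = RetentionModel(
    customers=1000,
    avg_purchase_value=1000.0,
    purchase_frequency=2,
    lifespan_years=3,
    gross_margin=0.30,
    churn_if_breached=0.35,
    program_success_rate=0.70,
    program_cost=50_000.0,
)

if __name__ == "__main__":
    print(f"LTV per customer:        £{ACME.ltv():,.0f}")
    print(f"Revenue without program: £{ACME.revenue_without():,.0f}")
    print(f"Revenue with program:    £{ACME.revenue_with():,.0f}")
    print(f"Net revenue benefit:     £{ACME.net_benefit():,.0f}")
    print(f"Program value:           £{ACME.value():,.0f}")
    print(f"Break-even success rate: {ACME.breakeven_success_rate():.1%}")
    for rate, val in ACME.sensitivity([0.05, 0.10, 0.30, 0.70]).items():
        print(f"  success {rate:.0%} -> value £{val:,.0f}")
```

The break-even figure is the useful output for a sceptical decision-maker: with ACME's inputs the programme only needs to prevent roughly 8% of the assumed churn to cover its £50,000 cost, which makes the 70% assumption far less load-bearing than it first appears.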

Although this is a very simplified example, this is the line of thinking that allows business leaders to confidently make cybersecurity investments. The more tailored the proposals to the business in question, the more accurate the numbers are likely to be and sensible the thought process behind the decision to accept or reject a security proposal—any material deviations may just be a stab in the dark.
