
Cyber risk vs ROI – what’s the right balance?

Written by Rosie Anderson
September 30, 2024

I regularly speak with cyber security leaders who are struggling to get their budgets approved, or who are under more and more pressure to showcase ROI (Return on Investment), yet must still take cyber risk into consideration.

Sometimes they are new in their role and are struggling to change the CFO or budget holder’s viewpoint that cyber security is a cost centre. Other times, they are working hard to showcase the risk to the board to get a budget for their projects.

Here at th4ts3cur1ty.company we have put together a framework that can help you to align your cyber risk to the business goals and objectives. This blog outlines part 1 of that framework, which will show you how to showcase and quantify the benefits of your cyber security initiatives.

What is Cyber ROI?

Cyber ROI is the measurable value and financial benefit an organisation gains from its investment in cyber security measures. However, cyber security typically prevents losses rather than generating revenue, so with cyber security we have to focus on metrics such as:

  • Reduction in risk/potential losses from data breaches, regulatory fines or operational downtime
  • Cost avoidance related to incident response, legal expenses and reputational damage
  • Operational efficiencies such as improved system uptime, reliability and employee productivity
  • Compliance with regulations and avoiding costly penalties
  • Enabling business growth by building customer trust and providing a secure foundation for new digital initiatives


According to IBM’s Cost of a Data Breach report, the average cost of a data breach globally in 2024 is £4 million (or $4.88 million) once detection costs, forensics costs, customer turnover, legal expenses, time to notify customers and fines are all combined. However, in the UK 99% of businesses are SMEs with fewer than 50 employees. A loss of that scale would sink such a business outright, so we can’t naively use that statistic to demonstrate ROI to it.

We have to understand the businesses we work in and show that the balance between the productivity of the business and its cyber risk is the right one.

Understanding your business operations

Before you can apply ROI, you need to understand your business’s purpose and goals. What does the business do? In this blog, I’ll use the following example: the business purpose is to supply all major supermarket retailers with a large number of pre-packaged sandwiches and dominate that space in the food industry.

Your associated goals may be to produce X amount of sandwiches of different varieties per day, and to do so sustainably while using no less than 80% organic ingredients. Outwardly, the business purpose may be stated as producing high-quality, fresh sandwiches for the convenience of hard-working, busy people.

There are purposes and goals that companies share openly, but there are also private goals that are only discussed internally. For example, a company selling sandwiches may have an ultimate goal of generating enough profit to sell the business to a larger food manufacturer within a certain timeframe. Internally, the goal is to be profitable and expand the business’s reach to capture 30% of the fast-food market by 2028; the ultimate goal is to be purchased by a large retailer by 2035.

Is the cyber security department helping towards these goals, or is it putting barriers in place for the staff that are working towards these goals?

Cyber risk and the financial impact of the business goals being interrupted

If our business goal is to produce X amount of pre-packaged sandwiches of different varieties per day, what is the impact of that being interrupted?

From a financial perspective:

  • If our processing facility goes offline for 1 day, we fail to produce e.g. 200,000 pre-packaged sandwiches
  • The immediate damage is £108,000 per day in lost revenue
  • There’s also an anticipated £2.6 million in legal fees and potential contract break clauses with existing retailers
  • Wastage costs of X from organic ingredients spoiling
  • There is also reputational damage, resulting in lost contracts with retailers we are currently in negotiations with

Aligning cyber risk to business risk

Before we can work to secure a business, it is important to understand what is critical to business operations, not to cyber operations. Every department will think it’s the most important department in a business…but what does the board think?

For instance, if we think of an airport, the systems that keep the planes in the sky and the flights on time are what keep the money coming in. There are also booking systems and check-in systems, as well as operational systems for timesheets and payroll.

If we work with the business to understand all of the business-critical systems, we can work out how long the business can afford for each of those systems to be down; i.e., how long can they afford to lose their HR systems without major impact? If payroll isn’t for another 25 days, how many days of downtime can they afford for the payroll system? At what time of the month is the payroll system critical?

We may want to protect the e-commerce website for flight purchases to a target of zero downtime, to ensure bookings can continue to be made. The check-in facility may be allowed 2 hours of downtime because, for example, its disaster recovery plans have been tested and there are regular paper backups/printed lists.
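As an added example (not part of the original post), here is the airport scenario above encoded so that each system’s tolerable downtime can depend on the calendar, and an outage is judged against whichever tolerance is in force while it is running. The system names, the 25 October pay date, the three-day payroll lead time and all of the hour figures are assumed for illustration:

```python
"""Tolerable downtime per business system, varying with the calendar.

Added example, not from the original post: the system names, the pay date,
the lead time and the hour figures are assumed for illustration.
"""
import math
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta


@dataclass
class CriticalWindow:
    """A period in which a system's tolerable downtime is tighter than usual."""
    start: datetime          # inclusive
    end: datetime            # exclusive
    tolerance_hours: float


@dataclass
class BusinessSystem:
    name: str
    default_tolerance_hours: float                 # tolerance outside any window
    windows: list = field(default_factory=list)

    def tolerance_at(self, when: datetime) -> float:
        """Hours of downtime the business can absorb if the system is down at `when`."""
        for w in self.windows:
            if w.start <= when < w.end:
                return w.tolerance_hours
        return self.default_tolerance_hours


def payroll_windows(pay_dates, lead_days=3, tolerance_hours=4.0):
    """Critical windows covering the `lead_days` before each pay date up to the day itself."""
    return [
        CriticalWindow(
            start=datetime.combine(d - timedelta(days=lead_days), datetime.min.time()),
            end=datetime.combine(d + timedelta(days=1), datetime.min.time()),
            tolerance_hours=tolerance_hours,
        )
        for d in pay_dates
    ]


def outage_breaches(system: BusinessSystem, start: datetime, duration_hours: float) -> bool:
    """True if an outage starting at `start` and lasting `duration_hours` exceeds tolerance.

    Tolerance is checked at every elapsed hour and at the outage end, so an outage
    that begins in a quiet period but runs into a critical window is judged against
    the tighter tolerance in force at that point.
    """
    end = start + timedelta(hours=duration_hours)
    checkpoints = [start + timedelta(hours=k) for k in range(math.ceil(duration_hours))]
    checkpoints.append(end)
    for point in checkpoints:
        elapsed = (point - start).total_seconds() / 3600.0
        if elapsed > system.tolerance_at(point):
            return True
    return False


def sample_systems() -> dict:
    """Constructed airport systems with assumed tolerance figures."""
    pay_date = date(2024, 10, 25)   # assumed monthly pay date
    return {
        "bookings": BusinessSystem("flight booking website", 0.0),   # zero downtime
        "checkin": BusinessSystem("check-in desks", 2.0),             # paper fallback exists
        "payroll": BusinessSystem("payroll", 5 * 24.0, payroll_windows([pay_date])),
    }


def sample_outages() -> dict:
    """Constructed outages run against the sample systems; keys are scenario names."""
    s = sample_systems()
    return {
        "bookings_30min": outage_breaches(s["bookings"], datetime(2024, 10, 2, 9), 0.5),
        "checkin_2h": outage_breaches(s["checkin"], datetime(2024, 10, 2, 9), 2.0),
        "checkin_3h": outage_breaches(s["checkin"], datetime(2024, 10, 2, 9), 3.0),
        "payroll_midmonth_48h": outage_breaches(s["payroll"], datetime(2024, 10, 10), 48.0),
        "payroll_before_payday_48h": outage_breaches(s["payroll"], datetime(2024, 10, 21), 48.0),
    }


if __name__ == "__main__":
    for scenario, breached in sample_outages().items():
        print(f"{scenario}: {'BREACH' if breached else 'within tolerance'}")
```

The checker judges an outage against whichever tolerance applies at each hour it is down, so a 48-hour payroll outage starting on 21 October is flagged (it runs into the three days before pay day, where only 4 hours are tolerable) even though the same outage starting on 10 October is within the five-day allowance. That is the distinction the questions above are driving at: the tolerable downtime of a system is a function of when it fails, not a single number.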

This is an example of how you identify clear and honest business goals, putting aside whatever is fashionable in our respective industries and instead focusing on what is required and relevant for the business to survive.

Conclusion

This is the first of a series of blog posts to help you with your stakeholder management at board level. If you can’t wait for part 2 and need some assistance with your board negotiations (regarding cyber risk or anything else), drop me a message via our contact form for a copy of our Cyber ROI questionnaire, which will help you align your cyber security strategy to your business-critical assets and most likely adversaries.


This article is written by Rosie Anderson

Head of Strategic Solutions

Also known as our Magical Genie Person, Rosie helps businesses solve their cyber challenges. She is fascinated by the cyber security industry and believes in giving back. Rosie co-founded BSides Lancashire, brought back BSides Leeds, is the Head of Industry Mentoring at CAPSLOCK and hosts the Bee in Cyber podcast.

Favourite bands: Oasis and The Beatles. Dream job as a child: Lawyer. Favourite TV show to binge-watch: Diners, Drive-Ins and Dives. First meal after being stuck on a desert island: Full English Breakfast