Measuring Cybersecurity ROI Part 2: Cost Savings, Decreasing M&A Risk
The good news for frustrated CISOs is that cybersecurity also drives the sorts of revenues and efficiencies leadership looks for in evaluating ROI.
For starters, effective security means significant cost savings.
Efficiencies save time, and hence money, which is then available for other strategic initiatives. And cybersecurity, for many organizations, is a locus of significant inefficiency and waste.
This sort of unintegrated, piecemeal approach tends to be inefficient and is often quite expensive. Our experience is that self-integration of a cybersecurity product is, on average, about 30% less efficient than if it’s implemented by an external cybersecurity integrator. Additionally, third-party integrators work with the technology a company already has in place, driving strong optimization efficiencies and reducing confusing, expensive (and less effective) vendor sprawl.
Second, cybersecurity dramatically reduces the risk associated with mergers and acquisitions.
In one notable case, an acquirer’s final offer was cut by several hundred million dollars after belated revelations about security incidents. And a 2016 NYSE survey found that more than half of respondents see security vulnerabilities as merger/acquisition deal-breakers. (CircleID)
Strong cybersecurity programs can supercharge the due-diligence process, though. Things to consider:
- Ensure that a list of the target company’s digital assets, including infrastructure, software, hardware, and mobile apps, exists in a centralized database. This should include a risk score for each asset, based on information such as previous compromises, vulnerabilities, asset criticality, etc.
- Gain a complete view of the target company’s third-party ecosystem. The board should insist that the M&A team evaluate the security protocols and assurances of each of the target’s partnerships to assess any risk they might introduce.
- Make sure procedures are in place for governing software development controls for the technology that is being acquired as part of the deal. In addition, the acquiring company needs to examine how it will introduce any new technologies into its own organization and maintain compliance.
- Execute a vulnerability scan and risk assessment of the acquired company’s business and its assets, to characterize the business risk and the costs to remediate.
- Ascertain that there is appropriate investment in employee education and awareness. At a minimum, a cybersecurity training session should be held with staff from the new organization to outline security expectations and guidelines. Implore management to report on the program’s success and to follow up on its efficacy.
- Decide in advance if the target company will be fully integrated into or operate separately from the acquiring company, and direct management to develop the security strategy accordingly. For example, many security teams prefer to isolate the new group under a “zero trust model” for several months as a temporary safeguard. (Optiv)
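To make the first two checklist items concrete, here is an added example (not code from the article or from any vendor it cites) of a centralized asset register that carries a risk score per asset and rolls that risk up by third party. The asset fields follow the factors the checklist names (previous compromises, open vulnerabilities, asset criticality); the scoring weights, the deal-breaker threshold and the sample assets are constructed assumptions, not figures from the page.

```python
"""Toy M&A asset risk register (added example; weights and data are assumed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed criticality scale; a real program would calibrate its own.
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed points per open vulnerability by severity, and per prior incident.
VULN_POINTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}
INCIDENT_POINTS = 5


@dataclass
class Asset:
    name: str
    kind: str                          # infrastructure, software, hardware, mobile app
    criticality: str                   # low / medium / high / critical
    open_vulns: Dict[str, int]         # severity -> count of open findings
    prior_incidents: int = 0           # previous compromises on record
    third_party: Optional[str] = None  # partner/vendor that supplies or operates it


def asset_risk_score(a: Asset) -> int:
    """Score = criticality weight x (weighted open vulns + incident history)."""
    vuln_points = sum(VULN_POINTS[sev] * n for sev, n in a.open_vulns.items())
    return CRITICALITY_WEIGHT[a.criticality] * (vuln_points + INCIDENT_POINTS * a.prior_incidents)


def risk_register(assets: List[Asset]):
    """Rows of (name, kind, score), highest risk first, as the central database would list them."""
    rows = [(a.name, a.kind, asset_risk_score(a)) for a in assets]
    return sorted(rows, key=lambda r: -r[2])


def third_party_exposure(assets: List[Asset]) -> Dict[str, int]:
    """Total risk attributable to each partner, so the M&A team can see which
    relationships bring the most risk into the deal."""
    totals: Dict[str, int] = {}
    for a in assets:
        if a.third_party:
            totals[a.third_party] = totals.get(a.third_party, 0) + asset_risk_score(a)
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def deal_breakers(assets: List[Asset], threshold: int = 60) -> List[str]:
    """Assets that need an answer before signing: score at or above the (assumed)
    threshold, or a prior compromise combined with a still-open critical finding."""
    return [
        a.name for a in assets
        if asset_risk_score(a) >= threshold
        or (a.prior_incidents and a.open_vulns.get("critical", 0))
    ]


# Constructed sample inventory for a hypothetical target company.
SAMPLE_ASSETS = [
    Asset("customer-portal", "software", "critical", {"critical": 1, "high": 2}, prior_incidents=1),
    Asset("hr-payroll-saas", "software", "high", {"medium": 3}, third_party="PayrollCo"),
    Asset("warehouse-scanners", "hardware", "medium", {"high": 1}, third_party="ScanCorp"),
    Asset("field-mobile-app", "mobile app", "high", {"low": 2}),
    Asset("vpn-gateway", "infrastructure", "critical", {"high": 1}, third_party="NetCo"),
]

if __name__ == "__main__":
    for name, kind, score in risk_register(SAMPLE_ASSETS):
        print(f"{score:4d}  {name} ({kind})")
    print("third-party exposure:", third_party_exposure(SAMPLE_ASSETS))
    print("deal-breakers:", deal_breakers(SAMPLE_ASSETS))
```

The value of the register is not the particular weights but that every asset the target owns sits in one place with a comparable number attached, so the "previous compromise plus open critical vulnerability" case surfaces automatically instead of being discovered after the offer is made.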
If an organization has a third-party risk management program, companies under consideration for acquisition can be assessed for cost and risk more effectively, balancing cost against growth (to get real ROI) and properly assessing the cost of borrowing. Mature cybersecurity programs help you categorize risk and cost faster, giving you a decided edge on the competition.
In part three, we will focus on specific ways companies have leveraged cybersecurity to create new innovations and business opportunities.