Cybersecurity is viewed by many as a cost center, requiring investment in people, processes, and technology, without directly providing an apparent revenue stream. This viewpoint fails to capture the benefits that come with securing assets and customer data.
Cybersecurity risk and strategy are an integral part of the business, which can help to protect value, saving millions, and in some cases, billions of dollars in fines, breach costs, lawsuits, and reputational damage.
Through our client engagements, we have derived seven business-centric pillars of cybersecurity, which can transform cybersecurity from a cost center to a business-enabler. Capitalizing on these benefits is imperative to fortifying business value and providing a competitive advantage during times of economic uncertainty.
In the first article of this two-part series, we discuss the first three of the seven business-centric pillars (Transparency, Stress-test, and Identify) in detail.
Business-centric pillars of cybersecurity
Transparency: Build digital trust with customers
With news of data breaches and misinformation becoming commonplace, doubts have been seeded in the minds of customers, cultivating a crisis in trust. This has been amplified through the accelerated rate of customer data acquisition from recent digital transformations.
According to the ISACA 2023 State of Digital Trust Report, 56% of respondents stated that low levels of digital trust lead to the loss of customers. On the flip side, 55% of respondents stated that high levels of digital trust lead to stronger customer loyalty.
Achieving digital trust with customers should be key to any business strategy in the modern era, but how exactly can businesses build trust with their customers?
To answer this, we need to understand how informed customers traverse the digital trust hierarchy on their journey with a company, which involves the customer asking themselves a series of questions:
- Do I want to receive and open emails from this company?
- Do I want to accept cookies from this company website?
- Do I want to provide my personal information via the company website?
- Do I want to download the mobile application?
- Do I want to enter my credit card information to purchase products/services?
For customers to navigate the digital trust hierarchy and answer ‘yes’ to the questions above, two key requirements must be satisfied:
- The company must have implemented robust cybersecurity controls, such as data encryption, secure storage, and continuous monitoring, to protect and safeguard the customer data.
- The company must be transparent with the consumer, which translates to clearly and honestly communicating the cybersecurity and data privacy measures that are in place to protect consumer data.
Ultimately, transparency engenders trust, which is intrinsic to building deeper, long-term customer relationships and fortifying business revenue streams.
Stress-test: Improve business agility
According to AlixPartners’ 2024 Disruption Index, 75% of CEOs say that their companies are facing a high amount of disruption and 72% say their executive team lacks the agility to deal with it. In the age of disruption, every company, executive team, and CEO must contend not only with the challenges of competitors, costs, and customers, but also with sudden shifts in the business environment and with inexorable long-term trends that are transforming how businesses win—and lose. The ability to respond rapidly and decisively to threats is imperative to survival.
An integral component of any cybersecurity program is disaster recovery and incident response exercising, which requires the involvement of management teams. One of the benefits of exercising a range of different cybersecurity incident scenarios is the improvement in rapid decision-making under stressful conditions. This is often complemented by the breakdown of the communication siloes that typically exist between management and technical teams.
While exercising drives improvements in cybersecurity response and recovery processes, it also provides the blueprint for navigating high-stress disaster situations and remaining agile. This equips management teams with the toolset to make vital business decisions during times of elevated stress and capitalize on the disruptive business environment.
Identify: Enhance key business processes
Identifying organizational crown jewel assets (i.e., the most valuable and sensitive assets that are crucial for the business operations, reputation, and competitive advantage) is not solely about security. It forces the business to understand the key drivers of the value proposition and evaluate where the competitive edge lies. In turn, this drives the improvement of reliability, reduced downtime, and increased overall efficiency in key business processes, strengthening business value.
An unintended benefit of securing the crown jewel assets may be unlocking hidden business value through identifying and leveraging new sources of data and, subsequently, new insights about customers or the efficiency of business processes. However, this is a double-edged sword: The prevalence of data is accompanied by a growing risk of data exposure and compromise, which presents significant regulatory, reputational, and competitive threats.
To combat this risk, businesses need to invest in their future by building or continuously improving robust Data Loss Prevention (DLP) and insider threat programs. An effective DLP program should address the following key questions:
- Can I identify and classify our most sensitive data, ensuring it receives the highest level of protection?
- Can I track data movement throughout the network, identifying any unusual or unauthorized data transfers?
- Do I have the safeguards in place that can analyze the content of emails, messages, and files to detect sensitive information being shared inappropriately?
- Do I have the right tools to enforce policies that automatically block or encrypt sensitive data to prevent leaks before they happen?
By proactively addressing the risk of data leakage for the crown jewels, businesses employ the first pillar (transparency), improving trust with their customers, partners, and employees, and ensuring continued success in the digital age.
Getting started: Leveraging the business-centric pillars
The three business-centric pillars of cybersecurity discussed here (transparency, stress-test, and identify) provide a holistic view of the value that cybersecurity can bring to businesses, in addition to securing the confidentiality, availability, and integrity of information. This can lead to stronger relationships with customers and key suppliers, improve business agility through exercising the high-stress scenarios, break down communication siloes, and enhance operational efficiency.
Capitalizing on the three pillars requires a blueprint for action:
- Develop a strategy to communicate the core cybersecurity safeguards that have been implemented to safeguard customer data. Identify the strengths in the cybersecurity program that differentiate the business from competitors and embed these into marketing campaigns.
- Implement a robust incident response and disaster recovery exercising program and mandate regular input from management teams. Use lessons-learned exercises to highlight improvement opportunities in decision-making.
- Map the organizational crown jewels to the business processes to inform all cybersecurity investment decisions.
In the next article in this series, we’ll dive into how businesses can improve business value through optimizing cybersecurity programs, how business enablement through cybersecurity breeds a culture of innovation, and how leveraging compliance with key regulations can enhance brand reputation.