Maximizing And Fortifying Business Value Through Cybersecurity: Instilling Confidence Is Key – Security
As outlined in our previous article, cybersecurity is not solely
a cost center, and can be used to build stronger relationships with
customers and key suppliers, improve business agility through
exercising high-stress scenarios, break down communication siloes,
and enhance operational efficiency.
We will now discuss the remaining business-centric pillars
(Optimize, Innovate, Comply, and Instill) in detail.
Business-centric pillars of cybersecurity
Optimize: Enhance business value
To protect business value during times of economic uncertainty,
businesses tend to minimize costs. There are ways to optimize
cybersecurity costs without completely compromising the overall
security posture of the business. Organizations can pull the below seven levers
to enact meaningful change:
Simplify: Cutting down or reducing, which
requires an assessment of what we currently have and take action to
make a change. Some steps to simplify a cybersecurity program
include assessing the current cybersecurity tool stack and vendor
contracts, centralizing security insights, and revisiting the
operating model.
Renegotiate: Negotiating, or in this case
“re-negotiating” requires cybersecurity programs to
review existing vendor contracts and identify options that can
reduce overall costs. This does not mean that services and products
need to be eliminated. It means the agreement requires updates to
potentially get more for less. This involves identifying vendors
that provide products and services and discussing if they can do
better.
Prioritize: Businesses cannot employ effective
security practices without robust risk management in place.
Measuring risks in terms of annualized loss expectancy is integral
to the process. Prioritizing security investments based on the
reduction in the annualized loss expectancy of the business
minimizes expenditure on unnecessary controls, while delivering the
highest return on security investment.
Right-sizing: The process of identifying
overlapping security capabilities by interviewing security teams
and examining available tooling. Often, siloed security teams
duplicate effort and don’t tend to use all tooling available to
them, which presents rationalization opportunities.
Re-engineer: Re-engineering or re-configuring
existing security tools removes false positives and provides more
meaningful alerts. Cost savings can be achieved by reducing the
amount of full-time employees, contractors, or Managed Security
Service Providers (MSSPs) required to monitor security tools by
just re-configuring the tools to be more efficient and
effective.
Automate: Automating manual processes reduces
the number of bottlenecks that curtail the overall security
posture. The operational efficiency gains typically outweigh the
significant upfront investment in time required to configure
automated tooling to minimize noise volumes and the training
required for users of the tooling.
Insource/Outsource: Outsourcing security
services provides businesses with quick access to a mature
capability that may be otherwise resource-intensive to develop
internally. Whereas, insourcing a capability can provide more
control and direction over the capability, while providing cost
saving opportunities in the long-term.
In addition to the cost reduction, positive changes to the
business can be realized by optimizing cybersecurity costs, such as
enhanced collaboration, greater transparency, and stronger
relationships with strategic partners.
Innovate: Business enablement leads to innovation
It is human nature to find an alternative path around an
obstacle. Cybersecurity leadership does not mean being the
‘Chief No Officer’; rather, it means identifying
alternative, creative solutions that are secure, while enabling the
business. In this respect, cybersecurity breeds a culture of
innovation within businesses that can be beneficial to wider
product development.
Look no further than patent data to see why this is. In 2021,
roughly 30% of companies in the NASDAQ Global Equity
index that filed any patent, filed a cybersecurity patent. Many
of these patents were primarily for use within products through
secure-by-design processes (40% of the cybersecurity patents were
filed by technology companies); however, the leaders of innovation
in disruptive or emerging technologies were the businesses filing
cybersecurity patents.
In the NASDAQ Global Equity Index, businesses filing
cybersecurity patents also filed patents for innovative technology,
such as image recognition, deep learning, virtual reality, speech
recognition, and cloud computing. As many as 70% of companies that filed a cybersecurity patent
also filed an image recognition patent, followed by deep learning
at 60%, underscoring the influence that cybersecurity can have
on the wider business as a ‘strategic business
enabler‘.
Comply: Compliance with key regulations is fundamental to
being a good global citizen
We recently saw the SEC cybersecurity disclosure rules go into
effect in December 2023. These rules represent moderate investments
in the form of modifications to existing compliance programs at
best, and significant capital infusion in the form of setting up a
new compliance program in the worst-case scenario.
Beyond cybersecurity, the data privacy landscape continues to be
dynamic. The Federal Trade Commission has filed multiple Advanced
Notice of Proposed Rulemaking (ANPR) documents, with the most
recent ANPR geared towards exploring rules to “…crack
down on harmful commercial surveillance and lax data
security“. In addition to states passing new or updated
comprehensive privacy legislation, there have
been multiple bipartisan attempts in US Congress to pass a federal
data privacy bill. Across the globe, there are many other examples
of newly passed, in effect, or draft legislative privacy bills
being released by different governments, with the trend expected to
continue.
Enforcement actions against regulatory violations are also
rising, with record-setting penalties from regulators in the US, EU, and
China. This is exemplified by the large settlements observed in
recent years from multiple class-action lawsuits against different
businesses within the technology sector.
As the cybersecurity and data privacy regulatory landscape
continues to evolve at rapid pace, businesses that embrace these
changes and become proactive will likely be the winners in the
long-term. Businesses that can successfully build proactive
compliance programs build trust with governing authorities. In the
long-term, these businesses are more likely to be awarded access,
approvals, and licenses that afford fresh opportunities for
growth.
Businesses that not only cater to the rapid regulatory changes,
but also link to their overall strategic business goals, e.g.,
ESG-related sustainability goals, tend to maintain competitive and
reputational advantages that lead to value creation.
Instill: Provide confidence to act decisively
Businesses have long coped with the impact of business cycles.
Now they must address not just cycles but cyclones. Storms spin up
seemingly out of nowhere, irrespective of the ups and downs of the
overall economy. It’s no wonder that 61% of CEOs worry their company cannot keep
up.
With generative AI cited as the biggest driver of disruption by
67% of business leaders, acting decisively to
technological change is a mandate for success. The cybersecurity
function can enable the business to capitalize on the changing
environment through providing assurance on emerging technology and
implementing the safeguards needed to protect the business. A
dynamic approach is required to reprioritize cybersecurity
initiatives that align more closely with the business strategy and
support rapid decision making from the business leaders.
Putting it all together: Leveraging the seven business-centric
pillars
The seven business-centric pillars of cybersecurity outline the
ways in which cybersecurity can be harnessed to fortify existing,
and create new, business value. This is achievable through building
trust with customers, improving the agility of business leaders,
enhancing critical business processes, optimizing cybersecurity
program costs, enabling the business to cultivate innovation,
improving reputation with regulators, customers, and key suppliers
through being a good global citizen, and enabling leaders to act
decisively.
As the economic environment over the next year shifts,
businesses that seek to extract additional value from alternative
sources will be rewarded. Is your business positioned to realize
the benefits from cybersecurity?
AlixPartners works with senior leaders across businesses to
optimize their cybersecurity programs, and more generally, their
businesses. A Diagnostic assessment of an organization’s
cybersecurity program is a helpful way to identify issues and
opportunities to maximize the value to the business. If you would
like to discuss our cybersecurity offerings or read more about our
thoughts on the opportunities that the changing landscape presents to Private Equity
investors, please contact one of our experts.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.