The “Value Creation” Side of Return on Security Investment (ROSI) Estimates

Last Updated on August 12, 2022

Most of us think of information security as akin to auto insurance. It costs money and you hope you never actually need it. But if something bad happens, you have some protection to blunt a potentially catastrophic impact.

This is the value preservation aspect of information security. It protects and preserves the value of your business and its sensitive data, like your client list or most precious intellectual property. But a strong information security program can also create value, such as helping you win new business or keep current customers. Only… how do you calculate how much value your security investments are creating or could potentially create?

To help security and business leaders frame discussions on the value of cybersecurity investments, James Fair, SVP at Executech joined a recent episode of The Virtual CISO Podcast. Hosting the podcast as usual is John Verry, Pivot Point Security CISO and Managing Partner.

The InfoSec field of dreams

How can a demonstrably robust cybersecurity posture add business value? Could it help you compete and win lucrative contracts? Could it help you upsell add-on services to current clients? Could it improve your brand image and reputation? Could it eliminate roadblocks to venture capital investment?

Maybe all of the above!? But how can you really know?

“The challenge on the value creation side is, there is some level of what I call ‘InfoSec field of dreams,’” remarks John. “If we build it, we are going to win new customers. These customers will come.”

But will that dream convince your CFO to invest, say, $100,000 to achieve ISO 27001 or CMMC Level 2 certification?

“I like the good side of cybersecurity,” James responds. “You don’t hear that very much, though. I don’t know if you’re going to get any new clients from it. I mean, you could go out there and say, ‘We’ve never been hit,’ but that tends to put a target on your back.”

Asserting provable security

John suggests a different direction: “Hey, we’ll be the first company in our industry to become ISO 27001 certified and be able to tell customers.”

It’s true that more RFPs and bids are requesting “provable security” in some form. The US government’s compliance requirements for suppliers (e.g., CMMC/NIST 800-171 compliance in the defense supply chain) are but one example.

“Yes, there are expanded options like the potential for looking at DoD contracts and other things you may not be able to touch otherwise,” James observes. “But I also think there’s resiliency built into it that isn’t taken into account. You become more trustworthy, and how do we put that out there to the customers? They see us as more resilient and trustworthy. We’ve got the business continuity.”

Technology advances

James alludes to some new technology advances, such as adaptive security architectures and user behavioral analysis capabilities, that he feels “will really change the landscape quite a bit.”

“But your strategy needs to be prioritizing adaptability, confidentiality, privacy, safety and reliability,” advises James. “Upskilling leaders in research and security options that are going to free up resources in the future. I think that’s where we can build a lot of value.”

Value creation can require investment

Improving security can help boost revenues. But the opposite is also true. Failure to invest in security can leave your business unable to compete.

John cites examples from the defense industrial base (DIB) where SMBs need to make significant investments to meet CMMC/NIST 800-171 security requirements for handling controlled unclassified information (CUI).

“A $100,000-plus investment for those size organizations that have relatively simple technology footprints is a big jump,” concedes John. “I’m constantly having conversations with people where they’re like, ‘I’d rather go out of business or stop servicing the DIB.’ And that’s a fair component.”

But what if your SMB is one of 30 organizations competing in a niche market, and they are all considering leaving the business because of the required security investment? If you make the investment, you might lose more than half your competition and significantly increase your revenue and client base.

What’s next?

To hear the complete episode with James Fair, click here.

Can stronger cybersecurity help make your company more appealing to investors? Absolutely, and here is why: 5 Top Criteria for Venture Capitalists Evaluating Tech Companies
