As outlined in our previous article, cybersecurity is not solely a cost center, and can be used to build stronger relationships with customers and key suppliers, improve business agility through exercising high-stress scenarios, break down communication siloes, and enhance operational efficiency.
We will now discuss the remaining business-centric pillars (Optimize, Innovate, Comply, and Instill) in detail.
Business-centric pillars of cybersecurity
Optimize: Enhance business value
To protect business value during times of economic uncertainty, businesses tend to minimize costs. There are ways to optimize cybersecurity costs without completely compromising the overall security posture of the business. Organizations can pull the below seven levers to enact meaningful change:
Simplify: Cutting down or reducing, which requires an assessment of what we currently have and take action to make a change. Some steps to simplify a cybersecurity program include assessing the current cybersecurity tool stack and vendor contracts, centralizing security insights, and revisiting the operating model.
Renegotiate: Negotiating, or in this case "re-negotiating" requires cybersecurity programs to review existing vendor contracts and identify options that can reduce overall costs. This does not mean that services and products need to be eliminated. It means the agreement requires updates to potentially get more for less. This involves identifying vendors that provide products and services and discussing if they can do better.
Prioritize: Businesses cannot employ effective security practices without robust risk management in place. Measuring risks in terms of annualized loss expectancy is integral to the process. Prioritizing security investments based on the reduction in the annualized loss expectancy of the business minimizes expenditure on unnecessary controls, while delivering the highest return on security investment.
Right-sizing: The process of identifying overlapping security capabilities by interviewing security teams and examining available tooling. Often, siloed security teams duplicate effort and don't tend to use all tooling available to them, which presents rationalization opportunities.
Re-engineer: Re-engineering or re-configuring existing security tools removes false positives and provides more meaningful alerts. Cost savings can be achieved by reducing the amount of full-time employees, contractors, or Managed Security Service Providers (MSSPs) required to monitor security tools by just re-configuring the tools to be more efficient and effective.
Automate: Automating manual processes reduces the number of bottlenecks that curtail the overall security posture. The operational efficiency gains typically outweigh the significant upfront investment in time required to configure automated tooling to minimize noise volumes and the training required for users of the tooling.
Insource/Outsource: Outsourcing security services provides businesses with quick access to a mature capability that may be otherwise resource-intensive to develop internally. Whereas, insourcing a capability can provide more control and direction over the capability, while providing cost saving opportunities in the long-term.
In addition to the cost reduction, positive changes to the business can be realized by optimizing cybersecurity costs, such as enhanced collaboration, greater transparency, and stronger relationships with strategic partners.
Innovate: Business enablement leads to innovation
It is human nature to find an alternative path around an obstacle. Cybersecurity leadership does not mean being the 'Chief No Officer'; rather, it means identifying alternative, creative solutions that are secure, while enabling the business. In this respect, cybersecurity breeds a culture of innovation within businesses that can be beneficial to wider product development.
Look no further than patent data to see why this is. In 2021, roughly 30% of companies in the NASDAQ Global Equity index that filed any patent, filed a cybersecurity patent. Many of these patents were primarily for use within products through secure-by-design processes (40% of the cybersecurity patents were filed by technology companies); however, the leaders of innovation in disruptive or emerging technologies were the businesses filing cybersecurity patents.
In the NASDAQ Global Equity Index, businesses filing cybersecurity patents also filed patents for innovative technology, such as image recognition, deep learning, virtual reality, speech recognition, and cloud computing. As many as 70% of companies that filed a cybersecurity patent also filed an image recognition patent, followed by deep learning at 60%, underscoring the influence that cybersecurity can have on the wider business as a 'strategic business enabler'.
Comply: Compliance with key regulations is fundamental to being a good global citizen
We recently saw the SEC cybersecurity disclosure rules go into effect in December 2023. These rules represent moderate investments in the form of modifications to existing compliance programs at best, and significant capital infusion in the form of setting up a new compliance program in the worst-case scenario.
Beyond cybersecurity, the data privacy landscape continues to be dynamic. The Federal Trade Commission has filed multiple Advanced Notice of Proposed Rulemaking (ANPR) documents, with the most recent ANPR geared towards exploring rules to "...crack down on harmful commercial surveillance and lax data security". In addition to states passing new or updated comprehensive privacy legislation, there have been multiple bipartisan attempts in US Congress to pass a federal data privacy bill. Across the globe, there are many other examples of newly passed, in effect, or draft legislative privacy bills being released by different governments, with the trend expected to continue.
Enforcement actions against regulatory violations are also rising, with record-setting penalties from regulators in the US, EU, and China. This is exemplified by the large settlements observed in recent years from multiple class-action lawsuits against different businesses within the technology sector.
As the cybersecurity and data privacy regulatory landscape continues to evolve at rapid pace, businesses that embrace these changes and become proactive will likely be the winners in the long-term. Businesses that can successfully build proactive compliance programs build trust with governing authorities. In the long-term, these businesses are more likely to be awarded access, approvals, and licenses that afford fresh opportunities for growth.
Businesses that not only cater to the rapid regulatory changes, but also link to their overall strategic business goals, e.g., ESG-related sustainability goals, tend to maintain competitive and reputational advantages that lead to value creation.
Instill: Provide confidence to act decisively
Businesses have long coped with the impact of business cycles. Now they must address not just cycles but cyclones. Storms spin up seemingly out of nowhere, irrespective of the ups and downs of the overall economy. It's no wonder that 61% of CEOs worry their company cannot keep up.
With generative AI cited as the biggest driver of disruption by 67% of business leaders, acting decisively to technological change is a mandate for success. The cybersecurity function can enable the business to capitalize on the changing environment through providing assurance on emerging technology and implementing the safeguards needed to protect the business. A dynamic approach is required to reprioritize cybersecurity initiatives that align more closely with the business strategy and support rapid decision making from the business leaders.
Putting it all together: Leveraging the seven business-centric pillars
The seven business-centric pillars of cybersecurity outline the ways in which cybersecurity can be harnessed to fortify existing, and create new, business value. This is achievable through building trust with customers, improving the agility of business leaders, enhancing critical business processes, optimizing cybersecurity program costs, enabling the business to cultivate innovation, improving reputation with regulators, customers, and key suppliers through being a good global citizen, and enabling leaders to act decisively.
As the economic environment over the next year shifts, businesses that seek to extract additional value from alternative sources will be rewarded. Is your business positioned to realize the benefits from cybersecurity?
AlixPartners works with senior leaders across businesses to optimize their cybersecurity programs, and more generally, their businesses. A Diagnostic assessment of an organization's cybersecurity program is a helpful way to identify issues and opportunities to maximize the value to the business. If you would like to discuss our cybersecurity offerings or read more about our thoughts on the opportunities that the changing landscape presents to Private Equity investors, please contact one of our experts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
