By Jerald Dawkins, PhD, Chief Technology Officer, CISO Global, Inc.
Mature Cybersecurity Fuels Business Growth
Being a cybersecurity practitioner 15-20 years ago sometimes made me the unpopular guy in the room. People are always excited about financial gain – opening new lines of business, developing creative and sustainable revenue streams – you know, the fun stuff. But nobody wanted to talk about cybersecurity-related financial losses at that time – especially not potential losses due to risks that very few people understood yet. With the recent, widespread increase in cybersecurity awareness, however, has also come the budding realization that security can actually fuel growth.
Cybersecurity That Drives Business in the Real World
About 10 years ago, I started to see this trend emerging. A retail client was struggling with delays in their sales process due to lengthy credit application processes for customers who could not pay cash. They ultimately designed a secure, in-store digital device that was only possible due to its underlying security components. This single digital change resulted in explosive growth across their national chain stores over the coming years. Then, a small health tech startup for whom we had been providing security and compliance documentation was able to use evidence of their cybersecurity posture to help them sell into the regulated enterprise market. Eight years later, the startup has continued to sell to enterprise clients, taking them from <$5 million to $50 million annually – and growing.
Cyber maturity can help GROW your businesses, especially in regulated industries.
An international model of cyber maturity and growth
A 2023 study from CYE measured and analyzed cybersecurity maturity across 11 different industries and 15 countries. The number one vertical in the world for cybersecurity is the energy sector, and the number one most cyber-mature nation in the world is Norway. You may have expected one of the world’s wealthiest nations – or one of the more regulated industries – to be at the top, but one of the most important things to remember about cybersecurity maturity is that it’s less about how much money you spend than how wisely you spend it. Is it any surprise that the number one industry in Norway is energy, and that revenue from crude oil and natural gas in Norway grew 126% between 2015 and 2022?
While Norway’s energy industry growth last year can largely be attributed to the war between Ukraine and Russia, the country was also able to avoid losses due to the same war – as they were a valuable target for disruptive cyber attacks from Russian threat actors. Strategic investments in cybersecurity protected the profitability and growth of their private-public energy sector. By anticipating this issue and bolstering readiness and resiliency, Norway showed the world what it means to grow top line revenue while avoiding bottom line losses. Isn’t that always good business? So, despite a host of outside factors, the correlation between security and growth is there.
What does maturity look like?
Similar to security frameworks like the NIST CSF (National Institute of Standards and Technology – Cybersecurity Security Framework), the CYE study defines “maturity” across elements it sees as essential to a strong program. While NIST and other frameworks may vary in how they categorize, the same key elements are largely present. CYE defines their maturity model as inclusive of seven (7) areas:
- Application-Level Security
- Policies, Procedures, & Governance
- Identity Management & Remote Access
- Network Level Security
- Security Operations Monitoring & Incident Response
- Sensitive Data & Information Management
- Servers, Network Equipment, & Endpoint Security
A score between 1-5 was given to each area, ranging from 1 (reactive/most immature) to 5 (proactive, measured, and continually improving/most mature). Regardless of the framework you use, it’s key to baseline your posture with a risk assessment, so you can measure progress over time.
Many organizations perform such assessments annually to track security improvements but may not know how to identify opportunities for growth. Working with the right team of experts can help you identify the right next steps to fuel business opportunities as you grow.
Why immature programs won’t fuel growth for your company.
Emerging cybersecurity programs typically lack security by design principles in their IT systems, putting them at a disadvantage. With minimal risk reduction baked in from the outset, security objectives are harder to achieve. Time efficiencies suffer, too, and teams tend to look for security technologies they can tack onto existing networks. Pieced-together technology stacks take more time to manage and coordinate, and manually handled compliance-documentation processes (still using spreadsheets?) slow everyone down.
Additionally, many organizations with immature programs may struggle to know how to spend the budget they do have for greatest impact. Without expert consultation to help you develop a security program aligned to your company’s business goals, the process can crawl along. This poor progress means little ROI to show for your efforts, which can lead to further delays during budget approval processes, as boards and leadership struggle to see progress in readiness and resiliency in the previous year’s spend.
The flip side: why having a mature security program is correlated with revenue growth.
An ATT security benchmarking study found that organizations with mature cybersecurity programs were 2.3X more likely than those with less mature programs to see a direct correlation between business-enabling IT initiatives and their cybersecurity efforts. Moreover, 57% of organizations with leading security programs said they exceeded their revenue goals by 7%.
In other words, having a mature security program doesn’t just remove barriers – it fuels growth. Cyber readiness and resiliency allows you to undertake IT projects that will open your organization to expanded lines of business and revenue generation.
Mature cybersecurity programs open doors for new business. More and more leading companies and investors are requesting security and compliance validations from new vendors and partners. If you are not yet getting validations such as risk assessments, certifications like SOC 2-Type 2, and penetration testing from certified security testers, you will not have documentation to provide the necessary assurances.
Today’s buyers and investors are more mature, recognizing that risks like a third-party supply chain attack can be costly to profitability and your brand — and can create legal fallout and potential fines due to noncompliance. They want assurances up-front.
Providing evidence of a more mature cybersecurity program can be a key differentiator when your prospective clients are deciding between two different providers, especially in regulated spaces like healthcare, finance, education, energy, and government contracting.
Cybersecurity steps taken today can determine whether you win tomorrow’s contract.
Not there yet? Hit the basics NOW.
“Organizations can achieve a superior maturity posture even without a large cybersecurity budget, if they plan and spend it right” (CYE 2023).
Last year, I had the pleasure of watching our President & Chief Information Security Officer at CISO Global, Ashley Devoto, speak to a large group of IT executives from primarily enterprise organizations. At one point, Ashley asked everyone to – in a moment of total honesty – raise their hands if they felt their organizations were still not executing as well as they could on the fundamentals of cybersecurity. The basics – MFA, identity access management, updated policies and procedures, etc. – not anything fancy like security monitoring with AI, or expensive data loss protection (DLP) solutions. Nearly everyone in the room raised their hands, with many thanking her afterward for the reminder that maturity doesn’t equal budget. Past the minimum threshold, how you spend it is often more relevant than what you spend.
We’re here to help.
CISO Global maintains a deep bench of experts across secure engineering, readiness & resiliency, cyber defense, strategy and risk, and incident response. If you would like help identifying gaps and opportunities in your cybersecurity program to support future growth, reach out to us today.