
Cybersecurity—an essential element to every business decision

Companies with an effective cyber-risk culture understand that there is a strategic balance to be struck between the activities that generate revenue, the associated IT expense and the management of cyber-risk. Everyone understands how to get to the bottom line: Revenue – Expense = Net Income. Unfortunately, there is a tendency to focus on generating revenue while assuming that expenses can be controlled and risk managed so that the math works out in the end. That is a bad assumption, given the spectrum of potential outcomes that can follow a successful breach and the uncertainty involved in predicting the full cost of a compromise.

This model highlights the balance that must be achieved.

[Figure: model of the balance between revenue-generating activities, associated IT expense and cyber-risk]

Given the uncertainty of predicting the cost of a successful breach, it is important that any strategic decision concerning a new line of business, a significant merger or acquisition (M&A), or an internal reorganization or consolidation be based on a simple model that highlights the relationship between revenue-generating activities, the associated IT expense and the cybersecurity implications. The challenge of working through this model is two-fold. First, there is the uncertainty associated with the potential costs of a successful cyber-attack. Second, in most companies there is no single individual, or even functional office, with the experience, expertise and credibility to decide how to balance resources, and therefore risk, across these three areas. Estimating potential revenue and even IT expense is relatively straightforward. The challenge comes when the business unit lead is unable to understand the cyber-risk implications. At that point, he may rely on the CIO and the CISO to just “make it work.” Unfortunately, the CIO and the CISO may not be in a position to understand all of the business implications of the decisions made to provision and secure the environment. The result can be a situation in which the business unit, the CIO and the CISO cannot agree on how it all comes together; given the business leader's influence, security concerns are treated as nominal and the initiative goes forward, incurring significant unacknowledged risk to the company.

A recent example of a company failing to balance the potential for revenue generation against the risk of not accounting properly for cybersecurity was highlighted in a New York Times article, “Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say” (Sep 28, 2016). The article describes Yahoo’s internal deliberations over the tension between enhancing the customer experience in order to generate revenue and the requirement to provide better security in response to the hacks against a number of tech companies in the 2010 time frame. According to the article, security was viewed as a drag on product development and revenue generation and, as a result, Yahoo did not take important steps to improve the security posture it offered its customers. The result was a major hack that exposed perhaps as many as 500 million records. The article also describes the approach Google took when faced with the same challenge. Google prioritized security even at the cost of customer convenience and, so far, that has worked. Customers are embracing measures such as multi-factor authentication using Google Authenticator and the company, as far as we know, has not suffered a serious breach.

This example highlights how cybersecurity has to be viewed through three lenses: first, as an expense to control; second, as a risk to be managed; and third, as an asset that can support revenue generation. The expense lens is obvious, since cybersecurity has a limited budget just like everything else. It is clearly a risk to be managed: our ability to operate in cyberspace will be continually challenged and we cannot afford to disconnect from the internet, so we must manage the risk. But we should also consider how cybersecurity can support revenue generation. Increasingly, consumers are unwilling to do business with companies that have suffered a significant breach, and cyber-risk due diligence is part of every partnership or M&A discussion. Certainly in this example, Google appears to have been able to leverage its investment in cybersecurity into building customer confidence and generating revenue.

Yahoo or Google—who made the right strategic business decision?