If you work as a CISO, one of the key aspects of your job is to speak the business language and demonstrate how security contributes to the success of the company.
Below is a humble attempt to go beyond "if you don't do this, you'll get hacked/fined, so give me money" that will hopefully be helpful to fellow CISOs and anyone who has to sell the idea of cybersecurity.
Note that risk reduction remains the key argument in executive conversations, and contextual Cyber Risk Quantification (CRQ) is probably the best way to provide business-relevant numbers on the state of your residual risk and to justify the costs.
Please feel free to submit PRs and add more links and data to this collection.
- The average savings for organizations that use security AI and automation extensively is USD 1.76 million compared to organizations that don’t [IBM, 2023]
- Some of the best product-specific ROI calculations are done using Forrester’s Total Economic Impact™ methodology. A few examples:

| Product | ROI | Benefits PV | NPV | Payback |
|---|---|---|---|---|
| Palo Alto | 247% | $40M | $28.5M | 6 months |
| Cycognito | 490% | $15.88M | $13.19M | 6 months |
| KnowBe4 | 276% | $1.1M | $826K | 3 months |
| Cisco Duo | 159% | $5.26M | $3.23M | 6 months |

- Organizations that closely align their cybersecurity programs to business objectives are 18% more likely to increase their ability to drive revenue growth, increase market share and improve customer satisfaction, trust and employee productivity [Accenture, 2023]
- Cyber-resilient CEOs financially outperform their peers, with 16% higher incremental revenue growth, 21% more cost reduction improvements and 19% healthier balance sheet improvements [Accenture, 2023]
- 61% of tech CEOs view their information security as a competitive advantage. More than half (57%) say their cyber security strategy is integrated with their growth strategy [KPMG, 2022]
- There are successful examples of cybersecurity investment positively affecting all five of Porter's forces in creating competitive advantage [MIT Sloan, 2022]
- Companies with strong cybersecurity outperform the market by up to 7% [Bitsight, 2020]
- Publicly traded companies suffered an average decline of 7.5% in their stock values after a data breach, coupled with a mean market cap loss of $5.4 billion. On average it took 46 days to recover their stock prices to pre-breach levels, if they were able to do so at all [Bitglass, 2019]
- Security resilience is top of mind among executives; 96% of them consider it highly important to their business. Organizations that foster a culture of security see a 46% increase in resilience [Cisco, 2023]
- Organizations that embed key cybersecurity actions into their digital transformation efforts and apply strong cybersecurity operational practices across the organization are nearly 500% more likely to experience more effective digital transformations than those that don’t [Accenture, 2023]
- 37% of senior leaders see improved profitability as the top commercial advantage of increased digital trust [KPMG, 2023]
- 87% of global CEOs say they are investing in cybersecurity to build trust with customers [PWC, 2018]
- 77% of tech CEOs believe a strong cyber strategy is critical to engendering stakeholder trust [KPMG, 2022]
- 40% of global consumers will increase their online spend by at least 20% if they receive certain cybersecurity and data privacy assurances from retailers [Capgemini, 2018]