
Measuring Cybersecurity ROI Part 2: Cost Savings, Decreasing M&A Risk

December 11, 2019

The good news for frustrated CISOs is that cybersecurity also drives the sorts of revenues and efficiencies leadership looks for in evaluating ROI.

For starters, effective security means significant cost savings.

Efficiencies save time, and hence money, which is then available for other strategic initiatives. And cybersecurity, for many organizations, is a locus of significant inefficiency and waste.

A company’s security apparatus typically grows iteratively, with employees, tools and procedures added in response to changing budgets, threats and regulations. It is easier in the short-term to deal with emergent threats reactively rather than revisit the entire security strategy. Over time, this has led to an excessive number of tools, many of them point solutions, and this progresses into security teams that are overwhelmed by alerts, lacking a cohesive strategy and in a constant state of firefighting. (WeForum)

This sort of unintegrated, piecemeal approach tends to be inefficient and is often quite expensive. Our experience is that self-integration of a cybersecurity product is, on average, about 30% less efficient than if it’s implemented by an external cybersecurity integrator. Additionally, third-party integrators work with the technology a company already has in place, driving strong optimization efficiencies and reducing confusing, expensive (and less effective) vendor sprawl.


Second, cybersecurity dramatically reduces the risk associated with mergers and acquisitions.

Businesses must recognize the importance of cybersecurity due diligence in the M&A process. Because the standard for due diligence is low, several corporations have learned of major cyber incidents only after an acquisition deal closed. Serious cybersecurity issues, such as compliance gaps, data breaches, poor security architecture or the absence of incident response processes, should be uncovered before a transaction is finalized.

In one notable case, an acquirer’s final offer was cut by several hundred million dollars as a result of belated revelations about security incidents. And a 2016 NYSE survey found that more than half of respondents see security vulnerabilities as merger/acquisition deal-breakers. (CircleID)

Strong cybersecurity programs can supercharge the due-diligence process, though. Things to consider:

  • Ensure that a list of the target company’s digital assets, including infrastructure, software, hardware, and mobile apps, exists in a centralized database. This should include a risk score for each asset, based on information such as previous compromises, vulnerabilities, asset criticality, etc.
  • Gain a complete view of the target company’s third-party ecosystem. The board should insist that the M&A team evaluate the security protocols and assurances of each of the target’s partnerships to assess any risk they might introduce.
  • Make sure procedures are in place for governing software development controls for the technology that is being acquired as part of the deal. In addition, the acquiring company needs to examine how it will introduce any new technologies into its own organization and maintain compliance.
  • Execute a vulnerability scan and risk assessment of the acquired company’s business and its assets, to characterize the business risk and the costs to remediate.
  • Ascertain there is appropriate investment in employee education and awareness. At a minimum, a cybersecurity training session should be held with staff from the new organization to outline security expectations and guidelines. Implore management to report on the program’s success and to follow up on its efficacy.
  • Decide in advance if the target company will be fully integrated into or operate separately from the acquiring company, and direct management to develop the security strategy accordingly. For example, many security teams prefer to isolate the new group under a “zero trust model” for several months as a temporary safeguard. (Optiv)

If an organization has a third-party risk management program, potential acquisition targets can be assessed for cost and risk more effectively: cost is balanced against growth (the real ROI), and the cost of borrowing is properly accounted for. Mature cybersecurity programs help you categorize risk and cost faster, giving you a decided edge on the competition.

In part 3, we will focus on specific ways companies have leveraged cybersecurity to create new innovations and business opportunities.


By: Doug Drew
