Measuring Cybersecurity ROI Part 2: Cost Savings, Decreasing M&A Risk

The good news for frustrated CISOs is that cybersecurity also drives the sorts of revenues and efficiencies leadership looks for in evaluating ROI.

For starters, effective security means significant cost savings.

Efficiencies save time, and hence money, which is then available for other strategic initiatives. And for many organizations, cybersecurity is a locus of significant inefficiency and waste.

A company’s security apparatus typically grows iteratively, with employees, tools and procedures added in response to changing budgets, threats and regulations. In the short term it is easier to deal with emergent threats reactively than to revisit the entire security strategy. Over time this leads to an excessive number of tools, many of them point solutions, and to security teams that are overwhelmed by alerts, lack a cohesive strategy and are in a constant state of firefighting. (WeForum)

This sort of unintegrated, piecemeal approach tends to be inefficient and is often quite expensive. Our experience is that self-integration of a cybersecurity product is, on average, about 30% less efficient than implementation by an external cybersecurity integrator. Additionally, third-party integrators work with the technology a company already has in place, driving strong optimization efficiencies and reducing confusing, expensive (and less effective) vendor sprawl.

Second, cybersecurity dramatically reduces the risk associated with mergers and acquisitions.

Businesses must recognize the importance of cybersecurity due diligence in the M&A process. Because the standard for due diligence is low, several corporations have found out about major cyber incidents only after an acquisition deal had gone through. Serious cybersecurity issues around compliance, data breaches, poor security architecture or the absence of incident response processes should be uncovered before a transaction is finalized.

In one notable case, an acquirer’s final offer was cut by several hundred million dollars as a result of belated revelations about security incidents. And a 2016 NYSE survey found that more than half of respondents see security vulnerabilities as merger/acquisition deal-breakers. (CircleID)

Strong cybersecurity programs can supercharge the due-diligence process, though. Things to consider:

  • Ensure that a list of the target company’s digital assets, including infrastructure, software, hardware and mobile apps, exists in a centralized database. It should include a risk score for each asset, based on information such as previous compromises, known vulnerabilities and asset criticality.
  • Gain a complete view of the target company’s third-party ecosystem. The board should insist that the M&A team evaluate the security protocols and assurances of each of the target’s partnerships to assess any risk they might introduce.
  • Make sure procedures are in place to govern software development controls for the technology being acquired as part of the deal. In addition, the acquiring company needs to examine how it will introduce any new technologies into its own organization and maintain compliance.
  • Execute a vulnerability scan and risk assessment of the acquired company’s business and its assets, to characterize the business risk and the cost to remediate.
  • Ascertain that there is appropriate investment in employee education and awareness. At a minimum, a cybersecurity training session should be held with staff from the new organization to outline security expectations and guidelines. Ask management to report on the program’s success and to follow up on its efficacy.
  • Decide in advance whether the target company will be fully integrated into or operate separately from the acquiring company, and direct management to develop the security strategy accordingly. For example, many security teams prefer to isolate the new group under a “zero trust model” for several months as a temporary safeguard. (Optiv)

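The first item above asks for a centralized inventory of the target’s digital assets with a risk score per asset. The following is an added example (not code from the original post or its author) of what such a scored inventory can look like in practice: each asset carries its kind, business criticality, count of previous compromises and the severities of its open findings, and a scoring function ranks assets and buckets them into bands for the review team. The severity weights, criticality multipliers, band thresholds and the sample assets are constructed assumptions for illustration, not an industry standard; unknown labels raise an error so that a dirty export from the target’s tooling fails loudly instead of quietly scoring as low risk.

```python
"""Asset inventory with per-asset risk scoring for M&A due diligence.

Added example, not code from the original post or its author. Weights,
multipliers, band thresholds and the sample inventory are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed assumption: points per open finding, by severity label.
SEVERITY_WEIGHT: Dict[str, int] = {"critical": 10, "high": 6, "medium": 3, "low": 1}
# Constructed assumption: multiplier for how important the asset is to the business.
CRITICALITY_MULT: Dict[str, float] = {"high": 2.0, "medium": 1.5, "low": 1.0}
PRIOR_COMPROMISE_WEIGHT = 8   # points per previously recorded compromise (assumed)
MAX_SCORE = 100
# Constructed band thresholds, highest first, used to bucket assets for review.
BANDS = (("high", 60), ("medium", 25), ("low", 0))


@dataclass
class Asset:
    name: str
    kind: str                        # infrastructure, software, hardware, mobile app
    criticality: str                 # high / medium / low
    prior_compromises: int = 0
    open_vulns: List[str] = field(default_factory=list)  # severity of each open finding


def risk_score(asset: Asset) -> int:
    """Return a 0..100 risk score for one asset.

    Unknown criticality or severity labels raise ValueError: a dirty export
    from the target's tooling should fail loudly rather than score as low risk.
    """
    if asset.criticality not in CRITICALITY_MULT:
        raise ValueError(f"{asset.name}: unknown criticality {asset.criticality!r}")
    vuln_points = 0
    for sev in asset.open_vulns:
        if sev not in SEVERITY_WEIGHT:
            raise ValueError(f"{asset.name}: unknown severity {sev!r}")
        vuln_points += SEVERITY_WEIGHT[sev]
    raw = vuln_points + PRIOR_COMPROMISE_WEIGHT * asset.prior_compromises
    raw *= CRITICALITY_MULT[asset.criticality]
    return min(MAX_SCORE, int(round(raw)))


def risk_band(score: int) -> str:
    """Map a score to a band label using BANDS (highest threshold first)."""
    for label, threshold in BANDS:
        if score >= threshold:
            return label
    return "low"


def rank_inventory(assets: List[Asset]) -> List[Asset]:
    """Highest-risk assets first; ties broken by name so reports are stable."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def band_counts(assets: List[Asset]) -> Dict[str, int]:
    """How many assets fall in each band: a one-line summary for the M&A team."""
    counts = {label: 0 for label, _ in BANDS}
    for a in assets:
        counts[risk_band(risk_score(a))] += 1
    return counts


# Constructed sample inventory for a hypothetical target company.
SAMPLE_ASSETS = [
    Asset("payments-api", "software", "high", prior_compromises=1, open_vulns=["critical", "high"]),
    Asset("hr-portal", "software", "medium", open_vulns=["medium", "low"]),
    Asset("edge-fw-01", "infrastructure", "high", prior_compromises=2, open_vulns=["high"]),
    Asset("field-app", "mobile app", "low", open_vulns=["low"]),
    Asset("legacy-db", "infrastructure", "high", prior_compromises=3,
          open_vulns=["critical", "critical", "high"]),
]

if __name__ == "__main__":
    for a in rank_inventory(SAMPLE_ASSETS):
        s = risk_score(a)
        print(f"{a.name:14} {a.kind:15} score={s:3d} band={risk_band(s)}")
    print(band_counts(SAMPLE_ASSETS))
```

Running the script ranks the sample inventory with `legacy-db` at the top (capped at 100) and reports one high, two medium and two low assets. The point of the structure, rather than the particular numbers, is that the inputs (prior compromises, open findings, criticality) are the same facts the due-diligence list above asks the acquirer to collect, so the score can be recomputed as scans and disclosures update them.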
If an organization has a third-party risk management program, potential acquisition targets can be assessed to determine cost and risk more effectively, balancing cost against growth (to get real ROI) and properly assessing the cost of borrowing. Mature cybersecurity programs help you categorize risk and cost faster, giving you a decided edge on the competition.

In part 3, we will focus on specific ways companies have leveraged cybersecurity to create new innovations and business opportunities.

Doug Drew
Doug Drew has more than 20 years of cybersecurity business, technical and leadership experience, in roles ranging from incident response and PCI practice lead to security program consulting and staff-augmentation CISO.