Over the last few months we have all seen the economic bounce back from Covid checked by some harsh economic contractions as the world reels from the Russian invasion of Ukraine. Companies are faced with rising inflation which is driving interest rates up which in turn is impacting consumer demand, meaning we are ALL under pressure to deliver more (with less) while demonstrating high returns on investment.
Speaking to clients the question they are all too often faced with is what should the budget priorities be? Sadly, when it comes to investing in third party cyber risk management - because it is not visible until something goes wrong – many companies perceive this as expense.
If you are a CPO, CISO or third party risk manager defending your budget, there is a more compelling way to see the payback and that is by directly correlating the value to what the CFO’s is really interested in - ROI!
As we know we are in a significant year for cybercrime, with breaches making the news far too often and the threat of State Actors increasing.
According to a study by Forrester, 60% of security incidents will result directly from issues with third parties.
Currently, we believe that every company connected to the internet, regardless of size, has a duty to invest in cybersecurity. Therefore we need to understand its value and use compelling business cases to justify the investment during these challenging times.
Though adjusting current practices may not be easy, clear communication about the importance of bona fide third party cyber risk management can encourage your executive team and the board to support this important activity.
Consider the following.
- Load all your third parties and suppliers into Darkbeam and run an audit. Set-up refresh for every week or month and start to understand which third parties pose you the greatest exposure. If there is reason for concern, simply send them a link to the report and action the recommendations.
- Not all third parties and suppliers are equal. Recognise those that are more critical than others and or hold your sensitive business data. Monitor these more regularly as these pose a great threat to your business.
- Although this may have been time consuming in the past, Darkbeam has automated the entire process. It takes minutes to set-up and run.
It is key to set the right expectations from the beginning - cybersecurity is not a product or a service - it is a culture. Collectively shielding a company from losses is the most powerful way for it to have any financial benefit.
The trick is to speak in the language of numbers. For example, if you can explain how a $1 investment would stop an event that could cost $10 to the company, you can get the management to vote on your side.
Formulate the Return on Investment (ROI) - A number of direct savings can be measured based on the size of your company, using the budget elements of labour savings defined by full-time equivalent/(FTE) cost savings per year, and the reduction of costs associated with software systems and services, to aid the cybersecurity management process.
We have found the direct savings may amount to $100,000–150,000 per annum for smaller organisations and the number for larger, multi-unit enterprises usually falls within the $200,000–300,000 range.
One startling statistic from Ponemon Report is that “Third parties are spending 15,000 hours a year on completing assessments, at an average cost of $1.9m annually.”
You can also take into account the indirect costs of FTE activities, including:
- Activities related to compliance with data security requirements.
- Partnership with third-party security vendors.
- Reduction in cyber breach insurance cost.
- Reselling the cyber risk management services to consumers.
- They add up to an additional value of four to six FTEs and savings/new revenue in the $100,000+ range.
Presenting Your Business Case
So, you have made a substantial, compelling business case for your organization. Now, you need to introduce your proposal to senior management.
Cost Avoidance Calculator: This model enables clients to scenario plan and understand the all the necessary variables from which a trusted understanding of the potential value.
Total Cost of Ownership Model: Looks at the hard productivity and efficiency data that can be modelled against cost.
Conclusion
All-in-all, the trick to submitting a solid business case is to arm yourself with the right notes. Align your investment plan with the needs, risks, and compliance requirements of your business. Also, knowing your organisation's needs would make strategic planning simpler and lead to more equitable investments.
BUT having modelled the investment trust will increase and the and commitment increases as the invisible become visible.