BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
CIOs are often asked to quantify the value of technology investments, but the CIO of an East Coast company was caught off guard by one such recent request and whom it came from. "The marketing chief wanted to know if we should use our security and privacy measures as a competitive differentiator to market our business and services," said the CIO, who is still in the midst of his research and asked not to be named.
This CIO came across one case study of an ROI linked to a security purchase, and he is taking it with a grain of salt. It comes from an e-commerce consulting firm's case study of US Cutter, a wholesale provider of vinyl cutters and supplies, which the study claimed reaped an 11% improvement in overall sales and a 52% increase in sales from paid search by spotlighting the Norton Secured Seal throughout the company's e-commerce site.
Another CIO took it upon himself to create a case study of sorts, featuring his own organization as the unlucky subject, to stress that business, reputation and, yes, competitive differentiation will be lost without the right information security program in place.
"I began my security presentation with my own title, picture and the headline FCC Hacked! on the front page of a mock Washington Post," said Robert Naylor, former Federal Communications Commission (FCC) CIO who now serves the Washington, D.C., intelligence community as a private cybersecurity expert.
"I then asked the FCC chairman and everyone else in the room if this is the legacy they want to leave behind," Naylor said. At the time, the iPhone 5 was coming out, and the FCC had received the schematics for the new phone well before anyone else. Breaches such as the one Target suffered from have serious consequences for consumers and the company itself, he said. "But if a government agency is hacked, it could damage the country's economy -- if a foreign government saw that IP [intellectual property] before our own companies and started making iPhone cases, cables."
As the breaches and headlines mount, many companies are realizing that a strong information security program is a competitive advantage. But as CIOs are discovering, proving it is not so easy. The lack of solid case studies showing the link between security and business value is not likely to be remedied anytime soon. Companies that do use security as a differentiator don't really want to share their secrets. Plus, each business' security threats and remedies are unique. CIOs and security experts who have successfully argued for more investment in security, however, all seem to agree on one point: Be prepared to show, not tell, the business how a security breach can hurt the bottom line.
Naylor had already experienced the consequences of stolen IP as the former IT executive at a pharma company. A foreign competitor stole the formula for a new drug approved by the Food and Drug Administration. "They produced a knockoff -- and they could because it was already approved by the FDA -- and our revenue stream [for that drug] was cut from $6 billion to $3 billion while we fought to protect the patent rights," he said.
Robert Naylorformer FCC CIO
And this happened offline -- meaning it wasn't stolen as a result of a cyberattack. "Data that is available online has grown exponentially, while the security investment never reflects this growth," Naylor said. Even worse, CIOs don't know where to focus their limited investments -- on SQL injection website attacks, phishing, APTs [advanced persistent threats], botnets and so on -- because the threats are so widespread."
Naylor steers his clients to technology that automatically quarantines a threat, sends alarms to the appropriate people and conducts analysis of the threat. This technology, being developed by a startup (which he cannot name), quarantines threats by analyzing patterns and behavior against pre-established network patterns.
Security program brings revenue to the bank, literally
When Sandy Lambert was chief information security officer (CISO) of Citibank in the late 1990s, information security was viewed as a cost of doing business. But like Naylor, she also grasped the power of presentation to argue the business value of security measures. During a pitch meeting with a potential client, she gave an overview of Citibank's information security program, which stressed security awareness training at all levels of the company, an advanced encryption program and digital signatures.
"Each bank bidding on the contract had a security presentation, but the client told me afterward that our security presentation and measures were a major factor in us winning their business," said Lambert, managing director of security consulting firm Lambert & Associates LLC and founder of ISSA. "Infosec brought revenue to the bank."
The 'cybersecurity as competitive differentiator' paradox
By the time David Cullinane left the CISO post at eBay in 2012, his information security program was giving back $10 in risk reduction for every dollar spent. And he is one of a growing number of security professionals willing to share information that shows how security can confer a competitive advantage.
More on preventing security threats
Security luminaries talk underestimated threats
Fraud prevention tactics from Equifax fraud expert
Security controls that head off cyberthreats
"Security can and should be a competitive differentiator, but that's a double-edged sword," said Cullinane, now founder and CEO at SecurityStarfish, a consulting firm that produces threat analysis reports and remediation techniques to reduce risk based on data it collects and analyzes from its Fortune-ranked clients. Companies using security as a competitive advantage don't want to broadcast their security measures. "They say, 'Well, I know what I need to know, and that's a competitive advantage for me.' That attitude is leaving a lot of companies exposed, and we have a responsibility to share information in this space."
What Cullinane did to consistently get eBay to give him more security dollars "wasn't rocket science," he said. The first step was to tie security directly to business goals and core business functions, and he did so through a visual representation. He developed a nine-square diagram of risks, with each risk square assigned a number representing its value to the business. The diagram also showed the probability of occurrence for each risk and the cost to the business if it happened. "The diagram showed that the cost would be substantial, and they were able to see where the investments would place us on the risk curve," he said.
The caveat? The nature of eBay's business put it at more cyber-risk than, say, a Niemen Marcus, he explained, so he points those with fewer dollars to invest in cybersecurity in the cloud. "Amazon Web Services is PCI DSS-certified, for example, so move all that customer data to them and they'll do the security work for you."