How organizations can derive value from security investments and enable business growth
and alienate existing customers


When thinking about implementing security systems and hiring talented security professionals, it’s easy for business leaders to focus on the costs involved. This isn’t an irrational concern, either. According to CW jobs, the salary bracket for cybersecurity professionals ranges from £52,500 per year to £77,500 per year depending on role and experience, with the average salary in the UK working out at £62,500. The costs associated with cybersecurity software can also quickly rack up, even if they seem to start small.
There is a different perspective to take into account, though, which is to think of cybersecurity spending as an investment. With this approach, businesses can assess how cybersecurity expenditure can add value and enable business growth.
Here are three ways in which investing in cybersecurity can do exactly that.
A successful cyber attack will be expensive
Let’s start with perhaps the most concrete way investing in cybersecurity can add value to businesses. Investing in qualified cybersecurity professionals, partners, and software makes it less likely a business will be breached than if it had minimal defenses in place.
In the 2024 edition of its annual Cost of Data Breach report, IBM found that the global average cost of a data breach was $4.88 million (£3.71 million) – a 10% increase from the previous year. Of this $4.88 million, $1.47 million was attributed to lost business, $1.6
While these figures may already look big, they only deal with direct costs and don’t incorporate any fines that may have been issued under legislation like GDPR or the California Consumer Privacy Act. Business decision-makers should certainly bear this in mind when thinking about where and whether to invest, as any fines that are issued take into account whether the breached organization had adequate defenses in place.
Trustworthiness builds reputation
There are many components to trustworthiness in business. Much of this will come down to stalwart ideas like delivering on time and within budget, offering quality products and services, being responsive to clients’ needs, and so on. Increasingly, however, the robustness of an organization’s cybersecurity defenses is also playing a role.
Supply chain attacks, which see malicious actors try to gain access to their primary target via its suppliers, are an increasing problem. According to law firm Pinsent Masons’ 2024 annual cyber report, in over 30% of instructions it received in relation to cybersecurity incidents the root cause was a third-party or supply chain attack.
These attacks can take several forms. For example, attackers may gain access to one company’s systems and use it as a launchpad for a phishing campaign, as happened with Wipro in 2020. Alternatively, they may inject malicious code into a software vendor’s products, which then operate as a secret entrance for the hackers to enter customers’ systems, as with the SolarWinds hack, also in 2020.
Whatever the method, if an organization is found to be the root of a supply chain attack it could be very bad for business. Being able to minimize that risk – and show that you have minimized it – with appropriate investments in cybersecurity makes companies a more attractive prospect to work with. This in turn brings with it the opportunity for new relationships and business growth.
Ensuring compliance with legislation
GDPR and the California Consumer Privacy Act aren’t the only pieces of legislation concerned with how organizations conduct their cybersecurity affairs – and the potential penalties they will face if they don’t take it seriously enough.
The EU’s Network and Information Security 2 (NIS 2) directive is a tough set of rules that govern how companies operating in critical sectors such as utilities, healthcare, and financial services run some elements of their cybersecurity.
“NIS2 has introduced it as one of the key focus points. Individual enterprises will be responsible for addressing cybersecurity risks in their own supply chains, as well as within supplier relationships,” explain Yannick Scheelen, Koen Machilsen, and Andy Deprez, analysts at consultancy EY.
They continue: “This requirement might indirectly influence many suppliers who are not in the scope of the new NIS2 Directive, but they might deliver services or products to an in-scope NIS2 entity.
“So, even if your organization is not in scope, it might still have an impact depending on the services and sector.”
British companies aren’t directly subject to NIS 2, as the UK left the EU before NIS 2 was conceived. If they provide services to entities classified as essential or important by an EU member state, however, they will have to come in line anyway or risk losing customers as the penalties for non-compliance are so heavy.
For important entities, the penalties are up to €7,000,000 ($7,750,000 approx) or at least 1.4% of global annual turnover – whichever is higher. For essential entities, those figures rise to €10,000,000 ($11,000,000) or at least 2% of global annual turnover. No business relationship, no matter how long-standing, will weather those potential fines. Thus investing in cyber security to ensure compliance makes good business sense for keeping existing customers and attracting new ones. It also has the benefit of reducing risk for the supplier itself.
Hiring cybersecurity personnel, as well as buying cybersecurity systems, and implementing training can be expensive, but not doing so can be even more costly. Organizations must take the opportunity to invest in this area to mitigate the risk of a breach and maximize the potential for business growth.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.