Between 2015 and 2025, the global financial impact of cybercrime will have grown by 250% to $10.5T USD, more than twice the size of the entire economy of Japan. Even if cybercriminals capture only a small fraction of that $10.5T USD, the gains are enormous for a relatively young criminal industry.
According to Interpol, cybercrime tops the list as the world's leading crime threat, and 70% of those surveyed believe it will continue to grow over the next three to five years. Cybercrime has become more lucrative than drug trafficking. Backed by organized crime syndicates and state-sponsored attackers with an alarming level of sophistication, the "hacker in a hoodie" is gone, replaced by a truly dangerous adversary whose power increases as its financial gains grow.
Only 10% of organizations reported that their cybersecurity budgets increased in 2022. And while overall cybersecurity spending is predicted to rise by 11% to $188B in 2023, that is only a fraction of the more than $8T in predicted cybercrime costs for the same year.
How might we, as a cyber community, take on this challenge?
We must empower our people to be change agents. This includes developing our cybersecurity workforce from technical specialists to multi-faceted leaders who understand the how and why of an organization and can influence those around them.
This change starts at the top. Chief Information Security Officers (CISOs) need to stop treating cybersecurity as a cost center and instead view it as a profit center. As a cost center, cybersecurity is seen as overhead: a budget to be managed as part of the cost of doing business. With a profit center mentality, cybersecurity becomes a business driver, accountable both for what it spends and for what it delivers in growth, or more specifically, in savings through risk mitigation.
Reframing the position of your cybersecurity team from a cost center to a profit center will influence how your workforce is perceived within the organization. More importantly, it will change their mindset about how they contribute to the overall business strategy.
Suddenly, your SOC is celebrated for the threats it repels. Risk mitigation turns into currency that can be reinvested to grow the business. Digital Forensics and Incident Response (DFIR) teams recover revenue that would otherwise be lost and return it to the books with each deep dive into the organization's digital footprint. Offensive Operations, your Red Team, take on a role much like business development, actively uncovering new assets and opportunities to protect.
To move from a cost to a profit mindset, CISOs need a seat in the boardroom and a partnership with the Chief Revenue Officer and Chief Marketing Officer. CISOs need to create metrics that tie repelled attacks to both bottom-line and top-line revenue, showing what was saved and what was gained.
In the post-2020 landscape, data security is now a lever of customer loyalty. Nearly three-quarters of consumers rank data privacy as a top value, and four out of every five would stop engaging with a brand online following a data breach. CISOs need to reframe this narrative as a profit center: a strong security culture actively increases customer lifetime value, a core metric of organizational profitability. Cybersecurity teams drive top-line revenue by reinforcing brand trust and reduce bottom-line expenses by lowering customer acquisition cost and increasing productivity. The profit center mindset works. So, how do you prove it to your Chief Financial Officer (CFO)? Start by explaining that threat actors apply the same profit center mindset when choosing their next target, weighing expected return against effort. No CFO will argue with a 500% return on investment. CISOs must be prepared to have these strategic conversations.
The SANS Cybersecurity Leadership curriculum, including MGT512: Security Leadership Essentials for Managers, is designed for technical managers seeking to advance their business acumen.