By Bruce Sussman
Tue | Oct 29, 2019 | 8:58 PM PDT

Looking for ways to show the return on investment of your cybersecurity program?

Here are some useful ideas.

(ISC)2 report on ROI of cybersecurity

A new research paper reveals results of an (ISC)2 survey about cybersecurity during mergers and acquisitions. Poor cybersecurity can derail M&A plans, and strong cybersecurity can boost the likelihood of successful M&A.

Here are a few key paragraphs from the report:

"In mergers and acquisitions (M&A) negotiations, buyers look closely at factors such as a company's balance sheet, intellectual property and market share. How well a company performs in each of these areas can make or break a deal, but what some potential sellers may not realize is that another factor has become just as important in M&A activities—a company's cybersecurity program.

Cybersecurity audits are now essential to the M&A process: 100% of respondents in an (ISC)2 survey of executives and advisors involved in M&A activity say the audits have become standard practice. And what's more, an organization's cybersecurity tools and practices, and overall security posture, can determine the fate of a deal, the survey found.

Buyers also take into consideration how a company has handled security breaches in the past, and in most cases that will affect a company's selling price. The survey shows that buyers are forgiving to companies that demonstrate they took the right steps to address past breaches, but less so when it comes to previously undisclosed security breaches.

Furthermore, about three quarters of respondents (77%) have made recommendations on whether to proceed with an M&A deal based on the strength of the target company's cybersecurity program. So even if a company runs an efficient supply chain and offers great products and customer service, the absence of a robust cybersecurity program is a problem.

There is inherent value in cybersecurity tools and practices, and any decision-maker considering M&A activity must not ignore this fact."

ROI of cybersecurity: some customers demand security

Another idea for demonstrating security ROI is to ask yourself: are any of our clients demanding answers about our cybersecurity or privacy efforts? If so, there is something you can point to as the return on investment for cybersecurity.

For example, GE Aviation uses sound cybersecurity as a screening tool for vendors. We learned about this from GE Aviation's SVP & Global CISO, Deneen DeFiore, during her keynote presentation at SecureWorld Cincinnati.

"Aircraft have become flying networks," she said. "Root of trust, authentication, supply chain security is all crucial. We do rigorous third-party evaluations."

How do you justify a cybersecurity budget?

In addition to showing the ROI of cybersecurity, you might be looking for executive leadership to approve your cybersecurity budget.

Here is a fantastic list of possible ways to get cybersecurity spend justified, from CISO and CPO Mike Muha, who is on the Advisory Council for SecureWorld Detroit:

[RESOURCE: (ISC)2 report, "The ROI of Sound Cybersecurity Programs"]