Generally, cybersecurity is thought of as a defensive strategy. Companies build defenses based on known vulnerabilities for future attacks and leverage forensic technology for clean-up in the wake of a breach. While defense is one hallmark of a sound cyber strategy, can cybersecurity be used offensively? Can we flip the old sports adage into "the best defense is a good offense?"
KPMG recently released our 2017 CEO Outlook Study of 400 US chief executives, which offers a roadmap of the three-year outlook of CEOs across the country. Take a dive into the report’s cybersecurity section and you’ll find an interesting statistic: 76% percent of US CEOs see investment in cybersecurity as an opportunity to innovate and find new revenue streams.
This statistic directly parallels insights that we derived from our 2016 KPMG Consumer Loss Barometer. We found that consumers would be more loyal and more likely to do business with a company that is more transparent about its cybersecurity offerings and provides clear communications about how the consumer would be protected, how consumers could better educate themselves on protecting their data/PII, and how the company would remediate any problems in the wake of a hack.
This means the tipping point of cybersecurity as a technology issue into a business issue has happened, both at the business/executive level as well as the consumer level.
So with more than two-thirds of CEOs saying that an investment in cybersecurity will open more doors to new business and innovation, how many of those CEOs are investing in cybersecurity in the next three years? Shockingly enough, the majority (44%) of CEOs say they will not be investing, or only maintaining their current investment in security technologies during this time. Even though 32% of CEOs state that they would be significantly investing in cyber security in the next three years, the majority won’t.
The response begets the question: Why would CEOs say that they know investing in cybersecurity will drive business by investing and then not invest? A few possible reasons come to mind:
- They invest in cybersecurity as part of their new design/build so it doesn’t look like a new and different cyber program while the cyber component is actually being addressed.
- They are not yet investing because they think maintenance of their programs (that they just spent several years hyperinvesting into) is all that is required.
- They are just missing the boat.
Obviously, there is no one-size fits all rational for this behavior because every company faces different problems. The good news is that we can now envision a future where cybersecurity will drive business growth, where security will be baked in on the front end of the product lifecycle, and where marketing campaigns will tout cybersecurity capabilities as one of the main drivers of the product.
Based on the no-room-for-error environment that these companies operate in, I see about 32% of those companies thriving and 44% scrambling to catch up.