What are the financial performance benefits of strong cyber governance?
In a blog series dedicated to the SEC’s new rules, we haven’t talked much about the connection between cybersecurity and the financial performance of companies. Companies required to adhere to the SEC’s rules are those raising capital through the stock market, so it makes sense that we talk about the connection between security and shareholder return.
In a survey conducted by Diligent Institute and Bitsight on over 4,000 mid-to-large-sized companies, researchers looked at the level of security expertise companies have on their boards and subcommittees. Using this information, paired with data on the company’s overall security posture, they categorized companies into two groups: Basic Security Performance Range and Advanced Security Performance Range. These categories were then assessed for their total shareholder return (TSR) over three and five years.
Over three years, companies in the advanced security performance category saw a 67% TSR, while those in the basic performance category saw only a 14% return. Although these two metrics aren’t proven to be directly linked, I would like to address some possible ways that better security practices could improve financial performance, and then explore how companies can enhance their performance through security improvements.
How can cyber resilience improve an organization’s overall performance?
The survey highlighted that even when a company claimed to have cyber expertise on its board, that expertise was often siloed and not shared with other board members. To demonstrate what can be done, researchers looked into companies that had board subcommittees dedicated solely to cybersecurity. Such committees allow more time to be allocated directly to understanding cybersecurity risks, which equips the committee with actionable information. This plays a large part in understanding the financial and operational implications of those risks, which translates into more productive conversations with the full board about how to take action and allocate security budgets.
What are some challenges with lasting cyber resilience?
Research published by the Harvard Business Review highlighted a concerning statistic: only 47% of board members interact regularly with their company’s CISO. This makes the task of managing cyber risks much more difficult. Security is an ongoing issue, so the lack of regular conversations is concerning to say the least. Boards need to have a strong understanding of what is going on if they are to weigh in on security budgets and investments effectively.
The journey to strong cyber resilience begins today.
We’re now faced with the question of how an organization can tackle the challenge of building cyber resilience that lasts. In the Harvard Business Review article mentioned above, the authors note that boards focus too much on the success of past investments and too little on the need for future ones. To address this, they highlight the need to talk about prioritizing and addressing risks.
When it comes to assessing and prioritizing the mitigation of your organization’s largest risks, Axio recommends using Cyber Risk Quantification to translate risks into business terms, which allows organizations to assess the effectiveness of both past and future security investments. This lets your organization quantify (in dollars) its largest cyber risks and see how different control initiatives would lower them. We know how hard it is to be confident in your cyber control selection, so we build reporting that shows the money spent and the value of the risk reduction it buys.
Want to talk with an expert on what this would look like for your organization? Let’s get a conversation started.