Cybersecurity: The Operating Expense that Makes You Money


When I went to college, I, like many of you, had to lay down a lot of cash for a lot of things. Tuition. Books. A computer. Even those late-night pizzas and ramen noodles.

But, in the end, those expenses were worth it, because they established a foundation for me personally, and for my career. They were the baseline that made my future possible. I think cybersecurity is a lot like that.

Honestly, it can get a bit overwhelming for all those businesses out there, being asked to pony up for yet another “must-have” cybersecurity tool. I get it. But, as you’re getting out the corporate credit card for your next cybersecurity upgrade, I’d urge you to stop thinking of that spend as just another overhead expense. Instead, why not flip that assumption upside down?

Have you considered all the ways that your cybersecurity program might actually be making you money?

Look, I know most people roll their eyes at the whole “you have to spend money to make money” argument. But stick with me here. Because, in my experience, there are three very concrete ways that a rock-solid cybersecurity program can save you money in the end. Put simply, cybersecurity:

  • Saves money through protection
  • Makes money through compliance
  • Makes money through reputation

Let me give you an example. Imagine that a company that manufactures wood carvings invests in a cybersecurity program. Their security program is primarily about protection and reputation; they are protecting their systems as they sell things, and they are maintaining a reputation for being secure, which allows clients to trust them. Take that example to a manufacturer that makes parts for the Department of Defense, and they’ll also have cybersecurity regulations requiring them to be compliant. The benefits vary for every business. But the foundational role cybersecurity plays in an organization stays the same.

Let’s break it down.


Saving Money

Cybersecurity programs, at their root, keep you from having business-ending cyber-attacks. And it’s not too difficult to imagine what those look like…

Ransomware that steals data that you might need to continue operations. Viruses that cause the hard drive to essentially melt. Phishing emails that trick a CEO into giving up the password to their email or other accounts, ruining the reputation of the organization.

Tools like Endpoint Detection and Response (EDR), internal vulnerability scanning, phishing scanners and anti-virus software can help you build out a strong defense. But if the response to your budget request for these items is “budget restriction,” I’d urge you to press your case. After all, the investment is far less than what your organization would lose in the event of a breach.

The right cybersecurity program will save you money in the end. But saving money isn’t why you wanted to read this article. You want to know about making money with cybersecurity.


Making Money through Compliance

Let’s pick on what a senior executive recently referred to as “an easier compliance”: Payment Card Industry Data Security Standard, or PCI-DSS. The controls for this compliance can usually be mapped to NIST frameworks, and several cybersecurity professionals compared it to the NIST 800-171 framework, especially with the additional requirements that went into effect. There’s a monthly penalty fee associated with organizations that can’t maintain this compliance. Furthermore, the average consumer has started avoiding businesses that don’t look secure, fearing that their credit card information and other related data may be stolen.

This means that organizations that invest in meeting this compliance are granted a reputation for being secure, and that fosters trust and loyalty with consumers.

What about CMMC or NIST 800-171 compliance for the government contracting industry? If an organization meets this compliance, they get to keep their contract. An organization may even be granted additional funding or contracts because they are showing a higher Operational Maturity Level (OML).

Instead of running away from compliance, organizations may want to start moving towards it, embracing it as another function of productivity. Purchasing a computer is still an expense. Purchasing and establishing a Vulnerability Management Program may actually be worth thousands or millions of dollars, and it certainly doesn’t cost that much.


Making Money through Reputation

As a Managed Services Provider, our security practices are sometimes seen as excessive or exhausting. We focus on maintaining SOC 2 compliance, building off higher-end frameworks, and managing downstream compliance requirements.

All that preparation comes with the territory, though. Downstream compliance for a Managed Services Provider is constant. We might be helping a client that owns medical facilities and therefore adheres to HIPAA, or a law firm having to work with the NIST 800-53 framework since one of their clients is incredibly large and a well-known household name in the world.

I encourage our clients to take their cybersecurity programs just as seriously as we do. Once organizations begin to focus on cybersecurity as the main course and not a side order in their IT spend, they’ll increase their profits and their reputation. And as a result, they’ll get new business opportunities. It really is that simple.


Taking Your Next Step

I like to think that we here at Integris are just like you are, working every day to have the kind of reputation that draws customers to your doorstep. We are known for being a people-first organization that focuses on cybersecurity as a specific and native part of what we do as a provider. New business comes to us through a variety of ways, but we always like to talk with prospective clients about their security along with all the other services they need.

There are a variety of industries that trade on their reputation and gain business and profitability because they are known for being “good.” To be good doesn’t always mean being the fastest, or the strongest. In the case of cybersecurity and having a good reputation, being good means being thorough and reliable. It means protecting yourself and placing a value on your assets and operations to a level where you’re willing to defend them. Defending yourself shows that you think you are valuable, and that makes organizations that you want to do business with think you are valuable as well.

Increase your business, your opportunities and your reputation with cybersecurity. I promise you, you won’t regret it.

Nick McCourt is a vCISO, CISSP at Integris.
