Information security professionals know data security is important for organizations of all sizes ― but how can you measure that importance? According to Cisco’s Data Privacy Benchmark Study 2020, investing in data security pays measurable and significant dividends in terms of both reduced loss from data breaches and improvements to key business practices. Data security can also make a business more attractive to both customers and investors.
Cisco’s study surveyed 2,800 security professionals in 13 countries. The bottom line was readily apparent ― good data security is indeed good for business.
How Much Should You Spend on Data Security?
The amount a company spends on data security is dependent on the size of the company. Cisco organized companies by number of employees and discovered that companies with 250 to 499 employees spent an average of $800,000 per year on data security. Companies with 500 to 999 employees spent $1.2 million, while companies more than twice that size ― with 1,000 to 9,999 employees ― spent just a little more, at $1.3 million. The largest companies, with 10,000 or more employees, spent $1.9 million annually.
For all companies surveyed, the average yearly expenditure on data security was $1.2 million. Putting this in perspective, Gartner Inc. says total worldwide spending on information security reached $124 billion in 2019.
Significant Returns on Data Security Investment
Is this spending on data security worth it? The short answer is “yes.”
Of the organizations surveyed by Cisco, more than 40% said they saw financial benefits at least twice what they spent on data security. Smaller companies with 250 to 499 employees saw a yearly benefit worth $1.8 million. For companies with 500 to 999 employees, that benefit rose to $2.3 million, and companies with 1,000 to 9,999 employees saw a total benefit of $2.9 million. The largest companies, with more than 10,000 employees, reaped $4.1 million in financial benefits from their investment in data security.
Comparing the financial benefits with the yearly investment yields an estimate of a company’s return on investment (ROI) for data security. Almost half (47%) of the companies surveyed saw an ROI of more than 2 to 1, while a third broke even on their investment. Only 8% saw no measurable return on their investment.
The bottom line is this: For every $1 of investment in data security, the average company received $2.70 in tangible benefits. (Note that the rate of return did not vary much by company size; the ROI was similar for small, midsize, and large companies alike.)
Business Benefits from Data Security
In addition to the direct financial benefits from data security spending, companies reap a wealth of important business benefits. Cisco reports that more than 70% of the companies surveyed said they’d received significant business benefits from their investment in data security.
What kinds of business benefits did these companies experience? The following percentages of respondents noted significant benefits in these specific areas:
· Building loyalty and trust from customers, 74%
· Making the company more attractive to investors, 73%
· Achieving operational efficiency from data controls, 72%
· Enabling innovation and agility, 71%
· Mitigating losses from data breaches, 71%
· Reducing business delays, 67%
The benefits are many and significant, and they can’t always be measured in direct financial terms. Consider them to be above and beyond the ROI resulting from ongoing data security spending.
Better Data Security Means Lower Costs from Breaches
The more effective an organization’s data security, the lower its financial exposure to data breaches. This results from both a decreased number of breaches and a lower cost incurred from each breach.
Cisco measured what they call data security accountability for each of the firms participating in the survey. This rating roughly corresponds to the number and types of data security measures put in place by each company.
On a scale of 1 to 5, a company with more data security accountability earns a higher score, as follows:
1.0: The organization has little data security in place.
2.0: The company is working on its data security and has made some progress.
3.0: The firm has made significant progress in its data security but still has a substantial way to go.
4.0: The organization has a majority of recommended data security measures in place.
5.0: The company has all or nearly all recommended security measures in place.
Based on data collected, those firms with the highest scores experienced the fewest data breaches. Of those firms with scores of 4.0 or lower, only 13% reported no data breaches in the previous year. For those companies with scores above 4.0, however, the record was twice as good ― 28% experienced no data breaches.