Cyber as part of P&L

Photo by George Morina on


Cyber is commonly seen by businesses as a cost center. Changes are afoot that suggest it is increasingly a revenue generator. There are great gains in client relationships to be made if organizations that are not vendors of these services think in a similar way about offering value from their cyber teams’ work.


In a conversation I had last week, an industry colleague mentioned cyber as a cost center for organisations, viewing cyber as an overhead function. To be fair, it’s a common view of cyber as it currently exists. I’ll not say the view is wrong, but it doesn’t account for the direction this is going, especially for large institutions.

The following are merely possibilities, scarcely scratching the surface. In every case, one of the biggest drawbacks is potential liability, which tempers or negates what is offered. Including a good faith clause in the cyber portions of contracts and non-disclosure agreements in general sets the legal tone: we are in this together and whilst we are not doing things for you, we’ll not leave you stranded.

Cyber as a Service (CaaS) – the first that comes to mind is offering cyber services – especially intelligence or incident response – to clients on a subscription service. I’ve heard this discussed, although it’s not my first choice. Simply because there are vendors who offer many of those services that may well contribute to what a major institution would. In many cases those vendors may be a contributing factor to the analysis or operations provisioned. If they are sources of intelligence (for example), sharing further likely will not only be second-hand and delayed, but potentially in violation of contract. Could it be a sales strategy involving cyber? Certainly, though not the best.

Consultancy – Offering advice to similar firms based on a firm’s developments/ lessons learned etc. is a better fit than CaaS. This option offers wisdom and experience for the trials, and shares experiences already seen. This can also take the form of white papers or journals with relevant topics, specific for the business audience. Near-peer or a similar-size firm, there may be cyber concerns unaddressed. This is however a slow-burn option which does not help in cyber emergencies.

Continuity of Business (CoB) as Sales – From the perspective of a financial institution (with similarities in other industries), here is where you have potential for sales by having skin in the game (SITG). Essentially, you require your vendors to include you in their CoB whenever it might impact what you rely on them for. Earlier is better, so when it looks like the service might go down, not after it crashed. Trace that vendor’s service or app through every product you offer which may be affected, and offer the same notification to any client who uses them. This allows you a chance to go to Plan B before systems crash, allowing and enabling your clients to do the same. This would be huge for client generation/ retention at the very least. We all want uninterrupted services perfectly tuned after all.

As much as cyber is currently seen as a cost center, that thinking needs to change. At a clip. The thinking in silos that got us here will not get us out of here. We need to think afresh. To create cyber ecosystems. And may be, just may be we will stop thinking of cyber as a cost center. And our relationships both with clients and vendors will improve.