Benefits of positive risk - AWS Prescriptive Guidance

Benefits of positive risk

Especially in an industry such as cybersecurity, which is focused on protecting the business from potential loss, it’s easy to frame risk from a negative perspective. Reframing cybersecurity risks based on their potential gains can benefit the business by promoting positive outcomes, increasing the security posture of the organization, and increasing customer trust.

Promoting positive outcomes

Adopting positive risk allows the organization to evaluate and recognize the contribution the domain makes to positive business outcomes. According to Cybersecurity In The C-Suite and Boardroom (Enterprise Strategy Group research report):

  • 69% of business and technology leaders believe that cybersecurity is entirely or mostly a technology area with little or no linkage to the business.

  • 11% of business and technology leaders equate cybersecurity with regulatory compliance.

  • 82% of organizations claim that cybersecurity risks have increased over the past two years due to factors such as increasing cyberthreats, greater integration of technology within the business, and a growing attack surface.

When cybersecurity executives integrate positive risk into conversations and reports, it helps promote the value of secure IT operations within the company.

For example, let’s say a business had a data breach several years ago, and the data breach was caused by a lack of a patch management process. The incident is still brought up by the media, and it affects customers’ perceptions of and interactions with the company. The business wants to move past the incident and expand its service offerings, but customer trust is blocking sales. Cybersecurity uses positive risk to convince leadership to invest in a patch management process that continually updates applications. The new process dramatically reduces the risk of a data breach, improving the security posture of the company. News of the up-to-the-minute patch management process reaches the media and potential customers. Customers now feel comfortable buying from the business, and sales increase to an impressive level.

Failure to consider positive risks during risk identification can result in an incomplete assessment and affect the business decision. For concrete examples of positive risks that could affect business decisions, see Examples of positive risk.

Increasing security posture and customer trust

Cybersecurity is integral to the security posture of the business. Data breaches can negatively affect customer trust, but a strong security posture and reputation can also increase customer trust and drive business opportunity.

As discussed in Promoting positive outcomes, research shows that executive leadership understands the negative risks associated with cybersecurity but frequently doesn’t understand the positive risk, or business value. However, research shows that leadership within cybersecurity understands how a strong security posture can benefit the organization.

In Cyber Security Research: The Innovation Accelerator (Vodafone whitepaper), Vodafone interviewed 1,434 worldwide decision-makers in cybersecurity. According to their data:

  • 73% of the respondents believed strong security creates new business opportunities.

  • 89% said improvements to their security would increase customer loyalty and trust.

  • 90% said that they were able to improve their image, reach new potential clients, and turn them into actual clients.

  • 89% believe that having effective cybersecurity is a relevant competitive advantage, which helps them differentiate from their competitors.

  • 24% reported an increase in revenues by using cloud technologies and Internet of Things (IoT) and by adopting targeted IT security controls.

Instead of using potential negative outcomes when communicating with executive leadership, you can also use positive risk to communicate the business value of improving customer trust. Executives can be cautious when funding programs. In some cases, cybersecurity gets the bare minimum needed to operate. Internally communicating positive risks in funding requests can help your leadership understand the business value of cybersecurity. This can result in increased funding for cybersecurity initiatives and drive revenue for the business.