
How can cybersecurity go beyond value protection to value creation?

The 2025 EY Global Cybersecurity Leadership Insights Study examined benefits of earlier, more meaningful involvement of the CISO.


In brief:

    • The study found that cybersecurity contributes 11% to 20%, or a median of US$36m, in value to each enterprise-wide strategic initiative it is involved in.
    • CISOs who are involved early in cross-function decision-making generate more value than those who are consulted late or not at all.
    • CEOs, CFOs and boards should take steps to more meaningfully integrate cybersecurity into transformations and other strategic initiatives.

    Whether in a fully integrated oil and gas company that oversees production, transport and refining operations around the world, or a global entertainment conglomerate that produces content and uses AI to predict consumption habits, a fully engaged cybersecurity function not only protects against threats, but also adds significant value.

    In fact, our most recent research of global cybersecurity leaders, the 2025 EY Global Cybersecurity Leadership Insights Study, found that the cybersecurity function typically accounts for 11% to 20% of the value produced by enterprise-wide initiatives it is involved in, contributing a median of US$36m in value to each of these projects.


    This figure reflects the evolution of the cybersecurity function and the CISO. In the past, cybersecurity functions focused primarily on protection, compliance obligations and reducing and quantifying risk. In recent years, with broad digital transformation; a move to cloud-based, distributed IT infrastructure; and rapid adoption of AI, leading cybersecurity functions are evolving into key enablers of business growth.

     

    At the same time, the research found that cybersecurity budgets as a percent of annual revenue have decreased over the last two years, from 1.1% to 0.6%. This might indicate that organizations do not yet recognize investing in cybersecurity as a value-creating opportunity. As a result, many CISOs still have difficulty getting a seat at the table during early discussions of strategic initiatives, and cybersecurity functions are often not funded sufficiently to deliver their potential value.

     

    As it stands, only 13% of CISOs in our study said they were consulted early when urgent strategic decisions were being made — but those CISOs reported creating more value than those who were consulted either late or not at all.

     

    Equipped with a more accurate calculation of the value cybersecurity brings to strategic initiatives, CISOs can better articulate why they should be included earlier in key decision-making processes and why their role has evolved to be that of a business executive, rather than a technical practitioner.

     

    This year’s EY Global Cybersecurity Leadership Insights Study also aimed to identify how leading CISOs create value compared to their peers, measure cost optimization from cybersecurity automation and simplification, and provide practical steps for CISOs to articulate their worth and elevate their organizational influence.

     

    The insights from this study are in part for CISOs — especially those whose organizations are embarking on a transformation, adopting a new technology, entering a new market, launching a new product or acquiring a high-growth company. In each initiative, the cybersecurity function should be involved to protect against new threats and risk exposure. This study’s results indicate that cybersecurity functions can be engaged earlier, with more strategic integration, to increase the initiative’s value.

     

    But this study is also critical for CEOs, CFOs, board members and other executives involved in key strategic initiatives to understand. Early, meaningful integration of the CISO into initiatives and decisions will unlock value for the entire enterprise.


    Chapter 1

    What is the real value of cybersecurity?

    CISOs and cybersecurity functions account for significant value across the enterprise. Calculating and articulating that value will help CISOs become more influential in strategic decisions.

    While most cybersecurity functions have been involved in at least one value-adding business initiative, such as enterprise-wide technology adoption, business innovation or new market expansion, 58% of CISOs and cybersecurity executives say it is difficult to articulate their value beyond risk mitigation, according to our study.

    To help with this, EY created a framework to quantify the value cybersecurity adds to the enterprise through its contributions to revenue and cost savings on strategic business priorities. To calculate the contribution to enterprise value creation, we identified six key initiatives — based on EY teams’ experience with clients — where cybersecurity should have significant involvement:

    1. Adopting and building technology
    2. Strengthening brand trust and reputation
    3. Improving customer experience
    4. Transforming and innovating across the business
    5. Expanding to new markets
    6. Developing new products and services

    In our research, leaders provided the revenue generated and average annual cost savings from these initiatives and the proportion of the outcome attributed to the cybersecurity function. Together, these allowed us to calculate cybersecurity’s enterprise value creation for each project or initiative where the cybersecurity function is significantly involved.

    Notably, we saw consistent attribution of outcomes to cybersecurity across other senior roles, indicating that CISOs are not over-attributing their contributions.

    In total, for each initiative that involves cybersecurity, the median value creation figure is US$36m. This varies significantly by organization size, ranging from a median of US$11m per project for organizations with US$1b-US$4.9b in revenue, up to US$154m for companies with US$20b or more in annual revenue. 


    But what does cybersecurity’s involvement in enterprise value creation actually look like across different initiatives? 


    How Secure Creators add value to key strategic initiatives

    The study revealed a group of respondents known as “Secure Creators” — first identified in the 2023 EY Global Cybersecurity Leadership Insights Study as organizations with more advanced cybersecurity functions than their peers — who were involved earlier and more deeply than their peers in their business’s key initiatives.

    Secure Creators were more likely to help other business functions implement AI than “Prone Enterprises” (48% vs. 31%). Beyond the immediate benefits of more secure technology adoption, more frequent and closer collaboration with high-growth technology initiatives helps broker a better relationship between CISOs and front-office business leaders. Front-office leaders who work with Secure Creators will increasingly view the CISO as the true enabler of technology transformation, rather than the department that is only brought in to say “no.”

    Secure Creators were also more likely to have positively impacted how external stakeholders perceive their brand (72% vs. 56% of Prone Enterprises). The obvious relationship between cybersecurity and brand trust lies in preventing reputation-damaging hacks and data breaches, and in minimizing loss or impact in the event of a cybersecurity incident. But for Secure Creators, that relationship goes even deeper and positions cybersecurity closer to the customer touchpoints that determine brand reliability. Examples from survey respondents include avoiding potential losses and reputational damage during a ransomware attack and ensuring secure data transfers, resulting in increased trust with current clients as well as attracting new customers who value data protection.


    Relatedly, Secure Creators were more involved in efforts to improve customer experience than their peers (53% vs. 42%). Uptake and usage of a service is partially driven by customer trust — especially when that service uses AI, with 64% of consumers worried about the way their personal data will be used in AI systems without their consent or permission, according to the EY AI Sentiment Index Study. Examples of how Secure Creators in the study are improving customer trust and experience include enhanced internal communication security for better customer service and faster complaint resolution, and creation of customer portals that simplify access to services.

    Secure Creators are more likely to say their approach positively impacts the pace of transformation and innovation. “We were developing a cutting-edge AI product, but the sensitive training data was at risk. Cybersecurity implemented data encryption and access controls to protect the AI training environment,” a Secure Creator said. “The AI product launched on time, and its success gave us a competitive edge in the market.”

    Executives are increasingly recognizing the role of the cybersecurity function when expanding to new markets. A recent Gartner study found that 85% of CEOs consider cybersecurity critical for business growth. CISOs — along with risk executives — help their organizations consider the myriad implications of moving into new markets, from increased risk exposure to asset visibility. When involved early in market scouting, the cybersecurity function can both protect and add value to new market ventures.

    Similarly, in new product and service development, the cybersecurity function adds value that isn’t always recognized. “Cybersecurity isn't just about protecting new product and service value — it's about creating it. When cybersecurity teams are embedded early in product development, they help build trust into core offerings. That trust becomes a differentiator in the market and a catalyst for growth," said Jeremy Pizzala, EY Asia-Pacific Cybersecurity Consulting Leader.

    Secure Creators are likely to continue outpacing their peers

    Seventy-three percent of our study’s cohort of Secure Creators believe their ability to add value will grow in the future. Successful, early involvement in key initiatives will give CISOs greater exposure to the Board and greater power in the C-suite. It will also help CISOs develop as strategic executives — an evolution from their traditional role as a technical practitioner. Combined, it’s clear to see why CISOs think their enterprise value creation is likely to grow.

    “When CISOs are given a seat at the table early in strategic initiatives, they not only embed security into business planning from the ground up, but they add value by increasing speed of adoption and by building trust with consumers,” said Rudrani Djwalapersad, EY Global Cyber Risk and Cyber Resilience Lead.

    Our analysis shows some of the most impactful drivers of cybersecurity’s impact on value creation are the core of Secure Creators’ approach to cybersecurity:

    • Effective cyber approach: rather than just protecting value, shifting the focus to value creation, for example by becoming early adopters of emerging technology.
    • Strategic involvement: embedding themselves in core business priorities and strategies.
    • Collaboration: brokering and using strong lines of communication and ties to the C-suite.

    Most CEOs would acknowledge that cybersecurity must no longer be a siloed department that sits in the basement telling staff to avoid phishing emails, but something that cuts across the whole business. Encouragingly, our study indicates that there is a nascent understanding that CISOs should be involved earlier and should help inform the strategic direction of an organization beyond the cybersecurity function.


    Chapter 2

    Cost savings from cybersecurity simplification and AI-driven automation

    Leading CISOs are decreasing the complexity of their tech stacks to deploy AI more quickly, helping them reap the benefits of automation and cost savings.

    The 2024 edition of this study enumerated the ways AI is transforming cybersecurity. AI — or, more specifically, machine learning (ML) — is automating tasks like threat and anomaly detection, pattern recognition and identification of suspicious activities. Since that study, agentic AI has started offering a step-change improvement. For example, CrowdStrike’s Charlotte AI, powered by NVIDIA NIM microservices, is capable of handling the entire workflow, from threat detection to resolution, with no human intervention, dramatically reducing the time to resolution for cybersecurity threats.

    This year’s study examined a different aspect of AI: cost and time savings. The study found that cybersecurity simplification and automation have led to direct cost savings, with a median US$1.7m saved annually.

    Since most cybersecurity functions are still in the early stages of meaningful AI integration — a 2024 CrowdStrike study found that only 6% of cybersecurity functions actively use generative AI (GenAI) tools — leaders expect the annual savings figure to grow rapidly in the coming years as AI programs mature.

    Simplification and optimization

    As CISOs continue the rollout of AI across the cybersecurity function, they should consider how they can simplify their approach. A recent report from ServiceNow shows that the most AI-ready enterprises take a platform approach that leverages a single codebase, simplifying management across the enterprise. This approach helps them more quickly employ new AI tools — like agentic AI — at scale, because they “don’t have to reinvent the wheel every time a new technology or application hits the market,” according to the report.

    “Most clients who are positioned to outpace their competitors in AI rollout, technology innovation and decision-making at scale are embracing a unified technology platform approach,” said Dan Mellen, EY Global and US Cyber Chief Technology Officer.

    Optimizing legacy technology tools and simplifying cybersecurity tools can remove duplication and reduce costs, while also improving visibility and reducing the number of attack surfaces. Today organizations use a median of 35 different cyber tools, with 37% utilizing over 50 cybersecurity tools. Many CISOs are looking to simplify their tech stack, as well as decrease the spend on these resources: 23% of study respondents completed a technology rationalization effort in the last two years, and 41% are undertaking one. Similarly, 18% have simplified their tech platform, with 41% in the process of doing so.


    Such efforts can save money and have a positive impact on budget constraints. Secure Creators have more advanced cybersecurity functions but require smaller budgets — 10% smaller on average — and are less likely to cite budgets as a key challenge.

    AI and automation

    AI and ML tools are helping automate processes throughout the cybersecurity function. 


    Deployment of AI across cybersecurity priorities is leading to improved outcomes. In particular, CISOs say these automation efforts have decreased their mean time to detect (MTTD) and mean time to respond (MTTR) by 28%, on average. In addition, six in 10 respondents point to increased visibility across attack surfaces. 


    Using cost and time savings to provide more value

    In addition to direct improvements to cybersecurity’s effectiveness and cost savings, optimization and automation allow for more money and time to be focused on value creation, enabling organizations to stay ahead of emerging threats and enhance their overall security posture.

    The combined savings — across automation, simplification and outsourcing — perhaps unsurprisingly were used to further enhance the cyber capabilities of an organization, with 74% reporting they invested to address control weakness and 46% using savings to increase coverage of the attack surface, ultimately leading to a more resilient defense against potential breaches.

    More notably, two-thirds (68%) used the cost savings generated from optimization on innovation and other AI initiatives, indicating that CISOs who are ahead of the AI curve are likely to stay ahead.

    Shifting this “realized” money into value creation initiatives such as AI not only benefits the wider organization but also shows that advanced cybersecurity functions operate more like strategic business units than cost centers.


    Chapter 3

    Three actions for CISOs to get a seat at the table

    Despite its strategic importance, cybersecurity is still often sidelined. CISOs must act now to secure influence, funding and trust across the C-suite.

    A recent study from Ernst & Young LLP examined the gulf between the importance of cybersecurity and the relative lack of sway CISOs hold in the C-suite, with 59% of respondents saying that the cybersecurity function is not consulted when strategic decisions are made.


    The US study also found a direct correlation between cybersecurity breaches and declines in a company’s share price. In the days following a cybersecurity incident, stock prices decrease — and can decrease up to 90 days after the incident — compared with companies that did not experience a cybersecurity incident.

    Cybersecurity is also gaining importance in M&A activity. The EY Private Equity Value Creation Benchmark Survey found that PE firms are 2.3 times more likely to focus on cybersecurity during their due diligence than two years ago. CISOs should be involved earlier and more strategically to improve the dealmaking process.

    As companies transform their strategies and operations around AI, CISOs are presented with a golden opportunity to be key enablers of trust, speed and value, and to position the cybersecurity function as a department of strategic growth. In doing so, CISOs are more likely to be included earlier and more meaningfully in their organization’s other key initiatives.

    Here are three steps CISOs can take to ensure cybersecurity is a key partner throughout the enterprise:

    1.  Reframe how the CISO operates

    A refreshed view of the cybersecurity remit requires a reframing of how the CISO operates.

    Traditional remit       Value creation
    -----------------       --------------
    Reactive                Proactive
    Source of friction      Enabling the rapid adoption of AI
    Technical focus         Aligned to business strategy
    Compliance-driven       Transformation and innovation focus
    Siloed                  Collaborative
    Internal focus          Ecosystem-based

    CISOs must shift from being technical practitioners within their functions to becoming strategic enablers — Secure Creators — across the enterprise. This shift requires building deep sector and business acumen to align the cybersecurity function with organizational goals. It also requires CISOs to prioritize funding that helps cybersecurity create value for initiatives like enterprise-wide AI adoption, front-office transformation, and acquisitions and divestitures.

    This represents a paradigm shift in how the cybersecurity function is viewed and how it integrates into the enterprise — likely demanding broader organizational changes. Elevating the CISO to a strategic role can prompt a rethinking of how cybersecurity leaders are selected and developed, how teams are staffed and where certain business-oriented capabilities should reside. Some capabilities, such as value measurement or transformation planning, may be built within cybersecurity; others may be more effectively developed through tighter integration with finance, strategy or transformation teams, or through managed services. In this context, a value quantification framework is not just a planning tool — it can serve as a blueprint to guide more fundamental changes in how the cybersecurity function is structured, resourced and connected to the rest of the enterprise. Depending on the organization, this type of evolution may be led by the CISO or driven from above.

    2. Re-evaluate your cybersecurity budget needs and allocation

    In today’s constrained budget environment, every functional leader must make a strong case for investment — cybersecurity is no exception. This study provides a new dimension to that case: Rather than viewing cybersecurity as a cost center or risk-reduction function, it should be positioned as a value multiplier. By connecting cybersecurity to enterprise-wide growth and transformation initiatives, and quantifying its contribution, the case moves from defensive to strategic, potentially unlocking a larger, more compelling share of the organization’s value creation agenda.

    CISOs also need to consider where to allocate their budgets. Broadly speaking, they can elect to spend on direct security investments or on value creation initiatives throughout the organization. According to the American Productivity & Quality Center (APQC), return on security investments (ROSI) is 19% on average.¹ Alternatively, value creation spend generates returns approximately 6.6 times greater. This new emphasis on value creation can help CISOs build budget justification and help increase their influence on key initiatives.

    CISOs can simultaneously rationalize and optimize their security tools and work to reduce their associated technology costs. A best-of-suite or platform-first approach will help CISOs rationalize and transition their existing security tools to an existing strategic technology vendor platform, while earmarking forecasted savings on licensing costs for the enhancement of security controls through in-flight and planned projects. 

    3. Facilitate AI adoption to build trust across the C-suite and board of directors

    According to our study, only 43% of cybersecurity functions are meaningfully involved in helping other functions adopt AI.

    This — again — is a golden opportunity for CISOs: By positioning themselves as strategic partners in AI execution, they can earn greater trust and a seat at the table for broader transformation initiatives. The same logic applies to the other six key initiatives where cybersecurity adds significant value:

    • Adopting and building technology
    • Strengthening brand trust and reputation
    • Improving customer experience
    • Transforming and innovating across the business
    • Expanding to new markets
    • Developing new products and services

    For CEOs, CFOs and board members, involving the CISO is more than an exercise in risk mitigation; it is an opportunity to unlock more value in each of your organization’s strategic, revenue-driving initiatives. Earlier, more meaningful integration of the cybersecurity function can help drive faster deployments, trust in the market and the creation of products, services and experiences that sustain business value.

    A narrow view of cybersecurity as a necessary expense aimed solely at risk mitigation leads organizations to underinvest in a capability that could drive broader enterprise value. This perspective must change. The call to action is clear: Shift budgeting decisions from a cost-centric to a value-centric lens, treating cybersecurity not as a defensive line item, but as a catalyst for growth, innovation and sustained performance.

    AnnMarie Pino, Associate Director, Ernst & Young LLP; Ed Wong, Associate Director, Ernst & Young Group Limited; Joe Morecroft, Associate Director, EYGS LLP; and William Reid, Supervising Associate, Ernst & Young LLP contributed to this article.


    Summary

    The 2025 EY Global Cybersecurity Leadership Insights Study found cybersecurity adds a median of US$36m in value to each strategic initiative it supports. Still, CISOs are often excluded from early decision-making, even though early involvement drives significantly greater value. To secure a seat at the table, CISOs must evolve into business executives, optimize budget allocations toward value creation and build trust across the C-suite — positioning cybersecurity as a catalyst for enterprise growth, innovation and transformation.
