How to Prepare: Cybersecurity: Cost Driver or Cost Saver?

Cybersecurity measures should always provide value. Instead of debating liability, it is more effective to illustrate which business processes can be digitised or enabled by appropriate protective measures (and thus assign costs accordingly). In doing so, these measures directly contribute to the company's value creation—or not, raising the question of whether they are needed at all.

Security costs money—but it is only necessary when there's something to protect. Security costs are, in this sense, always part of the "operating costs" of a value-adding activity. Considering security as part of IT infrastructure makes it simpler but distributes costs across all activities within the company. Approximately a quarter of IT expenses should be allocated for cybersecurity. This also demonstrates that IT services do not automatically include cybersecurity—the added costs are too high for this.

Moreover, not every cybersecurity measure is suitable for every company—the better a measure aligns with an organisation's value creation, the stronger its impact; conversely, security gains should not be expected from measures that contradict the company's value creation or culture. For instance, if a business generates revenue through customer services, security measures complicating customer contact (such as additional authentication steps) would hinder success and are likely to be rejected or bypassed.

Thus, the following rule of thumb applies: If security measures are implemented as part of a (potentially new) business process, they fit well with the company and can be effective. Generic security measures recommended for everyone or selected based on technical reasons are not very sensible.

Contact

Dr. Katrin Sobania

Director Department for Information and Communication Technology | E-Government | Postal Services | IT Security