The study by Diligent and Bitsight points to advanced security and strong risk or audit committees as good predictors of an enterprise’s financial success.

Cybersecurity preparedness and financial success are strongly correlated: companies that maintain strong security measures outperform peers with only basic defenses by as much as 372% in shareholder returns, according to a report by Diligent and Bitsight.

The report, which analyzed data from more than 4,000 global companies, found that over a three-year period the average total shareholder return for companies with advanced security performance ratings was 67%, compared to 14% for companies with only basic ratings. Over a five-year period, companies in the advanced performance range showed an average total shareholder return of 71%, while those in the basic performance range recorded an average return of 37%.

“Some of the companies with high cybersecurity scores are in high-growth sectors, such as technology, that have had strong financial performance over the last several years,” the report’s authors said. “Additionally, the improved performance may also stem from the fact that companies in the advanced security performance bracket also possess robust governance fundamentals.”

While it might be a stretch to draw a direct link between better financial performance and good cybersecurity, “we know that the insurance industry is beavering away to pool actuarial data together,” Gareth Lindahl-Wise, CISO of managed detection and response provider Ontinue, told CSO. “What is indisputable is the positive advantage organizations derive from perceived and actual high levels of cybersecurity performance on reputation.”

Risk and audit committees linked to better cybersecurity performance

The report also found that companies with specialized risk or audit committees demonstrated a more robust cybersecurity performance than those without either.
The report’s rating system assigned companies a cybersecurity rating between 250 and 900: those with specialized risk committees received a median rating of 730, and those with audit committees a median rating of 720.

The report emphasizes the direct involvement of cybersecurity experts within these committees as a critical factor. Companies with cybersecurity experts on either audit or specialized risk committees achieve an average security performance rating of 700, significantly higher than the 580 rating for companies with such experts only on the general board.

The report also highlights that highly regulated industries typically outperform others. The healthcare sector led with an average security rating of 730, while the financial services sector accounted for a significant proportion (33%) of companies that demonstrated advanced security performance, with an average rating of 720. Conversely, 24% of companies with basic security performance came from the industrial sector. The communications sector, according to the report, has the lowest overall performance rating at 630.

Highly regulated companies and industries traditionally adopt cyber programs and best practices more quickly because they’re used to, and better at, managing their risk, said Dave Gerry, CEO of cybersecurity firm Bugcrowd. “Ensuring that they are in compliance with the regulatory requirements they face is in their culture; adding cyber is simply another requirement they need to comply with,” he added.

More board involvement means more internal scrutiny

Companies with audit committees typically fare better than others when it comes to cybersecurity because of internal scrutiny, Lindahl-Wise said. “An informed audit (and more often an audit and risk committee) is more aware and aligned to the actual risks organizations are facing and will hold them to remediation plans than generic risks regulations focus on,” he said.
“One envisages that the time to remediation of risks will be quicker with organizations with active audit committees in place.”

Companies with robust cybersecurity measures are not only taking concrete steps to protect their systems and sensitive data; modern, next-generation solutions can also streamline operations and make employees more efficient, said Patrick Tiquet, vice president of security and architecture at Keeper Security. For example, a digital password manager can autofill passwords and reduce help-desk costs by significantly lowering the number of password-reset requests. “Automating routine tasks like these allows organizations to free up valuable resources they can then direct towards their business growth and strategic initiatives.”