What does a cybersecurity-ready company look like?

On one level, the motivation for organizations to invest in cybersecurity tools, staff, and processes couldn’t be more obvious: the organizations want to prevent cyberattacks from succeeding. It turns out, however, that security measures may be able to drive additional business benefits beyond simply countering hackers, online criminals, and other bad actors.

The 2016 AT&T/IDC Global Cybersecurity Readiness Index study suggests that companies with the most mature and comprehensive security profiles can expect to outpace their peers in revenue and profit growth as well as several other business metrics.

In the study, more than 800 IT and line of business executives across multiple industry sectors were surveyed. A focus group of CIOs and CISOs from enterprises with more than 1,000 employees provided supplemental data. Some of the survey results are included in a recent AT&T Cybersecurity Insights report.

What characteristics make one organization’s cybersecurity readiness superior to another’s? The AT&T/IDC study identified a number of traits that reflect this readiness, and grouped organizations into four maturity categories. Those categories, from least to most cybersecurity ready, are: Passive, Reactive, Proactive, and Progressive.

Progressive organizations share a number of characteristics, led by a high level of C-suite interest and engagement in security matters. CEOs and other executives at progressive companies understand the cyberthreats their organizations face and are closely involved in setting and regularly reviewing security measures and strategies. In fact, 60% of the survey respondents deemed to work at progressive companies said their senior executives require daily security status updates. That’s compared to just 14% of respondents at passive organizations saying the same.

Progressive companies also know their own limits. This category of companies, for example, is much more likely than less-cybersecurity-ready organizations to enlist the services of third-party security experts as a supplement to their in-house security teams. Other companies may be prone to underestimating the threats they face, while overestimating their own capabilities to deal with those threats.

On another measure, progressive organizations don’t just focus on post-breach diagnosis and response. They’re much more likely than others to proactively mount readiness assessments and diagnosis planning efforts.

Surprising payoffs

After AT&T/IDC categorized the cybersecurity readiness of its survey respondents, it looked at several business parameters. That exercise suggests that security investments and preparations can have a positive ripple effect across a number of business metrics.

Companies ranked as progressive organizations, for example, experienced three-year revenue growth averaging 24%. At the other end of the cybersecurity readiness index, passive companies experienced only 6% growth over the same period.

The same held true when it came to profitability. The three-year profit growth at progressive companies averaged 19.7%, compared to just 3.2% profit growth at passive companies.

This trend even extended into the non-fiscal metrics. Among them: customer satisfaction increased by 22% over three years at progressive companies, but grew by just 2.3% at passive companies.

Without a doubt, the main reason for investing in cybersecurity solutions, staffing, and services is to prevent catastrophic data loss or exposure and to maintain operational integrity. But companies that make security a priority from the C-suite down can expect to see benefits that go well beyond the central objective of their efforts.

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies, and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.

Copyright © 2016 IDG Communications, Inc.