
According to new research from EY, 58% of CISOs and cybersecurity execs say it’s difficult to articulate their value beyond risk mitigation.
That’s a bold lead. It tells us CISOs and their teams feel locked into the traditional narrative: cybersecurity is a cost centre, but not a strategic value driver.
But EY’s study on global cybersecurity leadership insights shows cybersecurity can go far beyond just protecting value – it can create it.
We’re looking at the how and the why behind that argument.
Another one of the study’s most striking stats is that cybersecurity contributes between 11% and 20% of value to each enterprise-wide strategic initiative it’s involved in. That means cyber isn’t just risk reduction; it’s a measurable boost to outcomes.
But more than half of CISOs struggle to convey that value. The same 58% figure highlights a storytelling issue: cybersecurity’s benefits aren’t being translated into language that business leaders can really understand and appreciate.
EY’s segmentation of organisations into Secure Creators (42%) and Prone Enterprises (58%) reveals why.
Secure Creators:
They’re the ones who see 63% of their cyber efforts generating value rather than just protection. In contrast, Prone Enterprises only report 42%.
And it’s communication style that makes the difference. Secure Creators translate cybersecurity into business terms like ‘risk buydown, business impact and value creation.’ They don’t just say they’ve reduced incidents – they show how that incident reduction has accelerated go-to-market, improved trust, or streamlined costs.
EY’s researchers suggest that Secure Creators are far more likely to report that cybersecurity improved their pace of transformation and innovation (56% vs 25%) and ability to respond to market opportunities (58% vs 29%); and that they focus on creating value over protecting value (63% vs 41%).
For business leaders, that means cybersecurity becomes an enabler – and not an annoying thing they have to think about even though they don’t really want to.
Another important insight from the study is that organisations are piling on security tools, but adding that tech complexity actually gets in the way of detection and response. Secure Creators, however, are more likely to simplify the tech stack and embrace automation. They consolidate platforms to reduce noise and centralise telemetry, replace legacy tools that duplicate processes, and automate routine responses.
That frees up cyber teams to focus on higher‑value tasks – like embedding secure coding, shaping cloud architecture, or aligning with business Q‑goals.
EY identifies three overlapping human levers:
Only 50% of cyber leaders say training is effective – and just 36% believe non‑IT teams embrace security practices. But Secure Creators report 47% adoption, which is notably higher than Prone Enterprises at 27%.
So all organisations need to move security out of policy manuals and into everyday habits: guardrails in workflows, incremental learning, and automation to enforce best practice.
With experienced cyber talent in short supply, Secure Creators take creative approaches, including reskilling people from non-cyber roles and outsourcing functions. They’re twice as likely to recruit from different backgrounds (28% vs 14%), and more likely to outsource core functions (median 25% vs 15%).
This flexible operating model allows them to build resilient capability, fast.
Some firms deploy cyber consultants, or ‘pods’ as embedded teams within business units, to guide secure development and knowledge transfer. This co‑created approach helps cybersecurity inform product rollout, tech purchasing and M&A from the ground up – not as a late-stage add-on.
Modern business thrives on partnerships, acquisitions and horizontal ecosystems. But each link with another organisation brings new cyber risks. EY’s Secure Creators make sure cyber criteria are baked into partner evaluation and integration protocols, so expansion doesn’t introduce weak links.
Secure cyber integration means they can balance risk and opportunity using standardised scoping informed by cybersecurity. That’s an immense potential value gain from strategic cybersecurity – and one that cybersecurity firms can sell, as long as they’re able to communicate it clearly.
We took five action points from the EY study to help cybersecurity teams and providers move towards value-focused cybersecurity:
More than just a shield, cybersecurity can be a catalyst for business growth. Integrated security delivered with strong communication can help organisations outperform their competitors, increase market agility, and turn perceived cost into visible ROI.
So cybersecurity leaders should move into strategic conversations early. Simplify tech stacks, build relationships across departments, and grow talent by reskilling and embedding cybersecurity knowledge throughout a business.
When cybersecurity transcends protection to become a value enabler, everyone wins. The board sees faster ROI. Customers get safer, more trusted services. And cyber leaders get a seat at the top table – which is where they need to be.