Walk into any boardroom and raise the topic of “cybersecurity investments,” and you’ll often hear the same response: “Yes, it’s important—but what’s the ROI?” Well, does the C-level even know why cyber security is “important” when this word is mouthed? The unfettered truth is, cybersecurity doesn’t directly generate revenue. It doesn’t help you sell more products or expand markets. In fact, security controls—multi-factor authentication, VPN requirements, USB restrictions—can feel like roadblocks that slow down operations.

Cyber Security is Not an insurance

Cybersecurity isn’t an insurance policy either. While cyber insurance may cover some financial damages, it cannot restore reputation, trust, or business continuity after a major breach. So why invest in it?

The real value of cybersecurity lies in protecting business ROI. Just as you hire security guards to safeguard physical assets, cybersecurity safeguards digital operations and ensures continuity. This is especially critical in sectors that rely on Operational Technology (OT)—pharmaceuticals, petrochemicals, food manufacturing, and other critical infrastructures.

Consider Merck’s 2017 NotPetya incident: over 40,000 computers wiped, operations halted, research disrupted, and losses totaling $1.4 billion. Beyond the financial impact, the attack directly affected medicine production—impacting human lives. As Joshua Corman of the Atlantic Council noted, “The impact on Merck was particularly troubling because it affected the firm’s ability to produce medicines. This is serious. It affects human lives. Imagine if the supply of something like H5N1 influenza vaccine was affected when we needed them”. Merck eventually recovered its financial losses after years of arbitration with its insurers, but the long-term operational scars linger till this day.

How Can You Begin?

So where should businesses begin? The first step is compliance. Regulations already define baseline expectations—what you must do to demonstrate due care. In Saudi Arabia, for example, the National Cybersecurity Authority’s OTCC-1:2022 provides a comprehensive framework for OT cybersecurity. But compliance alone is not enough.

The next step is risk assessment—evaluating your current posture through the lens of an attacker. This identifies gaps beyond compliance and prioritizes remediation. Closing these gaps demonstrates due diligence—going the extra mile to ensure resilience.

Cybersecurity may not generate ROI—but without it, your ROI is at risk. The real question for every business leader is: Are you exercising both due care and due diligence to protect your returns? Hesitate not. Contact Resilience to see how we can help you in your cyber security journey.

 

Explore our OT services Resilience OT/ICS Security | Resilience