Growth series: IT, cybersecurity have key roles


Mature technology and controls create a competitive edge


Mature technology and strong cybersecurity no longer are optional features for organizations that are seeking to drive growth.


In many industries, sophisticated enterprise resource planning, human capital management, supply chain management and financial planning and analysis systems are providing companies with efficiencies and strategic advantages that give them an edge over their competition.


For a growing number of companies, a technology offering comprises the entirety of the product or service for sale. In the healthcare industry alone, there are companies that mine patient data to provide predictive analysis, create a virtual setting to connect patients with caregivers, and perform many other important functions.


“You now have companies that are just a purely data play,” said Sonny Origitano, Managing Director - Strategic Solutions for Grant Thornton LLP.


Origitano participated in Grant Thornton’s growth series discussion that focused on the role IT and cybersecurity play in driving growth. Suffice to say, mature IT and cyber controls are no longer optional — they’re necessities.


Whether companies are looking to drive organic growth or hoping to be acquired, having the right technology is a must for maximizing value. And that technology — indeed the welfare of an entire organization — is in extreme jeopardy without strong cybersecurity controls.


As attackers get more sophisticated, new controls are needed.


“Given the rise of phishing attacks and identity fraud over the past few years, multi-factor authentication is no longer the gold standard,” said Derek Han, Principal and Cybersecurity and Privacy Leader for Grant Thornton. “It’s become the baseline, a basic standard. Even in the past year and a half, we’ve seen bad actors start compromising multi-factor authentication solutions. I think the bar keeps rising every day in terms of how we’re going to keep consumer identities secure.”



4:03 | Transcript



More growth insights

















Get motivated on cybersecurity





Mid-market companies may be vulnerable


For some companies, the motivation to improve cybersecurity is increased when a cyber insurance provider raises rates or threatens to deny coverage because controls aren’t strong enough.


“You can spend less on cybersecurity, but your insurance premium would go up and then if you experience a breach, you’d have to pay for that as well,” Han said. “There’s no free lunch in my opinion. You have to spend money. But also, I believe as the industry adopts more standard controls, the cost will go down. You look at Microsoft, and they’re building a lot of their cybersecurity solutions into their Microsoft 365 subscriptions. More and more, cybersecurity will become a feature of your computing devices. I think the cost will come down.”


Cybersecurity risks may be particularly challenging for mid-market companies with less than $500 million in annual revenue. They often have a director or vice president of IT, but not a dedicated chief information security officer. If the IT leader is not a cybersecurity expert, the company might be lacking in controls and cyber resilience.


Origitano said mid-market companies may be especially vulnerable when they are in the news because of an acquisition. He said the impetus for cybersecurity improvement at these companies may come when a strategic buyer wants to improve their controls.


It should be no surprise, then, that IT maturity and cybersecurity have become core elements of due diligence activities related to transactions. They’re also considered when companies are choosing suppliers.


“If your business model is one where you’re holding data or anything else belonging to a client, you had better have these controls in place,” Origitano said. “Nowadays companies are getting more sophisticated when they do their own diligence on a provider or supplier. If you don’t have the right controls in place, a potential client may pass you up and find a different provider.”



2:48 | Transcript


Show image description -->

More than half of CFOs consistently plan to spend more on cybersecurity, according to this bar chart using data from Grant Thornton’s quarterly CFO surveys. In any given quarter, 10% of CFOs or less plan to spend less on cybersecurity.


Resilience is a key





Plan for every scenario


In addition to improving IT assets and augmenting cybersecurity controls, companies can drive growth by building cyber resilience into their organizations. This is built by creating a team composed of key people throughout the organization who would be crisis-mode responders in the event of a cyber incident. This team should meet regularly and practice cyber incident scenarios.


One of the issues this team would discuss is disclosures, as new regulatory requirements are emerging that may compel reporting of a cyber incident within just a few days. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. Additionally, proposed amendments to the New York State Department of Financial Services Part 500 Cybersecurity Regulation (23 NYCRR Part 500) would require such timely reporting for covered entities.


Meanwhile, Han predicts that automation will emerge as a key element in cybersecurity in the coming years.


“We don’t have enough humans and talent for all the cybersecurity jobs,” Han said. “Globally, we’re 2.7 million jobs short from a cybersecurity perspective. We don’t have enough humans to do it. Automation is definitely a key focus for gaining more visibility, quicker response time, quicker remediation and quicker detection.”


This will be yet another technological opportunity that companies can take advantage of in their continuing quest for growth.




Content disclaimer

This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.


Explore the many elements of growth


Our featured strategy insights