Technology investments are no different. They, too, have always been a trade-off between risk and return. However, for enterprise technology, increased global connectivity is raising the stakes on both sides of the equation. The commercial rewards from tapping into this connectivity are enormous, but the more tightly we are connected, the more vulnerabilities exist that attackers can exploit and the more damage they can do once inside. Therefore, when a manufacturer invests in a new product life-cycle management system, it is making a bet that the system will not enable the theft of valuable intellectual property. When a retailer invests in mobile commerce, it is betting that cyber-fraud won’t critically damage profitability. When a bank invests in customer analytics, it is betting that the sensitive data it analyses won’t be stolen by cyber-criminals. The odds on all those bets appear to be shifting away from the institutions and toward cyber-attackers. They could swing decisively their way in the near future given most companies’ siloed and reactive approach to cybersecurity.

Our interviews with business leaders, chief information officers (CIOs), chief technology officers (CTOs), and chief information security officers (CISOs) indicate that concerns about cyber-attacks are already affecting large institutions’ interest in and ability to create value from technology investment and innovation. Potential losses, both direct and indirect, reduce the expected economic benefits of technology investments, as do the high cost and lengthy time frame required to build the defense mechanisms that can protect the organisation against a growing range of attackers. In short, the models companies use to protect themselves from cyber-attack are limiting their ability to extract additional value from technology.

Concern about cyber-attacks is already having a noticeable impact on business along three dimensions: lower frontline productivity, fewer resources for information technology (IT) initiatives that create value, and — critically — the slower implementation of technological innovations.