Cyber Security Is a Revenue Threat: Key Takeaways From Our Live Session

Cybercrime is a trillion-dollar industry. We hosted a panel discussion on what cybersecurity readiness actually means when attackers operate like businesses. Here are the takeaways the conversation.

Cyber Security Is a Revenue Threat: Key Takeaways From Our Live Session

Cybercrime is a trillion-dollar industry. Last week, we hosted a panel discussion on what cybersecurity readiness actually means when attackers operate like businesses.

Eric Andresen (Senior Manager - Information Security, SSAB), Marta Strzelec (Head of Content Engineering, TryHackMe), and Tinus Green (Head of Consulting, MWR CyberSec) joined Ashu Savani (Co-founder, TryHackMe) to discuss how organizations need to rethink how they prepare, communicate, and measure cyber security efforts.

Below are the key takeaways from that conversation.


Cyber security has moved from systems to financial impact

For years, organizations measured cybersecurity success by perimeter strength, tool coverage, and incident counts. That framing no longer holds.

Eric Andresen (SSAB):

“Attackers don’t hack for disruption anymore. They hack for profit, and they choose targets the same way any business would.”

Attackers track profit. They reinvest. They choose targets based on financial return. Whether the motivation is ransomware, IP theft, or geopolitical leverage, the outcome for the victim organization is the same: economic loss.

Marta Strzelec (TryHackMe):

“Cyber security readiness isn’t about securing systems. It’s about securing economic value.”

This reframing matters because the real damage from cyber incidents starts long before forensic investigations finish.

Withstanding the first hour is the top priority

Industry reports often focus on average breach costs, well into the millions of dollars per incident. But those numbers hide where damage actually begins.

Eric Andresen (SSAB):

“The damage doesn’t start with forensics. It starts when production slows, orders stall, and revenue stops moving.”

Attackers optimize for speed and pressure. Every minute of disruption compounds losses.

Eric Andresen (SSAB):

“Five minutes of disruption is enough to trigger meetings — because those minutes are revenue.”

In manufacturing alone, Andresen notes that major cybersecurity events now occur every 4–5 days across the industry, representing potentially hundreds of millions in lost revenue annually.

Readiness, then, is not just about detection and response, but whether your organization can withstand financial and operational shock in the first hour.


You can’t defend what you can’t explain to the business

One of the biggest barriers to readiness is communication.

Security teams often present cyber risk in technical terms: vulnerabilities, threat actors, attack paths. Business leaders don’t think this way.

Tinus Green (MWR CyberSec):

“We lose leadership buy-in because we talk about technical risk instead of business pain.”

Executives aren’t actually disengaged, they’re just speaking a different language.

Tinus Green (MWR CyberSec):

“Executives don’t need threat models. They need to know what breaks, when it breaks, and what it costs.”

That translation starts with understanding what leadership actually fears.

Tinus Green (MWR CyberSec):

“If you want buy-in, start by asking what would keep them awake at night.”

Conversations change when security teams map technical issues to those fears like downtime, missed shipments, and contract loss.


Language is a security control

How you talk about cybersecurity directly affects how seriously it’s taken by the wider organization.

Eric Andresen (SSAB):

“If the business can’t understand your risk, it won’t act on it.”

At SSAB, Andresen’s team avoids technical jargon altogether when speaking to the business.

Eric Andresen (SSAB):

“We talk about risk like a credit score,  because everyone understands confidence, not perfection.”

The credit score parallel doesn’t promise perfection, but it does communicate direction, effort, and credibility. That’s what executives need from security teams.

Eric Andresen (SSAB):

“If you lead with acronyms, you’ve already lost the conversation.”


Readiness can’t be declared, it can only be demonstrated

Boards and executives would rather evidence of confidence than absolute guarantees.

Eric Andresen (SSAB):

“Readiness is a trust problem, not a tooling problem.”

But assurances on their own aren’t enough to build trust.

Tinus Green (MWR CyberSec):

“The only 100% guarantee in cyber security is turning everything off.”

To really convey readiness, it’s important to show what has been tested, what failed, and what improved.

Tinus Green (MWR CyberSec):

“Confidence comes from the battle scars, not from promises.”

Tabletop exercises are where readiness is built

Real pressure is needed to build actual, defensible readiness. That requires tabletops, simulations, and realistic discomfort for teams.

Marta Strzelec (TryHackMe):

“Grit isn’t taught in documentation. It shows up under pressure.”

Exercises like tabletops allow organizations to experience that pressure safely, before real money is on the line.

Marta Strzelec (TryHackMe):

“If you want confidence in readiness, you need to practice being uncomfortable.”

But not all tabletops serve the same purpose.

Eric Andresen (SSAB):

“Executives and operators need to practice different decisions at different levels.”

Tinus Green (MWR CyberSec):

“You don’t need one tabletop. You need three: technical, executive, and the space in between.”

Each group needs to practice decision-making in its own context, and then practice communicating across boundaries.


AI impacts speed more than accountability

AI is reshaping security operations, but it doesn’t remove accountability.

Marta Strzelec (TryHackMe):

“AI makes teams faster and more scalable, but it doesn’t make decisions.”

AI excels at triage, correlation, and processing massive datasets. But it does not replace experienced human judgment.

Marta Strzelec (TryHackMe):

“Judgment and investigative instinct can’t be automated yet.”

The danger comes when AI is positioned as a replacement for thinking.

Eric Andresen (SSAB):

“AI should multiply people, not replace them.”

Tinus Green (MWR CyberSec):

“If AI removes the sticky situations, it removes the learning.”

AI should help teams reach harder problems faster, not avoid them entirely.


Your security posture extends beyond your perimeter

Cyber security doesn’t stop at organizational boundaries.

Eric Andresen (SSAB):

“If our customers lose money to cybercrime, that loss comes back to us.”

When customers or suppliers suffer cyber incidents, the financial impact often flows back to you.

Eric Andresen (SSAB):

“We care about our customers’ cyber safety because it directly affects our own.”

This ecosystem view is practical risk management, recognizing the way in which partner, customer and vendor security is intertwined.

Tinus Green (MWR CyberSec):

“Every small business lost to cybercrime weakens the entire ecosystem.”

Security can’t be bought

No tool, AI-powered or otherwise, can deliver readiness on its own.

Eric Andresen (SSAB):

“You don’t buy security. You build it with people, process, and technology.”

Building security means investing continuously in:

  • People (skills, judgment, experience)
  • Process (tested, realistic, adaptable)
  • Technology (supportive, not relied on blindly)

Eric Andresen (SSAB):

“Trying to fix everything at once is how you fix nothing.”

AI is changing the key metrics

As automation accelerates, traditional security metrics lose meaning.

Marta Strzelec (TryHackMe):

“When AI does the detecting for you, detection speed becomes a vanity metric.”

What matters now is time to meaningful action, like how quickly teams prevent business impact, beyond identifying threats

Eric Andresen (SSAB):

“KPIs are an assurance requirement,  they’re how trust is earned.”

Marta Strzelec (TryHackMe)

“AI is incredible at speed and scale, but the investigative instinct still belongs to humans —and that instinct only develops through experience.”

Metrics that capture activity aren’t sufficient anymore, we need to measure progress, resilience, and learning.


The core truth about readiness

Cyber incidents are inevitable. But as the group observed, revenue loss doesn’t have to be.

Marta Strzelec (TryHackMe)

“Cyber incidents are going to happen. The only question is whether you stop them before they turn into a business problem.”

Eric Andresen (SSAB):

“Continuous improvement is the only realistic security strategy.”

Readiness is a process more than a destination.

It’s demonstrated repeatedly under pressure. When done well, it’s communicated with clarity, and in business terms leaders understand.

For businesses and governments, there are no more “ifs” about cyber incidents. They’re inevitably going to happen. What’s crucial is building the readiness to protect what matters when they do.


So what does readiness actually require in practice?

It means explicitly mapping cyber risk to revenue-critical processes, defining what success looks like in the first hour of disruption, and translating technical risk into business outcomes leadership already understands.

It means demonstrating readiness through realistic tabletop exercises and simulations to understand where security teams stand beyond the theory.

It means using AI to remove friction without replacing human judgment, and extending security thinking beyond your own perimeter to customers and partners.

Most importantly, it means prioritizing people, process, and technology together, so that we’re measuring and driving continuous improvement that’s grounded in reality.

If you found this conversation interesting and want to see how TryHackMe helps teams build real-world cybersecurity skills, take a look at our business offering.