The Go Beyond the Connection Podcast - Powered by Bigleaf Networks
Is your security team protecting the business, or just protecting the network?

Featuring insights from guest Dean Sapp, Chief Information Security Officer at Filevine.


Security, Revenue, and the Cost of Getting It Wrong

When a data breach happens, the first conversation in most organizations is about the technical failure. Which system was compromised. Which endpoint wasn’t patched. How the attackers got in. Those conversations matter. But Dean Sapp, Chief Information Security Officer at Filevine, argues that they miss the bigger question: what does a breach actually cost the business, and is the organization treating security as a strategic function or just a technical one?

Sapp has been in cybersecurity for more than 30 years. He holds a graduate degree from the SANS Institute, serves as an expert witness in cybersecurity in the State of Utah, and oversees both security and corporate IT at Filevine, a legal operations platform used by approximately 5,000 law firms. In Episode 009 of Go Beyond the Connection, he sits down with host Steve MacDonald to lay out what IT leaders need to know from a CISO’s perspective.

The Ponemon Institute and IBM publish an annual Cost of a Data Breach report, and one of its core findings is stark: companies that experience a material data breach can lose more than 40 percent of their customers, and they can lose them overnight. Sapp uses that figure not as a scare tactic but as a framing device. If a business is thinking about cybersecurity only as a technical risk, it is missing the revenue volatility story that boards and shareholders actually care about.

He draws a direct line between IT leadership, network uptime, and customer trust. The CIA triad of confidentiality, integrity, and availability is not just a security framework. Availability, for example, maps directly to the ability to serve customers. A ransomware attack that encrypts a firm’s files and takes its systems offline is not only a security event. It is an operational shutdown with measurable revenue and reputational consequences.

Why Security Leaders Lose the Room

Sapp identifies two reasons why security professionals often fail to earn influence inside organizations. The first is being “Doctor No” — defaulting to blocking new technology rather than finding ways to deploy it safely. The second is a language gap. Security professionals who do not understand EBITDA, net dollar retention, or customer acquisition costs cannot make the business case that executive stakeholders need to hear.

“One of the cheapest ways to get a good handle on your security posture is to try and get a $10 million cyber liability insurance policy, because the insurance companies are so good at quantifying risk.” — Dean Sapp

His own path went in the opposite direction. He started with a business degree before pursuing technical credentials, which gave him the fluency to translate risk into revenue terms. His advice for IT leaders: learn to frame every security conversation in the language of the people across the table.

What You Will Hear in This Episode

  • Why a data breach is primarily a business continuity and revenue event, not just a technical failure
  • How to move from being “Doctor No” to becoming a strategic enabler inside your organization
  • Why traditional on-premise networks, including Microsoft Active Directory and Exchange, can no longer be adequately defended
  • A real-world ransomware case involving a law firm that lost every local system and backup but kept operating because of cloud-based data migration
  • The CIA triad explained as a business risk model, not just a security checklist
  • The cheapest way to assess your security posture: applying for a cyber liability insurance policy

The Bigleaf Connection

Everything Dean Sapp describes in this episode connects to a single underlying truth: network reliability and security posture are inseparable. When Sapp talks about availability as a core pillar of information security, he is describing exactly what Bigleaf Networks is built to protect. Businesses that rely on multi-location connectivity, cloud applications, and distributed teams cannot afford the operational exposure that comes from a degraded or compromised network. Bigleaf’s SD-WAN and traffic optimization technology ensures that when something goes wrong at the network layer, traffic is intelligently managed and uptime is preserved. That is not a separate problem from security. It is part of the same continuity equation.
