A Cybersecurity Program is not Insurance…
…it’s an Investment.
Getting pulled over and found without auto insurance can cost you hundreds, but getting caught without cybersecurity can cost you millions.
Cybersecurity is more than meeting compliance, regulations, laws, and standards, it is about sustaining your business in this competitive landscape. Without effective cybersecurity tools and best practices in place (i.e. appropriate patches, periodic scans, or hardened network devices) the likelihood of data loss or intellectual property leaks as result of hacks, ransomware, viruses, or simple human errors in data management increases substantially, thereby reducing an organization’s profitability, market value, trustworthiness, and ability to be competitive.
Understanding that data is a product, service, or good, and efficient management of such data can provide profit in the billions of dollars, companies will begin to grasp the importance of data protection that cybersecurity standards and controls provide.
So how do we measure the return on investment (ROI) for cybersecurity initiatives? How can an organization balance the costs of sophisticated security technologies and communicate the benefits they provide? Some simply state, “Potential cyber breaches and their consequences justify the upfront and ongoing expense required to prevent its occurrence.”
Many large enterprises use a risk assessment approach and current research among like organizations who have been compromised to identify the likelihood, impact, and threats associated with various risks. These values provide a what-if scenario and cost analysis for not implementing or controlling the data flow appropriately. However, small and midsized businesses (SMBs) with limited resources face challenges in obtaining, applying, and managing cybersecurity standards and controls and have bigger challenges and understanding and communicating the investment of cybersecurity. In many cases, they also lack the research to compare potential impacts of data loss for their organization.
Most executive leaders have a good grasp of market risk, financial risk, operational risk and so on, but lack the knowledge of cyber risk, especially for new businesses who have yet to gather metrics to identify potential threats. Executives and board members need reliable data to make informed strategic decisions. Using language such as ‘could,’ ‘may,’ and ‘most likely’ provide sound insight but lack confidence and true justification. “…many key decision makers still insist on seeing real, measurable results in order to justify the value of having an established, solid threat detection plan in place.” All things considered, trying to calculate and communicate a return on investment for cybersecurity is a poor and in many cases unrealistic approach.
How much are they willing to spend, to save?
This is perhaps the foundational question in balancing cost and benefits (or potential benefits) for cybersecurity strategies. Security professionals love to use scenarios, case studies, or simple metaphors to express the meaning and justification for various tools and technologies used to secure and manage enterprise intellectual property and consumer data. For example, why purchase locks and security monitoring systems on a home? What if during the lifetime in a residence no one ever tries to enter the home unannounced; does this still justify the expense accrued over the years for the lock and security system? When relinquishing the residence, is there truly a return on investment? Americans spend thousands of dollars a year on home security systems for peace of mind, because let’s face it, if a bad guy wants in, they will get in. This follows true in cybersecurity as malicious actors will find a way regardless of the measures put in place, but for some organizations (very few) a breach may never occur. However, the role of cybersecurity is not necessarily to keep bad guys out, but to limit what they can access or exploit, to reduce reaction time or mean time to resolution (MTTR), to demonstrate the organization’s diligence, competency, and trustworthiness with consumer data, and ultimately to train and educate internal employees on proper use of data.
Investing in cybersecurity improves productivity and saves money. One could argue that it also increases profitability as it communicates to consumers trust and reliability. It not only saves money from what could happen, but from what does happen. According to a recent article “…the major sources of cyber threats aren’t technological. They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris. These human forms of malware can be present in any organization and are every bit as dangerous as threats delivered through malicious code.” Security awareness training for employees on how to properly manage, store, and transmit data provides data proficiency and control that positivity impacts productivity. Data is available and reliable at critical moments, is transmitted securely with integrity to persons of interest, and is stored and backed-up for quick recovery. Investing in the right cybersecurity tools and technologies provides business leaders a peace of mind in operations and management of digital information or revenue streams.
According to Murphy’s Law, bad things can and do happen. Whether external or internal a compromise of intellectual property may occur. With the right cybersecurity investments, the root cause can be identified, data can be tracked, and recovery operations can be underway in minutes. Companies have spent hours, weeks, months, or years trying to determine how an incident occurred, what data was compromised, and how to prevent or reduce the reoccurrence of the incident. “It is estimated that about 60 percent of MTTR is spent determining the root-cause of the actual problem.” Cybersecurity tools can save thousands of man hours by reducing the MTTR and getting operations back into production. A key strategy to investing in cybersecurity is to consider the most impactful cyberthreats that are likely to occur and apply appropriate measures to not simply deter but recover quickly and with little disruption to business. This is where cost savings really shines!
A key takeaway is to treat cybersecurity as an investment in meeting business strategies with little friction from the ongoing cyberwar. It is not to be treated as an insurance policy or broken down in such a way that a hypothetical ROI can be established. These misconceptions for building a cybersecurity program can lead to disappointment from employees, loss of support from leadership, and misrepresentation of the true value cybersecurity is bringing to the workforce. Executing cybersecurity programs and strategies is a valuable investment opportunity that will improve productivity and increase profitability for the business; by saving money, saving time, and integrating efficiencies in operations.
References
1. http://searchcio.techtarget.com/news/450419414/Not-investing-in-cybersecurity-has-inverse-ROI
2. https://cybersponse.com/2942-2
3. https://ayehu.com/calculate-roi-cybersecurity-threat-defense/
4. https://www.forbes.com/sites/gilpress/2017/07/10/leveraging-ai-to-maximize-cybersecurity-roi/#3d81c29539e4
5. https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/small-businesses-investing-cybersecurity/
6. https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training
7. http://business.financialpost.com/technology/companies-see-the-cyber-threat-but-spending-on-security-is-a-different-matter/wcm/6587b090-4936-48f9-80e1-e57ce22b8ccf
8. http://www.csoonline.com/article/3084887/leadership-management/philosophy-plato-and-cybersecurity-as-a-public-service.html
