By Ajay Singh, Author of CyberStrong! A Primer on Cyber Risk Management for Business Managers
Large and small companies alike struggle to determine whether their cybersecurity investments are adequate or well-directed. The growing frequency of cyber threats and the impact of cybercrime have made investing in cybersecurity an essential survival and growth imperative. Companies recognize that a cyber-attack can mean a massive setback to their business, from temporary disruption to permanent closure. The average cost of a data breach, in terms of economic and reputational losses, added up to US$ 4.24 million in 2021, according to reports. While the perils of not investing in cybersecurity are widely known, the reasons for investing may vary according to risk appetite, compliance with regulatory mandates, and security posture. Investments in cybersecurity should be considered a cost of doing business.
Business leaders and owners are predisposed to, and trained in, thinking in terms of return on investment. Their methods of evaluating competing investment opportunities, and their objectives in investing, are seldom geared to defensive strategies for asset protection; they are geared to productivity enhancement, business expansion, and metrics leading to revenue and profit growth. Cybersecurity can seem like an area of investment forced upon them by rising cyber threats and the potential for adverse impacts on their business. In this scenario, it is difficult for management teams and Boards to determine what kind of cybersecurity investments are appropriate, adequate, and optimal. The tendency to optimize investments can also be put to the test, as threats can materialize and cause damage at any time.
Let us examine some of the investment philosophies (strategies and methods) that are in use for determining the quantum and timing of cybersecurity investments and evaluate their effectiveness:
The percentage of revenues method is a traditional method initially used to drive IT investments. It is a rule of thumb that companies have used for many years: a percentage of revenues (typically between 5-10%) was considered the best way to allocate IT budgets. The same process is used for cybersecurity budget allocations, which are set as a percentage of the IT budget. With cyber risks rising every day, this method is usually ineffective in providing the required security levels.
The Spray & Pray method allocates the cybersecurity budget to a random set of risks that are currently the flavor of the day, investing without a cohesive strategy to enhance overall security posture. It may ward off a few threats, leading companies to believe they made suitable investments and to live in the hope that divine protection will be with them. Even if it has worked for some time, in the long term it could compromise security and even cause more significant harm.
The knee-jerk investment method: here, a recent cyber-attack faced by the company, its associate companies, or industry peers may ring alarm bells and result in knee-jerk reactions in the form of investments to stop similar attacks from happening to the company. Again, a short-term measure that provides temporary satisfaction and comfort may not be the best way to make cybersecurity investments.
The “let us throw some money at the problem” method happens when management teams and Boards do not have, or do not spend, adequate time to understand cybersecurity threats and issues, and believe that allocating a budget to buy the latest technologies is sufficient and the problem will magically disappear. Such an investment strategy, if you can call it that, sounds ridiculous but is more common than we would expect.
The “this much and no more” method is also born of ignorance, with cybersecurity budgets given more as a handout than backed by any conviction or strategy. It is often based on a “head in the sand” approach: we have lived with the risks for so long, so a cyber-attack will not happen to us, and if it does, we have done our bit.
Investing based on fear of regulatory non-compliance is yet another method, where the company is convinced that, by allocating enough budget to meet compliance requirements, it is safeguarded from cyber-attacks. The fear of non-compliance, fines, and penalties are excellent reasons to make cybersecurity investments, but security experts will tell you that you can still be found wanting. Regulators cannot think of all threat scenarios on your behalf, nor is there a one-size-fits-all cybersecurity list that regulators can prescribe to keep you immune to cyber-attacks. Companies following this cybersecurity investment philosophy will do well to broaden their thinking and make investments based on their risk profile and risk appetite.
The “what returns can we expect” method is, surprisingly, practiced in larger companies that want to see ‘returns’ for all investments made. In such companies, IT and Security teams use risk quantification to justify investment proposals and get budgetary approvals. Risk quantification has its merits: it speaks the universal language of money, which is understood by all, rather than cybersecurity jargon. But cyber risks are nuanced, and threat factors need to be well understood and addressed.
The “get in a consultant” method is usually adopted when other approaches to budgeting fail and the internal teams fail to justify their requests for budgetary allocation. Managements also use consultants as cover for any future issues that may arise following a cyber-attack or data breach, to prove that due diligence and proactive steps were indeed taken before the unfortunate incident occurred. Provided the consultants' terms of reference are properly framed, this method merits consideration.
The “catching up with the rest of the crowd” approach is another way cybersecurity budgets are allocated. Here, the company studies how much competitors and industry peers are investing in cybersecurity and makes similar investments in terms of dollars and security mechanisms.
Aligning investments to business risks, objectives, and business strategy is perhaps the best and most comprehensive method for allocating cybersecurity budgets. If you want your cybersecurity investments to count, you must use this investment strategy and factor in the following elements:
- Identify your top risks and protect your most valuable assets
- Think long term, look ahead, learn from the past
- Elements-based investing: ensure that investment proposals include aspects like employee training and setting up a Security Operations Center and Incident Response Teams
- Invest in implementing frameworks, standards, and best practices
- Consider cyber risks beyond regulatory requirements
- Invest in governance and monitoring systems along with the right technology set
- Do not forget risks from your supply chain
- Help ensure coverage of your biggest risks and mitigate risks through insurance and other risk treatments
- Invest in employee cybersecurity knowledge and skill development
- Invest in building the capability and agility to fight the next, potentially unknown, threat vectors
Experts believe that a balanced investment strategy, in which 30-40% of your cyber investments are spent on protection, about 30% on detection, and about 30% on response and recovery, represents a good mix and can help enhance the company’s overall security posture.
The question that begs an answer is: can a risk-driven investment strategy combined with a balanced mix of elements guarantee a company immunity from cyber-attacks? Unfortunately, the answer is NO! However, this kind of comprehensive and cohesive investment philosophy will ensure that you are in a better position to deal with cyber-attacks and to mitigate the losses and damage from an attack.