Can cybersecurity offer value for money?

Image: Internet cybersecurity (Markus Spiske, Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Paul Stokes, Co-founder, Managed Security Forum, Prevalent AI


Cybersecurity looks like a waste of money. Companies set new global records with $37 billion invested in security in 2018, with spending expected to surpass $42 billion by 2020. Gartner research found that security spending per employee doubled between 2012 and 2018. And yet the bad guys are still gaining the upper hand. Cybercrime cost the world economy $600 billion in 2017, up from $500 billion in 2014. People are starting to question whether increasing budgets actually reduce cyber incidents.

Nor is the problem a lack of awareness. UK government research found that the perceived importance of cyber-risk among FTSE350 companies has almost tripled in five years, proving that the most powerful decision-makers in UK business are concerned about security. The UK is no outlier, either, as the 2019 WEF Global Risk Report has cyberattacks occupying the fourth and fifth spots for international risks most likely to increase.

When we rule out investment and intent as the reasons behind our collective failure at security, we are left with implementation. Is there something wrong with the way that well-meaning professionals invest growing security budgets that prevents us from improving our cyber-resilience?

The first thing to consider is how cyberdefences are formed. A company’s security apparatus typically grows iteratively, with employees, tools and procedures added in response to changing budgets, threats and regulations. It is easier in the short-term to deal with emergent threats reactively rather than revisit the entire security strategy. Over time, this has led to an excessive number of tools, many of them point solutions, and this progresses into security teams that are overwhelmed by alerts, lacking a cohesive strategy and in a constant state of firefighting.

Addressing this vicious circle requires an adaptive framework that is agreed by a company’s senior management and implemented across the organisation. The most effective approach is a structured cyber-risk management framework, where security threats are expressed in terms of financial risk to a business and the cost of mitigation. When used correctly, it leads to security spending being informed by risk specialists in the C-suite such as the CFO, CRO and even CEO. The next progression to make spending more efficient is to track the return on investment in cyberdefences, to allow companies to better prioritize investment and provide more accurate reporting on their security posture.

From risk management to ROI

Cyber-risk management stems from a philosophy of oversight that demands metrics to inform decisions as well as to assess them in retrospect. Security has historically struggled with this concept, as chief information security officers (CISOs) who have not suffered major incidents are unable to make the case for greater investment, and those who weathered breaches and attacks are forced to pay “security penance” and overspend in the aftermath. Measuring return on investment resolves both situations.

The first step to measuring ROI is to quantify security risks. One way to do this is a Value at Risk (VaR) approach, such as the FAIR framework. The results of the quantification can then be represented in a loss exceedance curve. These plot the likelihood of sustaining a loss in a given year against the financial cost that would be sustained: in other words, the size of loss that an event would exceed, set against the chance of that event taking place.

The second step is to compare the forecast losses against a company’s agreed risk appetite, enabling the organisation to decide where to invest in mitigations to reduce the risk to an acceptable level. Finally, once these mitigations have been implemented, the same risks are then quantified again using the VaR approach, comparing before and after, in order to assess the return on investing in the mitigations. This is best illustrated using a loss exceedance curve:

The above example can be used to determine ROI on an investment in security. This is done by plotting the inherent risk before the investment took place, using a VaR model to quantify it, and then comparing it with the agreed risk tolerance. If the risk is above the tolerance, then after any mitigations are in place, the risk is calculated again. The before and after curves are then compared to determine ROI.
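The three steps above (quantify, compare against the agreed risk appetite, re-quantify after mitigation), worked as an added example that is not from the article: a FAIR-style compound-Poisson simulation builds the loss exceedance curve, tests it against a risk appetite, and computes ROI from the reduction in expected annual loss. The scenario names, event frequencies, loss figures and mitigation cost are constructed assumptions.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """A FAIR-style loss scenario: how often it happens and how much it costs."""
    name: str
    frequency: float     # expected loss events per year (Poisson mean)
    median_loss: float   # median loss per event, in currency units
    sigma: float         # log-normal spread of the per-event loss

    def expected_annual_loss(self) -> float:
        # Compound-Poisson mean: frequency x mean per-event loss, where a
        # log-normal's mean is median * exp(sigma^2 / 2).
        return self.frequency * self.median_loss * math.exp(self.sigma ** 2 / 2)

def _poisson(rng, lam):
    """Knuth's inversion sampler; fine for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(s, years=10_000, seed=7):
    """Monte Carlo: total loss sustained in each of `years` simulated years."""
    rng, mu = random.Random(seed), math.log(s.median_loss)
    return [sum(rng.lognormvariate(mu, s.sigma) for _ in range(_poisson(rng, s.frequency)))
            for _ in range(years)]

def loss_exceedance_curve(losses, thresholds):
    """P(annual loss >= t) for each threshold t: the curve the article describes."""
    return [(t, sum(1 for x in losses if x >= t) / len(losses)) for t in thresholds]

def exceeds_tolerance(losses, max_loss, max_prob):
    """Risk appetite stated as 'at most max_prob chance of losing max_loss or more'."""
    return loss_exceedance_curve(losses, [max_loss])[0][1] > max_prob

def security_roi(before, after, annual_cost):
    """ROI = (reduction in expected annual loss - annual cost of the mitigation) / cost."""
    reduction = before.expected_annual_loss() - after.expected_annual_loss()
    return (reduction - annual_cost) / annual_cost

# Constructed figures for illustration only; not from the article.
INHERENT = Scenario("ransomware, no EDR", frequency=0.5, median_loss=400_000, sigma=1.0)
RESIDUAL = Scenario("ransomware, with EDR", frequency=0.2, median_loss=200_000, sigma=1.0)
EDR_ANNUAL_COST = 60_000
```

Calling `loss_exceedance_curve` on `simulate_annual_losses(INHERENT)` and on `simulate_annual_losses(RESIDUAL)` at the same thresholds gives the before and after curves; `security_roi(INHERENT, RESIDUAL, EDR_ANNUAL_COST)` gives the return on the mitigation as a multiple of its annual cost.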

Only a quantitative approach such as this can ensure budgets are spent in the most effective way, with the highest impact investments. It prevents reactive spending by building oversight into the investment process, and taps into senior expertise by presenting security in the language of business and risk. This approach can then be used to continuously monitor security projects as they progress, both through implementation and then over time once they are live.

ROI requires continuous quantitative data

Most organizations rely heavily on static tests such as vulnerability scans and penetration tests to determine cyber-risk. These are useful exercises, but are not enough in themselves.

Qualitative assessments based on subjective factors, another common approach, often do more harm than good when measuring ROI. Some CISOs protest that quantitative data is not always available, and soft scoring can provide a “feel” for security posture, but these methods rarely alleviate a lack of data in a highly complex field, while they can often obscure it.

Dynamic, quantitative data is required to provide boards and executives with the information needed to make informed decisions about security investment. This quantitative data needs to be up to date. As ESG’s Jon Oltsik explains in Oltsik’s Law, you cannot measure a dynamic environment with static data. Risk scoring, and resulting Return on Investment analysis, need to be based on continuously updated data.

Risk in real terms

UK government research shows that just one in three FTSE350 companies has even agreed a security risk appetite and communicated it to staff. And that is based on self-reporting; the real number is likely to be lower. There is still a lot more waste than measurement in security. Yet it is clear that change is under way, with Gartner naming risk appetite statements as one of its top seven security and risk management trends for 2019.

Cyber-resilience is a moving target, and sometimes it can be hard to tell if a company is even moving in the right direction. Determining ROI allows for tangible, clearly defined measurement of progress that is understood throughout the organisation. For some companies this means demanding continuous risk reporting on security initiatives with full board oversight, while others might start by progressing from qualitative heat maps to quantifiable risk metrics.

The ultimate goal of cyber ROI is to maximize investment and reduce risk. This includes tapping into the expertise of the board and building towards a shared language of risk and ROI, which can only be done when risk and ROI are accurately and continuously measured. When done correctly, the value of security investment is plain to see.
