Cybersecurity is crucial for every business because a successful cyberattack can damage its reputation, trust, and stock price and incur additional losses through damages and legal proceedings. In fact, a study in 2016 found that 60% of small businesses close within six months of a successful cyberattack or data breach. Another study found that cyberattacks cost organizations $200k on average. This confirms the importance of an effective cybersecurity strategy.
In 2020, most organizations asked part or all of their workforce to work from home, following public safety and social distancing guidelines. Security teams are doing their best to provide employees with secure online access.
However, this unexpected and unprecedented adoption of the “work from home” model along with the increasing pressure of shrinking budgets for IT — especially cybersecurity — is increasing the vulnerability of businesses. “The coronavirus spread quickly but it’s possible cyber criminals moved even quicker in distributing all manner of pandemic themed lures and scams,” reported the Global Threat Landscape Report — a semiannual report by FortiGuard Labs.
The ongoing uncertainty in the industry caused by the coronavirus crisis has raised growing concerns about shrinking budgets. Though this calls for an immense focus on improving business value, it is not the right time to minimize cybersecurity budgets. On the contrary, it is high time to focus on and improve security posture to fight cyberattacks. But CISOs can find it difficult to secure the cybersecurity budgets they need under these conditions, especially if they are unable to show the ROI on the expenditure.
Showing that ROI means demonstrating cybersecurity strength with the evidence required to prove its business value. Fortunately, there are some proactive measures and tools that will help solve this problem. CFOs, CIOs, and CISOs must work together to understand how efficiently they detect and block threats every day. As businesses transition back, they will face multiple challenges. The first step will be to identify the crisis and develop a crisis management strategy. The next step will be to gather relevant data to prove value optimization, such as:
Benchmark: Businesses must benchmark their organization’s performance against the performance of their industry sector. This comparison gives the business valuable insights into potential growth. When assessing cybersecurity performance, the industry standards can also be checked.
Security Validation: The most important task in cybersecurity is security validation, which helps to validate the security controls set in place. Security validation tools help in this rigorous task of measuring and validating security controls against rising security threats, which forms the baseline for planning the cybersecurity ROI.
These tools help assess and generate detailed reports on the performance of security controls and procedures, as well as on duplicate tools and security gaps in the infrastructure. These reports help the top executives understand cybersecurity expenditures and the target areas where the present expenditure can be controlled or reduced. As security validation is an ongoing process, security validation tools help to track the overall performance of the security controls, making it a lot easier to boost the cybersecurity ROI.
Threat Intelligence: There are various threat vectors including but not limited to credential theft, nation-state attacks, phishing, and social engineering. These vectors can operate at various levels at different times. Regular access to threat intelligence, and visibility into it, helps businesses understand the crucial or regular threats and prioritize the controls to proactively manage those threats.
Organization Goals: Every business requires clear strategic goals that indicate short-term and long-term milestones and guide the whole organization. Every business must regularly assess these goals — it helps track current progress and guides the ongoing efforts to detect and block threats. As a result, it assists in improving in-place controls and processes, boosting the infrastructure.
With these guidelines in place, businesses will be able to adapt their budgets based on the organization’s current cybersecurity needs and in-place posture. It will help them make strategic budget cuts without compromising their security infrastructure. And though CISOs worry about cybersecurity budget cuts and their potential impact on their organization’s security posture, they must understand that overspending does not necessarily guarantee better cybersecurity.
“According to the Cybersecurity Market Report from Cybersecurity Ventures (via Cybercrime Magazine), worldwide spending on cybersecurity is predicted to top $1 trillion in 2021, which is great news for security vendors, but as spending on security grows, the number of successful breaches is also likely to grow, which is not great news for businesses,” wrote Forbes Business Development Council.
Cybersecurity does not need a bottomless budget in the hope of achieving bulletproof protection. If a business requires such budgets, it is potentially making assumptions about the effectiveness of its cybersecurity posture. That is why cyberattacks have been rising for years: businesses are too confident of their cybersecurity controls without proper evidence. The solution is to follow the guidelines with a focus on security validation, as it helps to assess and review the performance of security controls and provides evidence-based reports.
These measures and tools will help businesses make the right decisions and choose the most effective cybersecurity solutions. The results from security validation and threat intelligence tools will help prioritize their cybersecurity investments, thus improving their cost-effectiveness. Furthermore, teams and tools must be assessed for cost optimization. If there is potential for boosting the effectiveness of security teams, processes, or tools, businesses must invest accordingly to maximize the cybersecurity ROI.