September 18, 2019
For many directors and business executives, cybersecurity spending has long been a mystery. Understanding where to invest, how much to invest and, most importantly, the return on that investment has been largely a guessing game. It is also how cybersecurity has earned the reputation of being a “black hole of spending”—chief information security officers (CISOs) continuously request more budget to keep pace with the constantly changing threat landscape, but there is little clarity around how that budget actually delivers value to a company.
If cybersecurity is a black hole, then it is also expanding rapidly while devouring ever-more money. Gartner projects that spending on cybersecurity products and services will hit $124 billion in 2019, an 8.7 percent year-over-year increase. This dwarfs Gartner’s projected 1.1 percent increase in overall IT spending for 2019.
Much of cybersecurity spending has been on technologies built to identify and mitigate risks—and the tech industry has eagerly fueled this phenomenon: for every new threat, there’s a new technology to deploy and manage. This has created a cost and complexity problem in many enterprises. Organizations have deployed so many technologies to keep up with cyber risks that they struggle to manage it all, which, ironically, can leave companies open to attack when systems are not configured and supervised properly.
So today, we see a situation in which all of this spending on cybersecurity technology has neither curbed the data breach epidemic nor reduced enterprise cyber risk, while executive leadership and boards struggle to understand how cybersecurity investments translate into tangible business benefits.
This situation must change. Organizational competency in cybersecurity impacts everything from customer trust, to competitive position, to implementing innovation and increasing earnings per share. The good news is, it is possible to manage cybersecurity like other business functions. It’s possible to quantify cybersecurity risk, and to understand the investment required to mitigate that risk. And, it’s possible to deliver the financial data required for company leadership to treat cybersecurity for what it is: a potential business driver.
The key to all of this is for companies to move away from their technology-centric approach to cybersecurity, and instead adopt a risk-centric approach. Instead of trying to combat every conceivable attack with technology, C-suite executives and boards should develop an enterprise cyber-risk model that identifies and prioritizes what most needs to be protected, from whom it needs to be protected, and what controls are necessary to deliver that protection.
Once that risk model has been established, organizations can make logical financial decisions around specific assets, focused on four dimensions:
With this type of return-on-control information, CISOs should be able to secure budgets and staffing when meeting with executives and board members. More importantly, with an economic framework around cybersecurity, executives can begin managing it as they do other business disciplines such as sales, marketing, and product development. Investment decisions can be made based on risk analysis rather than best guesses, and cyber risk will become a measurable quantity that can be reported to investors and the marketplace. When that happens, markets will reward the organizations that manage cyber risk most effectively and transparently.
Paul Lehman is chief information officer at Optiv.