A basic but troublesome aspect of cybersecurity is determining how to defend against today’s barrage of threats. As attack surfaces grow, perimeters disappear, and cybercriminals become savvier, it’s increasingly difficult to determine how and where to focus security attention—and dollars.
“Measuring ROI in the cybersecurity arena is difficult because the main goal is to avoid a breach. Beyond this metric, it’s extremely difficult to measure success,” stated Paul Calatayud, chief security officer, Americas, for Palo Alto Networks. Added Kevin Richards, managing director and North America lead for Cybersecurity at Accenture: “Cybersecurity investments must focus on aligning strategies and protections with real-world risks.”
How can executives transform cybersecurity spending into maximum return on investment? How can they ensure that the chosen solutions provide the best possible protection? While there are no simple answers, it’s clear that the right framework can greatly reduce risk while ensuring that dollars are put to maximum use.
The goal for any organization is to achieve the best possible protection at the best possible cost. “More money and more investments don’t necessarily translate into better protection,” observed Drew Morefield, head of the North American Cybersecurity Practice at consulting firm Capgemini. Yet, at the same time, he said, many organizations under-invest in cybersecurity. “They lack the tools to combat threats on a consistent basis.”
Here are five steps your organization can take to increase the odds for success:
1. Assess your data. Not all data is equal. Applying a blunt-force approach always results in overspending—with no guarantee that critical data is any better protected. A starting point for navigating cybersecurity investments is to understand the value of data and the risk tolerance of the enterprise. This helps determine the type of controls an organization requires, including things such as role-based authorizations, authentication methods, and encryption.
“Increasing both the relevancy and the effectiveness of cyber-specific investments has everything to do with data discovery and data classification,” stated Morefield. “Taking a reverse-engineered approach from the data outward to the network, systems, and specific controls and solutions is an efficient way to approach the challenge.” In a best-case scenario, he added, the resulting information can lead to dramatic improvements in compliance and data-governance strategies—and bring about gains in the software-development lifecycle.
2. Analyze your security environment. Many organizations remain mired in a legacy approach to cybersecurity. Simply put, they focus on tools such as firewalls, malware protection, and data-loss prevention (DLP). However, according to Accenture and Ponemon Institute’s 2017 Cost of Cyber Crime Study, a huge mismatch exists. For example, the study found that the biggest security investments for organizations revolved around perimeter controls, such as next-generation firewalls. Yet in terms of what actually was most effective for stopping cybercrime, that approach ranked number five.
“It represented the biggest expenditure but landed in the middle of the pack in terms of results,” Richards explained. The biggest ROI was related to security-intelligence systems, automation and orchestration, and machine learning. Cyber-analytics and behavioral analytics also ranked high. The takeaway, Richards said, is that leaders must rethink priorities and better understand what delivers protection and ROI. “Some of the things people think are important really aren’t. The cybersecurity environment has changed.”
3. Build appropriate controls and protections. The perimeter is long gone, and clouds, IoT, and other systems have changed the boundaries and rules, Palo Alto Networks’ Calatayud said. Signature-based cybersecurity tools that rely on blacklists and whitelists are increasingly ineffective. However, “Once a business has assessed and analyzed the environment—and introduced appropriate metrics—it’s possible to align a cyber-security framework with the appropriate level of risk.” At the same time, metrics and alignment can help achieve buy-in from the C-suite and other key business and IT leaders. Key metrics include how a company compares with competitors and the overall industry. “There is no such thing as perfect security, but it is possible to be better defended than others,” Calatayud explained. That’s important because attackers often look for soft targets.
Key focus areas include data governance, roles, authentication, and encryption, along with more robust controls that slide the dial toward “prevention and remediation,” Morefield explained. This framework might encompass behavioral-analytics tools that watch for unusual user or network behavior (including spotting insider threats), and machine learning to better orchestrate and automate various tools and controls. It might also tap more advanced biometrics and better application security. The latter is particularly important, Richards said. By reducing coding flaws, it’s possible to dramatically decrease potential breaches.
4. Don’t neglect the basics. One of the least expensive ways to maximize security and minimize costs is to focus on basic blocking and tackling, which far too many organizations neglect. For example, “Patching and configuration management are nothing new, and they are constantly discussed in context with cybersecurity. Yet many organizations continue to fall short,” Richards said. Another relatively inexpensive way to ratchet up protection is through multifactor authentication, which is also underused. “Many breaches are completely avoidable by introducing another layer or two of authentication and approval,” Morefield pointed out.
Penetration testing and pressure testing are also valuable tools that don’t break the bank. Yet another critical area involves training—particularly about good data-handling practices and avoiding social-engineering techniques. “Training doesn’t have to be terribly expensive, and it is very effective at reducing cybersecurity problems,” Morefield added. In fact, he said that organizations can often save hundreds of thousands of dollars or more by eschewing technology in favor of an insider-threat-management program and other training.
5. Recognize the business benefits. Although it might not be possible to measure direct ROI for every aspect of cybersecurity, this doesn’t mean that ROI doesn’t exist. “You might not see the traditional return you achieve in other parts of the business, but cybersecurity is an investment in organizational quality and operational efficiency,” Richards pointed out.
Areas such as application security are particularly important because customers, partners, and others make decisions based on the image of a company. Apps that crash or infect systems can tarnish a company’s brand and result in lost sales, as well as possible fines or lawsuits. Said Morefield: “There’s no business benefit if you beat a launch date by three days but deliver code that isn’t secure.” Best-practice organizations understand that security is ultimately a competitive advantage and a differentiator. What’s more, this approach establishes a security framework that supports DevOps and agile methods, which often lead to innovation and generate revenues.
The end goal for any organization is to optimize investments through a combination of people, processes, and technology, Morefield concluded. “When you have sound metrics in place, along with the right framework for data classification and governance, choosing the right protection methods, controls, and technologies becomes a lot easier.” While there is no way to ensure that systems are bulletproof, it is possible to ensure that an organization’s “risk posture is in line with its level of risk tolerance,” and that it has the best possible security protection without breaking the bank.