How to invest wisely in cybersecurity
By Yasar Yüzer, Director, Cybersecurity, Mastercard Advisors
Massive cybersecurity breaches seem to grab the headlines daily. Many organizations have invested in the tools and policies to prevent cyberattacks; the average company deploys 47 security tools to protect its IT systems.1 But cyber criminals are exploiting organizational silos, remote workers, the supply chain, and national borders to undermine the safety and security of critical systems.
They’re proving to be especially adept at breaking through cracked or exposed credentials, which account for 99% of losses.2 Criminals are largely able to penetrate our defenses by exploiting a network of digital connections—between businesses, governments and people. And behind every digital connection is a human connection, each responsible for the security of data, the safety of an email, the authenticity of information and the accuracy of a transaction.3 Amid the current pandemic, the number of records exposed in data breaches in 2020 more than doubled compared to the previous year.4
Organizations of every size and industry are investing in protecting themselves from cyberattacks, which requires more than simply throwing technology at the problem.
What information do security executives need to make informed investment decisions?
Understand the true cost of cybersecurity. Most cybersecurity costs are actually hidden in IT infrastructure budgets, such as network segmentation, data protection, and endpoint protection technologies. Further, functions not expected as cybersecurity investments may have a sizable impact: Imagine human resources or training departments spending time planning security awareness trainings and the time it takes for each employee to complete those trainings. Finally, while investments in cybersecurity may seem substantial, the long-term damage of a data breach to a company’s reputation and relationships with customers can be far more devastating.
1. Assess your cybersecurity capabilities and control mechanisms. To be effective, cybersecurity investments depend on the people and processes that manage them. Also, not every cybersecurity issue can be addressed by software. Industry standards, such as ISO 27001, the NIST Cybersecurity Framework, and the CIS Controls, can help organizations assess their overall cybersecurity posture. For many organizations, the expertise, disciplined methodology, resources, and objectivity of an external partner can help ensure a more accurate assessment, with greater probability of successful implementation, while actually reducing expenditure and effort.
2. To know your enemy, you must become your enemy. Building solutions that look at security gaps from a hacker's point of view can help identify hidden threats and mitigate cyber risk. Knowing which assets in the organization are most valuable will also help identify what the enemy is after. Equally important is understanding all the access points into the organization, both internal and external, including third-party partners and vendors. As in real life, one must first prioritize closing gaps in the controls that protect the most valuable assets with the greatest risks. Involving business owners in defining these critical assets will help them understand the risks better. It will also lead to a more precise definition of requirements and ensure alignment and open communication between cybersecurity and business functions.
3. Build a solid cybersecurity strategy and plan. Once initial assessments are complete, a solid strategy and plan will enable the organization to proactively manage and minimize cybersecurity threats. This plan should:
- Span multiple years, while monitoring the threat landscape to adapt the strategy to changing conditions
- Map business priorities and the severity of the risks to the policies, procedures, and tools selected for the plan to meet its objectives
- Include a detailed description and expected outcomes for each initiative
- Set quantifiable key success factors for each defined milestone, both from technical and business-outcomes perspectives
- Be communicated to executive management and actively engage all stakeholders to ensure alignment and buy-in
4. Define a realistic budget. To build an ecosystem where every digital connection becomes a trusted one requires a holistic approach to cybersecurity that addresses challenges from within an organization and from outside. It requires not only IT investments, but behavioral changes, new ways of thinking and working, and training. Since every project will require additional personnel and processes to operate once completed, the budget should also include transition costs and the ongoing operational expenses that continue after the project is delivered.
Like every business investment, cybersecurity expenditures should have a quantifiable return on investment. A cost-benefit analysis can reveal whether the expected reduction in breach losses from a control exceeds what the control costs; the average cost of a single data breach in 2020 was $3.86 million.5 But the potential harm to an organization can be much greater than that average, and its effects may be felt for months or years.
Calculating the potential cost of breaches only by the value of the compromised asset does not account for such factors as loss of reputation, loss of existing and new business, loss of revenues, regulatory fines, stock price fluctuations, and cost of recovery.
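As an added worked example (not from the article or from Mastercard Advisors), the cost-benefit reasoning above expressed with the standard annualized loss expectancy (ALE) and return on security investment (ROSI) formulas. Every dollar figure, incident rate, control name and effectiveness percentage below is a constructed assumption for illustration, not data from the reports the article cites. The example also shows the point made in the preceding paragraph: pricing a breach only by the compromised asset's value makes a control that is clearly worthwhile look like a net loss.

```python
"""Annualized loss expectancy (ALE) and return on security investment (ROSI).

Standard formulas used here:
    SLE  = single-loss expectancy (cost of one breach, all components)
    ARO  = annualized rate of occurrence (expected breaches per year)
    ALE  = SLE * ARO
    ROSI = (ALE_before - ALE_after - annual_control_cost) / annual_control_cost

All numbers in SAMPLE_* below are constructed illustrations, not survey data.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class BreachImpact:
    """Single-loss expectancy broken into the cost components the article lists."""
    asset_value: float            # value of the compromised asset itself
    recovery_cost: float = 0.0    # forensics, rebuild, notification, legal
    regulatory_fines: float = 0.0
    lost_revenue: float = 0.0     # churned customers and unwon new business
    reputation_cost: float = 0.0  # brand damage, share-price impact

    def sle(self) -> float:
        return (self.asset_value + self.recovery_cost + self.regulatory_fines
                + self.lost_revenue + self.reputation_cost)


@dataclass
class Control:
    """A candidate investment with both project and run costs (point 4 above)."""
    name: str
    capex: float           # one-time project cost
    annual_opex: float     # staff, licences and operations after go-live
    aro_reduction: float   # fraction of incidents the control is assumed to prevent (0..1)
    years: int = 3         # planning horizon over which capex is amortized

    def annual_cost(self) -> float:
        return self.capex / self.years + self.annual_opex


def ale(impact: BreachImpact, aro: float) -> float:
    return impact.sle() * aro


def rosi(impact: BreachImpact, aro: float, control: Control) -> float:
    """Return on security investment; negative means the control costs more than it saves."""
    if not 0.0 <= control.aro_reduction <= 1.0:
        raise ValueError(f"{control.name}: aro_reduction must be in [0, 1]")
    before = ale(impact, aro)
    after = ale(impact, aro * (1.0 - control.aro_reduction))
    cost = control.annual_cost()
    return (before - after - cost) / cost


def rank_controls(impact: BreachImpact, aro: float, controls: List[Control]) -> List[Control]:
    """Controls ordered by ROSI, best first, for prioritizing the budget."""
    return sorted(controls, key=lambda c: rosi(impact, aro, c), reverse=True)


# Constructed sample inputs (hypothetical organization, hypothetical controls).
SAMPLE_IMPACT = BreachImpact(asset_value=500_000, recovery_cost=900_000,
                             regulatory_fines=600_000, lost_revenue=800_000,
                             reputation_cost=400_000)
# The same breach priced only by the asset's value, as the article warns against.
ASSET_ONLY_IMPACT = BreachImpact(asset_value=500_000)
SAMPLE_ARO = 0.25  # one breach expected every four years
SAMPLE_CONTROLS = [
    Control("MFA rollout", capex=150_000, annual_opex=60_000, aro_reduction=0.60),
    Control("EDR platform", capex=300_000, annual_opex=250_000, aro_reduction=0.30),
    Control("Awareness training", capex=20_000, annual_opex=40_000, aro_reduction=0.15),
]


def main() -> None:
    print(f"Full SLE: ${SAMPLE_IMPACT.sle():,.0f}   ALE: ${ale(SAMPLE_IMPACT, SAMPLE_ARO):,.0f}")
    for c in rank_controls(SAMPLE_IMPACT, SAMPLE_ARO, SAMPLE_CONTROLS):
        full = rosi(SAMPLE_IMPACT, SAMPLE_ARO, c)
        asset_only = rosi(ASSET_ONLY_IMPACT, SAMPLE_ARO, c)
        print(f"{c.name:20s} annual cost ${c.annual_cost():>9,.0f}  "
              f"ROSI (full) {full:+.2f}  ROSI (asset value only) {asset_only:+.2f}")


if __name__ == "__main__":
    main()
```

With these assumed numbers, pricing the breach only by asset value gives the MFA rollout a negative ROSI, while including fines, recovery and lost business ranks it first; the ranking, not the absolute figures, is what the exercise is for, and the effectiveness fractions are the assumption a reviewer should challenge hardest.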
As organizations digitize nearly every aspect of their businesses, cybersecurity risks will grow and change simultaneously. Investing in cybersecurity isn’t limited to threat detection and isn't a one-time decision. Success requires a review at least annually, stress testing to ensure effectiveness of incident response, continuous monitoring of the threat landscape, and ongoing training. The best time to start is now.
2 Information Risk Insights Study (IRIS) Tsunami, "Following the wake of damage from major multi-party cyber incidents." RiskRecon, Mastercard, Interors, Cyber GRX.
3 Mastercard report, Cyber's Human Condition, 2020.
4 Risk Based Security, 2020 Year End Data Breach QuickView Report, 2021.
5 Ponemon Institute, sponsored by IBM, Cost of a Data Breach Report 2020.