Getting A Return On Cybersecurity Investment

Uploaded on 2024-10-26 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Financial

How do you measure what you cannot see? This is the conundrum facing countless businesses as they grapple with the current cybersecurity landscape.

Too often the real value of a cybersecurity tool isn’t realised until a business becomes the victim of a data leak or breach. A successful cyberattack is also the moment when many businesses finally realise that their cybersecurity solutions aren’t up to par, or that they’re lacking focus in a specific area. 

This retroactive approach to cybersecurity is extremely damaging to businesses, so much so that it has prompted the UK government to consider mandating specific cybersecurity objectives for private companies to keep their data and employees safe. Those mandates are yet to materialise, but in 2024 the government did progress its Cyber Governance Code of Practice to help business boards shore up their cyber resilience. Similar efforts are being seen internationally. In the European Union (EU), the updated NIS2 Directive now imposes stricter cybersecurity requirements across industries, requiring companies to report incidents and implement measures to mitigate risks. Meanwhile, the US Securities and Exchange Commission (SEC) has introduced rules obligating publicly traded companies to disclose incidents in a bid to enhance transparency and accountability.

The problem businesses are facing is twofold: How do you select and measure the return on investment of cybersecurity tools, and how do you get buy-in at every level of the business to ensure that cybersecurity is more than just an afterthought? 

The cybersecurity marketplace is a confusing area for businesses. There are more than 5.5 million businesses in the UK, and around 99% of those businesses are classed as SMEs. Among those SMEs, 90% are “microbusinesses” or sole traders. While small businesses and start-ups might have the drive, ambition and agility to move quickly and respond to market demands, they almost always lack the knowledge and experience to effectively implement cybersecurity solutions that align with their objectives.  

In a 2024 survey, Zivver asked 250 security decision makers about their primary security challenges. Nearly half (47%) said they found it difficult to keep up with data security technologies, more than one-third (39%) cited regulation and compliance as a key concern, and 36% said they were concerned about a lack of security awareness and understanding among employees.

This is troubling, particularly when you consider the sheer number of applications, end-points, and distributed workers that businesses now typically deal with.

According to one report, more than 50% of employees have seen the number of collaboration tools in their company increase in the last two years – that opens the door to a lot of potential threat vectors, particularly where outbound threats such as data leaks and human error are concerned. 

Outbound Versus Inbound Threats

Measuring the return on investment for cybersecurity tools is complex, but at least where inbound threats are concerned – external threats where businesses are targeted or impacted – there are some useful KPIs that can be tracked. For instance, a business with integrated cybersecurity might be able to track how many threats were identified on their network in a given period of time and infer the effectiveness of their tools. There will still be challenges associated with communicating or “proving” these benefits to leaders in the boardroom, but it is easier to build a persuasive case. 

That case is more difficult to make when it comes to measures closely associated with stopping outbound threats. Outbound threats refer to instances where sensitive data leaves the business in an unauthorised fashion. Sometimes this is purposeful, such as a disgruntled employee stealing or leaking data, but more often it’s accidental – an erroneously sent email, a laptop left unguarded, or a phishing scam orchestrated by a third party that tricks an employee into revealing sensitive information.

To mitigate outbound threats, businesses need to consider things like employee awareness training, blocking untrusted domains, and intelligently filtering emails. It’s often much harder to gauge the efficacy of these measures, and too often businesses blame the human workers involved rather than the systems or cultures within the business. 

Humans Are Both The Strongest & Weakest Link

Humans are really the last line of defence for an organisation. They can be easily scapegoated as a weak link, but with the right tools and training in place they can easily be turned into the strongest link in an organisation’s defensive chain.

Bridging the gap between users and technology,  is the real key to unlocking cybersecurity returns. 

Take emails as a specific example. 80% of data leaks are caused by employee behaviour, where sensitive data is leaked, lost, or shared with unauthorised individuals. What’s more, two-thirds of organisations impacted by email-based data loss have to cease operations to mitigate the risk and remediate the threat. Organisations can train employees to spot phishing emails and put guidelines in place to ensure that data is only shared between authorised parties, but it’s almost impossible to gauge the ROI of these measures because their influence is qualitative rather than quantitative. But if that same organisation were to add a form of technology into the mix, such as automatic encryption or machine-learning algorithms that can detect sensitive content or attachments and provide a warning before emails are sent, the return on investment becomes clearer. This human-technology bridge can offer metrics such as how many emails are being sent with encrypted information, where potential breaches may be about to occur, and how compliant the company’s email protocols are with its overall security posture. 

This technology can empower humans to become one of the strongest links in the defensive chain, and part of this empowerment is gaining visibility into key metrics so that the efficacy of their cybersecurity strategy can be more accurately measured.

Cybersecurity Isn’t A box Ticking Exercise, It’s A Culture

A big part of measuring the ROI of preventative cybersecurity is getting buy-in from leadership and the vendors themselves. Frank mentions the need for daily maintenance and validation to ensure that a solution is performing as promised and is still up to par. By asking vendors whether they are compliant with ISO 27001 (an international standard that outlines requirements for information security management), Frank argues that businesses are practically 80% there when it comes to selecting a suitable vendor. 

Another key factor is business culture. Too many businesses have a culture that punishes staff for clicking on a fraudulent link or falling victim to a phishing scam. Far from being productive, this only makes it less likely that staff will come forward when a mistake is made, leaving more time for damage to occur and less time for incident management and control. No amount of technology will fix this; it’s vital that businesses create a pro-people culture when it comes to cybersecurity if they are to see any kind of return on their cybersecurity investments.

Organisations should create a baseline of transparency and trust, where employees feel safe in putting their hands up when they’ve made a mistake before they consider investing in supplementary tools to keep their data safe. 

Treating employees as a “risk that needs to be mitigated” is old-hat thinking. Employees shouldn’t be blocked from accessing key information or working efficiently under the guise of “good” security. Instead, IT leaders should pivot toward cybersecurity solutions that can keep data safe without disrupting workflows, monitoring the flow of information and ensuring those that need access have access. 

Viewing employees as a "risk that needs to be mitigated" is an outdated approach and can sometimes be more harmful to organisations.

Employees shouldn’t be restricted from accessing key information or working efficiently under the guise of "good" security. Instead, IT leaders should adopt a right-sized approach to security, tailoring protections based on the specific needs and risks associated with each employee's role.

Moving away from ‘one-size-fits-all’ methodology will ensure that data remains secure without disrupting workflows. By monitoring the flow of information and ensuring that only those who need access have it, organisations can balance robust security with operational efficiency.

Frank Horenberg is Head of IT at Zivver and and Simon Newman is a  Co-Founder of Cyber London

Image:  

You Might Also Read: 

Too Many Tools - Cybersecurity Professionals Feel Out Of Control:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Dark Data Helps Boost Business
Teach Your Children About Safer Cyber Security »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

DriveLock

DriveLock

Our security solution is designed to prevent external attacks, which are evermore sophisticated as well as monitor, document and even prevent internal incidents.

CloudSigma

CloudSigma

CloudSigma, a pure-cloud IaaS provider offers flexible and innovative cloud hosting solutions for companies of all sizes both in Europe and the US.

Exostar

Exostar

Exostar is the cloud platform of choice for secure enterprise and supply chain collaboration solutions and identity and access management expertise.

CyberArrow

CyberArrow

CyberArrow (formerly EBDAA) is a consultancy company providing high quality consultancy services in Risk & Compliance and Awareness & Education.

RIGCERT

RIGCERT

RIGCERT provides training, audit and certification services for multiple fields including Information Security.

CyberProof

CyberProof

CyberProof aims to give clarity and confidence to businesses worldwide using a new risk-based approach to cyber security services.

Nordic Cyber Summit

Nordic Cyber Summit

Nordic Cyber Security Summit addresses a wide range of technological issues from the IT Security spectrum and also provides a wider perspective from all aspects of the industry.

Blu Venture Investors (BVI)

Blu Venture Investors (BVI)

Blu Venture Investors is a venture capital firm that supports early stage companies with a focus on technology in diverse domains including cybersecurity, IoT, defense and homeland security.

Dell Technologies Capital

Dell Technologies Capital

At Dell Technologies Capital we lead investment in disruptive, early-stage startups in enterprise and cloud infrastructure.

Semmle

Semmle

Semmle's code analysis platform helps teams find zero-days and automate variant analysis. Secure your code with continuous security analysis and automated code review.

Panther Labs

Panther Labs

Panther’s mission is to make security monitoring fast, flexible and scalable for all security teams.

Advantage

Advantage

Advantage exists to provide peace of mind in an evolving technology reliant world. We were created by visionaries who for nearly 4-decades have been passionate about providing world-class solutions.

Debevoise & Plimpton

Debevoise & Plimpton

Debevoise & Plimpton LLP is a premier law firm with market-leading practices in areas including Data Strategy & Security.

RSK Cyber Security

RSK Cyber Security

RSK Cyber Security are a leading cyber security services company that uses services, consulting, and product knowledge to lower security risk across the board.

Hakai Security

Hakai Security

Hakai is a consulting firm specializing in information security that offers customized services and products to meet the needs and goals of each business.

CyberRey

CyberRey

CyberRey is a leading distributor of comprehensive cybersecurity solutions, empowering organizations of all sizes to thrive in the digital age.