How To Spend Smarter On Cybersecurity For Better Security RoI
Spending smarter on security for better RoI
*This is a sponsored feature by Accenture.
Are your cybersecurity spends delivering optimal RoI? Here’s the lay of the land when it comes to the threat landscape today and here’s how a right-spending strategy with outcome-based analysis can help your organisation optimise investments rather than simply spray-and-pray.
The Matrix movie trilogy does a great job of metaphorically depicting the world of cybersecurity using the phenomenon of equilibrium―a parallel evolution of good and evil. From powers that initially work only within the matrix, by the third part, the protagonist Neo can use his powers outside the matrix. Similarly, the antagonist Smith, whose powers are also confined to the matrix initially, is able to infect people outside the matrix to the extent that he can infect an entire city.
In cybersecurity too, while there has been an evolution of technology, processes and law enforcement readiness on one hand, there also has been a corresponding evolution in cyber criminals who are often a step ahead. Besides coming up with innovative vectors of attack (such as WannaCry and Petya), cyber criminals have been employing sophisticated business models (criminal marketplaces, ransomware-as-a-service, DDoS for hire, etc.) to generate revenues, keep attack costs low, and improve the effectiveness of attacks.
A wiser spending approach needed
How do Indian organisations respond to these threats? Simply throwing more money at the problem may not be a prudent strategy. According to data published by Statista.com, IT security spending in India is estimated to grow to $1.7 billion in 2018, up from $1.02 billion in 2014. According to Gartner, worldwide security spend is expected to touch $96 billion in 2018―up by 8 percent from $89 billion spent in 2017.
With cyber crime becoming an organised global menace, its growth may be irreversible, at least in the medium-term. According to the 2017 Cost of Cyber Crime study by Accenture and Ponemon Institute, while the cost of cybersecurity increases by about 22 percent percent annually―indicating the rise in cybersecurity spends by organisations―the net increase in average annual number of security breaches has been 27.4 percent, indicating again that cyber criminals are a step ahead.
Whatever vulnerabilities organisations try to plug with larger investments in security solutions, cyber criminals will identify and exploit new ones, thus throwing up fresh security challenges. A new, right-spending approach is the need of the hour for organisations to optimally utilise available resources without compromising on precautionary spends.
Spending trends: Down to the brass tacks
Accenture-Ponemon’s 2017 Cost Of Cyber Crime Study analysed spend on various security technologies by 254 companies from across the world. Some interesting insights:
l Financial services companies incurred the highest average cybercrime cost of $18.28 million, followed by utilities and energy ($17.20 million), aerospace and defence ($14.46 million), and technology and software ($13.17 million).
l The study observed the relationship between the cost of cyber crime and maturity stage of an organisation’s cybersecurity program to be non-linear. Organisations in the middle stage experienced the highest total cost at US$13.87 million. (See chart: Total cost by program maturity stage)
l Typically, resolution of malicious code attacks took longer (55.2 days) and as a result, was costlier. From this perspective, other costly threats included malicious insiders (50 days), ransomware (23.1 days), and Web-based attacks (22.4 days).
l Since a higher frequency of attacks resulted in cost of damage from cyber crime shooting up, the most expensive attacks were malicious insiders ($173,516), DoS ($129,450), and malicious code ($112,419). Two other expensive threats were phishing and social engineering ($105,900) and ransomware ($88,496).
l The picture, however, was different for small companies. For them, the costs related to malware, Web-based attacks, stolen devices, and phishing and social engineering attacks were higher.
Cost optimisation: A few hints
So, there is definitely a need to prioritise cybersecurity spending to achieve optimal utilisation of resources without compromising on security. To help companies prioritise their security investments suitably, here are nine enabling security technology categories presenting outcome-based observations for each. (See chart: Cost savings when deploying enabling technologies). For instance, companies investing in security intelligence systems could save $2.8 million on average.
At the same time, organisations implementing advanced identity and access governance tools witnessed average cost savings worth $2.4 million. Although not widely used by organisations, even technologies such as automation and machine learning delivered $2.4 million in average cost savings. Clearly, while not being driven by FUD-factor―which in most cases is fed and nourished by the security vendor community and media hype―a smarter move for CISOs and CIOs would be to prioritise their security investments after a realistic cost-benefit analysis with the help of a reputed partner with deep expertise in cybersecurity.
To Know More About Accenture