web analytics

Companies Should Implement ROI-Driven Cybersecurity Budgets, Expert Says – Source: www.techrepublic.com

companies-should-implement-roi-driven-cybersecurity-budgets,-expert-says-–-source:-wwwtechrepublic.com
Rate this post

Source: www.techrepublic.com – Author: Ray Fernandez

Money and the words Cyber Security.
Image: Dzmitry/Adobe Stock

Cybersecurity budgets are up after enduring budget cuts and economic uncertainties, Forrester’s recent report reveals. Still, companies are struggling to combat cybersecurity threats and keep their companies safe.

Scale’s Cybersecurity Perspectives 2023 report reveals that most businesses (71%) are experiencing three or more security incidents, a 51% increase compared to 2022. Security teams struggle with talent gaps, are overwhelmed by alerts, and can’t find the right tools, despite security budgets increasing by 20% on average in large enterprises and 5% in mid-sized enterprises.

The problem seems to be insufficient funding, but for Ira Winkler, chief information security officer at CYE Security, it boils down to how cybersecurity budgets are determined and assigned. CYE is a SaaS platform and offers expert consulting for security leaders to maximize cybersecurity strategies and investments.

On July 20, I attended the Northeast Virtual Cybersecurity Summit to gain insights into new methods that can be used to successfully change the way cybersecurity budgets are allocated.

Jump to:

Shifting outdated mindsets to business-driven models

At the summit, Winkler explained that the cybersecurity industry has shifted from protecting software and hardware under an information resources management approach to protecting the information that moves through systems with the emergence of chief information security officers. However, companies still allocate cybersecurity budgets with an outdated mindset.

Cybersecurity economics, cybersecurity valuations and risk-approach models are emerging fields that can quantify risks, countermeasures and return on investment to maximize system security and minimize losses. However, they are poorly understood and not applied.

  • Cybersecurity economics is the study of the economic costs and benefits of cybersecurity. It aims to understand how organizations can make optimal investment decisions in cybersecurity given the risks they face.
  • Cybersecurity valuations are the methods used to estimate the value of cybersecurity assets, which might include data, systems and networks.
  • Risk-approach models are used to evaluate a threat’s risks and their consequences. Different factors are considered in risk modeling, including the likelihood of a cyberattack, the potential impact of a cyberattack and the cost of mitigating the risks.

“What does a ransomware incident cost?” Winkler asked attendees. “Most people don’t really know. And more importantly, in cybersecurity, we don’t know how much a non-incident costs us. We don’t track how well we stop things at all, for the most part. And that’s a fundamental lack of business discipline and business thought processes.”

Winkler explained that this lack of a business approach is unique to cybersecurity departments. Other areas, such as finance and accounting, supply chains and operations and manufacturing, do not allocate budgets arbitrarily. For example, modern factories usually have a full understanding of what a specific downtime costs and what the value is when the factory is up and running.

In a data-driven era, cybersecurity teams must have insight into outages, incidents and any other factor that affects performance and the company’s bottom line. With this information, executives can make data-driven decisions on budgets based on economic impact, risks and losses versus ROI and gains.

Getting buy-in from executives and boards

It’s no secret that one of the biggest challenges CISOs and other security leaders face is getting buy-in from boards and executives. Additionally, security teams face increased pressure from boards as their roles and responsibilities expand.

In the latest ClubCISO Report 2023, 62% of CISOs surveyed listed leadership endorsement as the most critical factor in fostering a better security culture. Despite increased alignment between security teams, executives and boards, 20% of those surveyed still say that the lack of buy-in and support impacts their companies’ security.

“Unfortunately, in cybersecurity, we have people who don’t know how to discuss budgets with management,” Winkler said.

According to Winkler, as long as security leaders do not take more scientific and business approaches to budgeting, they will always receive random allocations and get unwanted results. When pitching executives for buy-in, security leaders must be well informed on acceptable risk levels, how effective their countermeasures are and what the top vulnerabilities cost them.

Winkler said that only budgets that minimize risks and potential losses should be presented to management. When a board or an executive suggests cutting a budget, the security team must know how much that cut will cost the company. This method presents better information to executives, allowing them to make better decisions, and helps get buy-in. It also relieves security leaders of responsibilities as they inform company management about the risks before they happen.

“Knowing how to present cybersecurity programs in business terms is the most effective way to get the budget you need,” Winkler told the audience of security experts.

Privacy breaches; compliance issues; U.S., EU and international laws; insurance costs; fines; and outages driven by natural disasters should also be incorporated into security programs, according to Winkler.

ROI-driven cybersecurity budgets

Cyber-risk quantification is not a new concept, but risk-approach models are still in their infancy. While organizations like Gartner report on its increased adoption and top vendors like Bitsight, SecurityScorecard, Corax, UpGuard and Squalify offer it, implementing it all can be overwhelming.

Winkler assured that risk-approach models should not be overcomplicated. “This is the only diagram I have in my company,” Winkler said (Figure A).

Figure A

Ira Winkler's risk-approach cybersecurity model. Image: Ira Winkler’s presentation at the Northeast Virtual Security Summit.
Ira Winkler’s risk-approach cybersecurity model. Image: Ira Winkler’s presentation at the Northeast Virtual Security Summit.

The red line in the graph represents a company’s vulnerabilities, and everything under the red line represents potential losses. When a company starts risk-modeling without countermeasures, vulnerabilities and potential losses are at their maximum; as countermeasures are implemented and increased, potential losses begin to go down. However, Winkler explained that there is a catch.

When managing risks, most people think a company should add as many countermeasures as possible to reach a minimum value of vulnerabilities and reduce potential losses to zero. However, that is not the case because the cost of implementing the required countermeasures to bring vulnerabilities to a minimum is usually exponentially higher than the cost of vulnerabilities.

A company does not want to see the cost of its countermeasures higher than the cost of its losses and also not equal to them. Achieving the right balance can be challenging.

“What you want to do is figure out what I call the risk optimization point,” Winkler explained. “And that’s where essentially you figure out the potential loss you’re willing to accept and then what countermeasures are theoretically going to get you there.” The concept is much like long-term investments.

The challenge for security teams and executives alike is to accept that no matter what they do, they will always face potential losses and risks. Additionally, a company-wide culture that has been assigning cybersecurity budgets for decades by simply adding a 5% to 20% increase to the budget of the previous year must be changed.

Allocating “an arbitrary budget gives you arbitrary results,” Winkler said. He urged security experts at the event to map threat sources, assets, vulnerabilities and potential losses to understand their exposure. The cybersecurity expert also presented a risk equation to explain how companies can quantify factors, highlighting the disruptive power of AI and machine learning to drive these mathematical calculations (Figure B).

Figure B

Ira Winkler's risk equation. Image: Ira Winkler’s presentation at the Northeast Virtual Security Summit.
Ira Winkler’s risk equation. Image: Ira Winkler’s presentation at the Northeast Virtual Security Summit.

Final thoughts: Setting priorities

Setting priorities and implementing the highest value of countermeasures that generate the highest ROI while analyzing the cost and probability of vulnerabilities may seem like a rigged game of numbers where incidents and losses are bound to happen. However, accepting minimum losses and incidents far outweighs other alternatives.

Traditional methods used to allocate cybersecurity budgets have become outdated, and the consequences associated with these types of approaches are well documented in threat reports that show the yearly rising costs of threats.

More funding and more tools do not necessarily translate into more security. Security resources must be properly allocated, and the costs of each countermeasure solution must be balanced against the cost of attacks.

While other factors need to be considered, such as companies’ ethical responsibilities to protect each customer, partner and system, a data-driven business approach to cybersecurity budgets can undoubtedly change the cybersecurity industry.

Original Post URL: https://www.techrepublic.com/article/how-companies-determine-cybersecurity-budgets/

Category & Tags: EU,International,Security,cybersecurity,cybersecurity budgets,tech budgets – EU,International,Security,cybersecurity,cybersecurity budgets,tech budgets

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

HADESS
DevSecOps Guides – Comprehensive resource for integrating security into the software development by HADESS
DevSecOps Guides – Comprehensive resource...
Splunk
81 Siem Very important Use Cases for your SOC by SPLUNK
81 Siem Very important Use...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
HADESS
Introduction to Doxing- OSINT methods for information gathering by HADESS
Introduction to Doxing- OSINT methods...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...
Forrester - Allie Mellen
Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR – EDR Is Dead, Long Live XDR by Allie Mellen – Forrester
Adapt Or Die: XDR Is...
CYBER LEADERSHIP INTITUTE
CISO PLAYBOOK: FIRST 100 DAYS Setting the CISO up for success
CISO PLAYBOOK: FIRST 100 DAYS...

LASTEST PUBLISHED POSTS

National Security Agency
CSI Cloud Top10 Key Management
CSI Cloud Top10 Key Management
CSA Cloud Security Alliance
Defining the Zero TrustProtect Surface
Defining the Zero TrustProtect Surface
HANIM EKEN
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CNIL
PRACTICE GUIDE GDPR – SECURITY OF PERSONAL DATA Version 2024
PRACTICE GUIDE GDPR – SECURITY...
PWNED LABS
Cloud Security Engineer Roadmap
Cloud Security Engineer Roadmap
tutorialspoint.com
Cloud Computing Tutorial Simply Easy Learning
Cloud Computing Tutorial Simply Easy...
SMITHA SRIHARSHA
CISSP Preparation Notes
CISSP Preparation Notes
CISSP Mind Map: All Domains
CISSP Mind Map: All Domains
Lansweeper
CIS 18 CRITICAL SECURITY CONTROLS CHECKLIST
CIS 18 CRITICAL SECURITY CONTROLS...
Semaphore
CI-CD with Docker and Kubernetes
CI-CD with Docker and Kubernetes
EC-MSP
BUSINESS CONTINUITY PLAN & DISASTER RECOVERY PLAN TEMPLATE
BUSINESS CONTINUITY PLAN & DISASTER...
PWC
Building a risk-resilient organisation
Building a risk-resilient organisation

More Latest Published Posts

40 under 40
40 under 40 in CyberSecurity 2024
40 under 40 in CyberSecurity 2024
HADESS
40 Days in DeepDark Web About Crypto Scam
40 Days in DeepDark Web About Crypto Scam
Everbridge
8 Principles of Supply Chain Risk Management
8 Principles of Supply Chain Risk Management
CHAOSSEARCH
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
ENDGAME
The Hunters Handbook Endgame’s Guide to Adversary Hunting
The Hunters Handbook Endgame’s Guide to Adversary Hunting
THE EU’S MOST THREATENING by EUROPOL
THE EU’S MOST THREATENING by EUROPOL
National Cyber Security Centre
Responding to a cyber incident – a guide for CEOs
Responding to a cyber incident – a guide for CEOs
IGNITE Technologies
CREDENTIAL DUMPING
CREDENTIAL DUMPING
HADESS
Pwning the Domain Lateral Movement
Pwning the Domain Lateral Movement
Jorgen Lanesskog
PING Basic IP Network Troubleshooting
PING Basic IP Network Troubleshooting
TELESOFT
Layer 7 Visibility What are the Benefits?
Layer 7 Visibility What are the Benefits?
TIGERA
Introduction to Kubernetes Networking and Security
Introduction to Kubernetes Networking and Security
Department of Defense's (DoD)
Defense Industrial Base Cybersecurity Strategy 2024
Defense Industrial Base Cybersecurity Strategy 2024
Dummies
Zero Trust Access for Dummies Fortinet
Zero Trust Access for Dummies Fortinet
Homeland Security
Zero Trust Implementation Strategy
Zero Trust Implementation Strategy
National Australia Bank Limited
Your Business and Cyber Security
Your Business and Cyber Security
CYFIRMA
Xeno RAT- A New Remote Access Trojan
Xeno RAT- A New Remote Access Trojan
IGNITE Technologies
Windows Persistence COM Hijacking MITRE T1546 015
Windows Persistence COM Hijacking MITRE T1546 015
IGNITE Technologies
Windows Exploitation Rundll32
Windows Exploitation Rundll32
IGNITE Technologies
Windows Exploitation Msbuild
Windows Exploitation Msbuild
HADESS
Web LLM Attacks
Web LLM Attacks
HADESS
Trended Protocols for Security Stuff
Trended Protocols for Security Stuff
Red Iberoamericana de Protección de Datos
Transferencia Internacional de Datos Personales – Guia de Implementación
Transferencia Internacional de Datos Personales – Guia de Implementación
CYFIRMA
TRACKING RANSOMWARE January 2024
TRACKING RANSOMWARE January 2024
https://www.linkedin.com/in/harunseker/
TOP Cyber Attacks Detected by SIEM Solutions
TOP Cyber Attacks Detected by SIEM Solutions
TRAVARSA
Top 100 Cyber Threats and Solutions 2024
Top 100 Cyber Threats and Solutions 2024
Top 50 Cybersecurity Threats
Top 50 Cybersecurity Threats
OWASP
Top 10 Considerations for Incident Response
Top 10 Considerations for Incident Response