Healthy skepticism is necessary for cybersecurity leaders to anticipate current and future threats.
That’s the advice to cybersecurity leaders from Doug Hubbard, president of Hubbard Decision Research. Hubbard recently spoke with Christian Sorenson, founder and CEO of SightGain. They discussed the impact of decisions and the need to gather and assess data carefully.
Do Cybersecurity Investments Deliver Results?
Hubbard noted that the return on investments in cybersecurity may take a while to present themselves.
“If we decide to put $1 million here or $10 million there to reduce risk by X amount, how long do I have to wait and observe that system before I get feedback on whether or not it’s working?” Hubbard said.
The challenge, Hubbard noted, is the uncertainty as to whether an investment will deliver the desired result. In the world of cybersecurity, with ever-evolving threats, making those commitments means taking risks. The return could take years to materialize.
“If a particular event was, say, a 1-in-10-year event (and) I make a big investment and decide that I’m going to reduce that risk by half. How many years do I have to watch my own environment to be even, say, 80 percent sure that that mitigation is working?”
Challenges to Measuring Return on Investment in Cybersecurity
Measuring return on cybersecurity investment is often an elusive task when it comes to cybersecurity. A good day in cybersecurity is when nothing happens, and systems and networks remain up and running at full capacity. There are no threats that materialize or those that do are mitigated without causing any damage.
So, understanding the impact of cybersecurity investments often comes down to choosing which of the myriad variables available to measure. The key is to show board members and senior leaders that investments in cybersecurity can lead to improved protections and compliance while reducing risk.
Start with the areas that can be quantified. The costs of failures in specific areas, for example, can and should be measured. For example, the loss of revenue from a website that’s been subject to a DDoS attack can be calculated based on average hourly or daily sales.
Similarly, the loss of authenticating credentials can be forecasted (and used to justify spending on enhanced authentication technologies).
Cybersecurity leaders can quantify what they can and position it as a minimum impact from cyberattacks. However, some boards and c-suites will want to know more.
Probability statistics can play a role here, too. By presenting likelihood statistics, both with and without cybersecurity investments can help round out the case. So, too, can industry statistics on types of attacks and the resultant economic impact.
There’s an art and science to these calculations. Calculating reputational loss may be more difficult to quantify. But projecting what reputational loss would mean in terms of customer retention and new customers certainly can be calculated.
Key Advice for Cybersecurity Leaders
Cybersecurity is ever-shifting and more critical than ever. As the threats evolve, so, too, will the importance of investments, strategies, and solutions that keep technologies, data, and users protected. Here are some other emerging trends in cyber security that technology leaders should heed:
- Extortion Tactics Will Evolve. Threats from ransomware continue to persist and will likely change. Extortion approaches such as “hack and leak”—compromising systems and leaking data are on the rise. So are data destruction methods, which can be catastrophic for organizations
- AI Security Needs. Artificial intelligence is growing rapidly, with applications across industries. With more organizations investing in AI tools, there’s a growing need to protect those technologies, ensuring they are not compromised or tricked into certain actions
- AI and ML to Manage Risk. Just as the need to keep AI secure increases, the technology will also increasingly be used to manage risk. So, too, will machine learning technologies. AI and ML can monitor, predict and mitigate both internal and external risks, freeing up IT teams at the same time the volume of data needing protection continues to skyrocket
- Importance of Visibility. With more systems at play and being protected, it’s important for cybersecurity teams to have visibility into those systems and solutions. Pervasive visibility allows you to detect issues early and manage responses at a global level
- Endpoint Security Issues. The prevalent use of mobile devices and hybrid or remote work arrangements means a continued need for security. Worker mobility will also likely diversify, giving rise to the need for multimodal solutions
- Budget Accordingly. There continues to be an ever-evolving, complex and growing list of cybersecurity challenges. In addition, there are increasing numbers of compliance mandates required by multiple jurisdictions. The costs of cybersecurity are considerable and must be budgeted appropriately
Hubbard’s Feedback Advice
Relying on external data is one important way to obtain feedback, Hubbard said.
“There’s an amazing solution for this. It’s almost 30 years you have to wait before you can be 80 percent sure that the mitigation you just invested in, the risk reduction you just invested in, is actually working,” Hubbard said. “I know I’m not going to learn from feedback, not feedback in a regular way.”
Instead, Hubbard suggested looking to new approaches.
“I’m going to have to either create feedback or I’m going to have to be a lot more systematic about gathering data externally, including data from other organizations where this is happening and data about the relative performance of judgment methods themselves,” Hubbard said.
Fortunately, there are large amounts of data available. In some cases, the available information surpasses that from data collected in the largest pharmaceutical trials.
Combining external data with what is known can be a powerful way to asses and provide the healthy skepticism cybersecurity leaders need.
“We do have a lot to build on, and people are routinely surprised by how much a little bit of data, a few observations, moves the needle a little bit,” Hubbard said. “It makes a big difference.”
