Last updated at Fri, 13 Oct 2023 19:33:17 GMT
The digital economy is being disrupted by data. An estimated 79 zettabytes of data was created and consumed in 2021— a staggering amount that is reshaping how we do business. But as the volume and value of data increases, so does the motivation for hackers to steal it. As such, cybersecurity is a growing concern for organisations across all industries, and budget requests are increasing as a result.
But if we’re spending more, why are organisations still getting hacked at an increasing rate?
In the first webinar of Cybersecurity Series: Hackers ‘re Gonna Hack, our Chief Technology Officers Jason Hart (EMEA) and Ken Mizota (APAC) shared their experiences on why executives need to reconsider their current operating model and ensure their cybersecurity budgets are working as hard as possible.
84% of our EMEA webinar audience and 67% from APAC agreed that doubling their cybersecurity budget would not halve the risk or impact for their business.
Cybersecurity departments are finding it extremely challenging to justify increases to their budget when they are not seen as directly contributing to revenue. There was also a time when cyber insurance was regarded as a safeguard and magic wand to protect us from risks. But now, these providers are placing more onus on organisations to ensure preventative measures are in place, including risk assessment, controls, and cybersecurity operations.
In an ever-evolving landscape, it is essential to take a step back and consider how you can improve your approach. The key question remains, “How do you do more with less?” You can’t protect everything – you need to understand what matters most and be able to manage, mitigate, and transfer risks by working with a range of stakeholders throughout your organisation. Here are four strategies that can help.
1. Embrace the evolution of profit and loss for cybersecurity
A profit-and-loss framework for cybersecurity enables organisations to identify their current level of risk, prioritise their efforts based on those risks, and then set benchmarks for improvements over time. The goal is to create an environment where you can proactively manage your cybersecurity risks rather than reactively mitigate them after they've occurred.
61% of our EMEA audience and 89% from APAC agreed they need to approach cybersecurity from a profit-and-loss perspective.
2. Become situation-aware
Awareness is the ability to look at all the information available, recognise what's important, and act accordingly. It's a skill that can be learned, practised, and improved over time.
You can't fix what you don't know, so it's essential to have a clear understanding of the risks in your organisation and those that might arise in the future. We believe there are three levels of awareness:
- Situation awareness: When an organisation understands the critical (people, data and process) and operational elements for executing information security strategy.
- Situation ignorance: When organisations assume everything is OK without considering the impact of people, data, and processes. They may be implementing security control and awareness training, but there is no straightforward process. The strategy does not align to risk reduction and mitigation, and budgets continue to increase.
- Situation arrogance: Organisations that continue to spend huge amounts of budget, while still getting compromised and breached. They might consider people, data, and process, but they fail to act.
57% of our EMEA and APAC audience believed they were situation-aware. 31% percent from EMEA and 43% from APAC said they were situation-ignorant, while 11% from EMEA felt their organisations were situation-arrogant.
Try to identify your organisation's cyber maturity to make improvements. To test impact and likelihood, ask your peers – in the event of a breach, what data would you be most concerned about if hackers applied ransomware to it? To test risk versus control effectiveness, consider where that data is located. When understanding impact and level of risk, find out what business functions would be affected.
3. Adapt or become irrelevant
Cybersecurity operations should be tailored to your organisation's unique needs; there’s no one-size-fits-all approach. The move away from traditional operation models to a more targeted one requires a strong foundation for transformation and change. This includes:
- Culture
- Process
- Measurement
- Resources
- Accountability
- Automation
Only 27% of our EMEA audience and 30% from APAC believed they have the foundations for a targeted operations model to carry over to cybersecurity.
4. Implement protection-level agreements
To eradicate and remove a critical vulnerability, you might need to reboot, consider patch management, or bring systems down. This can be hard to assign a value, but it will inevitably increase your budget.
For example, to reduce a critical vulnerability, the average annual cost for the business is £1 million per year. But what if we set up a protection-level agreement (PLA) so that any critical vulnerabilities are eradicated and managed within 30 days? That would reduce operational costs to approximately £250,000 per year.
But what if you are hacked on day 25? That isn’t not a control failure – it results from a business decision that has been agreed upon. PLAs enable you to track and monitor threat activity so the business and leadership team can understand why you were breached. The approach also highlights gaps in your foundation, enabling you to address them before they become serious problems. For example, it might highlight potential challenges in handoff, process, or accountability. Additionally, a PLA is a language your stakeholders understand.
Everyone is on the same journey
Each stakeholder in your organisation is at a different stage of their journey. They have different expectations about how cybersecurity will impact them or their department. They also have different levels of technical knowledge. When planning communications, consider these differences to get them on board with your vision, working with them to ensure everyone’s expectations can be met.
Watch Jason (EMEA) or Ken (APAC) give Part 1 of our "Cybersecurity Series: Hackers 're Gonna Hack" to learn more, and read our posts on Part 2 and Part 3 of the series.
Additional reading:
- Defending Against Tomorrow's Threats: Insights From RSAC 2022
- Identifying Cloud Waste to Contain Unnecessary Costs
- Cybersecurity Is More Than a Checklist: Joel Yonts on Tech’s Unfair Disadvantage
- 3 Takeaways From the 2022 Verizon Data Breach Investigations Report