According to the 2021 Hiscox Cyber Readiness Report, cybersecurity spend now exceeds 20% of the average business's total IT spend, up from 12.9% in 2020 and 9.9% in 2019, so evaluating the cost/benefit of cybersecurity is becoming increasingly pertinent.
Yet, despite its rising cost to the business, cybersecurity lacks quantified efficacy metrics. Standard security products do not produce the data needed to run a quantified cost/benefit analysis, so CISOs and CSOs lack up-to-date, quantified figures. Their estimate of how well the solution stack performs is built from the latest penetration test or red team exercise, educated guesses about each element of the stack, and the hope that those elements are used optimally, do not overlap, and cover the entire environment.
As a result, security spend allocation is typically based on the CISO's or CSO's ability to convince the board rather than on hard data.
The Cybersecurity Cost/Benefit Analysis Conundrum
To understand why accurately quantifying cybersecurity cost/benefit is akin to mission impossible, it helps to examine the underlying difficulties that hobble the process.
Cybersecurity Conjectural Cost/Benefit Evaluation
By its very nature, cybersecurity is a cost whose purpose is to avoid the potentially prohibitive cost of a breach. Precisely calculating its cost/benefit would require knowing not only its exact cost, which is easily measurable, but also the exact degree of efficacy it achieved. Unfortunately, it is impossible to precisely quantify the cost of an event that did not happen; that is akin to proving a negative.
Under these circumstances, the closest one can get to evaluating the cost/benefit of cybersecurity is to estimate the savings achieved by hardening the security posture against the estimated cost of a breach, using figures from sources such as the Ponemon Institute's yearly report, figures that may over- or underestimate the cost for a specific organization or business.
Evaluating Security Tools’ Worthiness
Without clear efficacy metrics, evaluating the value of cybersecurity investment can never be more than a guessing game.
The definition of cybersecurity metrics is still an arcane issue being worked on by MITRE, but even with its developing set of resiliency metrics, scoring the efficacy of individual cybersecurity solutions, both in general and in a specific organization's context, is fraught with difficulty.
Hiring an external penetration testing service evaluates the solution stack's overall effectiveness. However, that method cannot identify which tool stopped which attack, which limits the granularity and precision of any assessment of each tool's efficacy and value, and it only provides a snapshot at a specific point in time that is de facto out of date within a short while, as new offensive techniques and tools appear and continuous deployment keeps introducing new vulnerabilities between tests.
Eliminating the Solution Stack Costly Inefficiencies
Without an efficient way to measure each tool's efficacy and scope, the imperative to ensure comprehensive security coverage naturally leads to extensive tooling. Yet excessive tooling risks creating tool sprawl, reducing both operational flexibility and defense effectiveness while generating unnecessary expenses.
Trend Micro research from 2021 indicates that organizations with more than 10,000 employees have an average of 46 monitoring tools in place. More than half are not even using those tools, because of a lack of integration (42%), a lack of skilled professionals (39%), difficulty understanding how to operationalize them (38%), outdatedness (37%), and a lack of trust in them (20%).
This colossal waste of resources can only be corrected with continuous visibility into each tool's efficacy in real-life scenarios across the kill chain.
Aligning with Business Priorities
As seen above, throwing more money at the security solution stack is not necessarily effective. Lack of visibility into the actual security posture of each business unit can result in a misalignment between the cybersecurity spend allocated to each business unit, based on its relative business criticality, and that unit's actual level of security effectiveness.
In short, allocating the cybersecurity budget efficiently, to optimize resiliency in line with risk factors, is virtually impossible without clear visibility that provides quantified, actionable data.
Required Steps to Recalibrate Cybersecurity Spend
In these days of economic downturn, maximizing tools' effectiveness and reducing or eliminating overlapping capabilities can be achieved without compromising the overall security posture. In some cases, rationalizing the cybersecurity solution stack for efficiency can even cut costs, but that requires a clear, documented identification of which tools are essential, which are nice to have, and which are redundant. The four steps below map out the strategy.
1. Establishing Cybersecurity KPIs Based on Verified Metrics
Cybersecurity programs have rarely been run on KPIs, because KPIs are based on quantified data and, until recently, cybersecurity resilience could not be expressed as a numerical value derived from data.
As a result, solution stacking requirements are typically based on best guesses with non-measurable cost/benefits, which complicates communication with the board, may lead to unnecessary purchases, and makes tool efficacy hard to optimize.
The emergence of Extended Security Posture Management solutions delivers security posture risk scoring based on verifiable, itemized data.
These scores are crucial to quantifying variability from baselines and evaluating progress made.
Over time, this new granular measurability returns a quantified evaluation of the tools’ dollar-to-value ratio and the progress of security optimization.
2. Rationalizing Cybersecurity Spend Allocation
With access to a quantified risk evaluation for predefined segments, such as business units or infrastructure sections, it becomes possible to align the cybersecurity budget allocation to defined goals.
· Per business unit
Without granular visibility into the actual risk faced by each business unit, security spend allocation is based on estimates, ranging from the relative size of each department in number of endpoints to finger-in-the-wind calculations of where attackers are most likely to strike.
With the availability of tools that measure the actual security effectiveness for each business unit, it becomes possible to redistribute the cybersecurity budget in line with the business criticality rating.
· Per infrastructure section
Within each business unit, cybersecurity needs vary. For example, in a department such as Sales and Marketing, which depends heavily on incoming email from unknown sources, email security controls must prevent ransomware, worms, trojans, and other email-borne attacks carried by malicious attachments and links. This requires tightening email gateway validation by blocking or removing malicious links and attachments through technologies such as a secure email gateway, Content Disarm and Reconstruction (CDR), sandboxing, and others.
3. Continuously Reallocating Resources Based on Data
Once security spend is optimized, it needs to remain optimized, which requires continuous reevaluation to prevent security drift.
The ongoing emergence of new threats leveraging an ever-wider array of technologies underlies the cybersecurity motto "threat informs defense." In other words, the cybersecurity infrastructure needs to be agile, continuously evaluating the efficacy of its solution stack in real time and reallocating resources to match the threat landscape.
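As an added example of what steps 1 to 3 describe, the Python script below turns per-attack validation results into the two kinds of numbers a black-box pentest cannot give: a measured effectiveness score per business unit and a per-control "which tool stopped what" view, and then derives a budget split from the gap between each unit's criticality and its measured posture. This is illustration code written for this page, not Cymulate's or any other product's code; the result records, the outcome weights, the criticality ratings and the allocation formula are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: one record per simulated attack step, in the shape a
# security validation run might log it. Field names are assumptions.
# outcome: "prevented" (a control blocked it), "detected" (alert only), "missed".
RESULTS = [
    {"unit": "Sales", "stage": "delivery", "technique": "T1566.001", "control": "email-gateway", "outcome": "prevented"},
    {"unit": "Sales", "stage": "delivery", "technique": "T1566.002", "control": "email-gateway", "outcome": "missed"},
    {"unit": "Sales", "stage": "execution", "technique": "T1204.002", "control": "edr", "outcome": "detected"},
    {"unit": "Sales", "stage": "exfiltration", "technique": "T1048", "control": "dlp", "outcome": "missed"},
    {"unit": "Finance", "stage": "delivery", "technique": "T1566.001", "control": "email-gateway", "outcome": "prevented"},
    {"unit": "Finance", "stage": "execution", "technique": "T1204.002", "control": "edr", "outcome": "prevented"},
    {"unit": "Finance", "stage": "lateral-movement", "technique": "T1021.002", "control": "edr", "outcome": "detected"},
    {"unit": "Finance", "stage": "exfiltration", "technique": "T1048", "control": "dlp", "outcome": "prevented"},
    {"unit": "Engineering", "stage": "execution", "technique": "T1059.001", "control": "edr", "outcome": "missed"},
    {"unit": "Engineering", "stage": "lateral-movement", "technique": "T1021.002", "control": "edr", "outcome": "missed"},
    {"unit": "Engineering", "stage": "exfiltration", "technique": "T1048", "control": "dlp", "outcome": "detected"},
]

OUTCOME_SCORE = {"prevented": 1.0, "detected": 0.5, "missed": 0.0}  # assumed weights
CRITICALITY = {"Finance": 5, "Sales": 3, "Engineering": 4}          # assumed 1..5 business criticality


def unit_effectiveness(results):
    """Mean outcome score per business unit: 0.0 (everything missed) to 1.0 (all prevented)."""
    scores = defaultdict(list)
    for r in results:
        scores[r["unit"]].append(OUTCOME_SCORE[r["outcome"]])
    return {unit: sum(s) / len(s) for unit, s in scores.items()}


def control_efficacy(results):
    """Per control: how many attack steps it faced and the fraction it prevented."""
    faced, prevented = defaultdict(int), defaultdict(int)
    for r in results:
        faced[r["control"]] += 1
        if r["outcome"] == "prevented":
            prevented[r["control"]] += 1
    return {c: {"faced": faced[c], "prevented": prevented[c],
                "rate": round(prevented[c] / faced[c], 3)} for c in faced}


def stage_gaps(results, unit):
    """Kill-chain stages in which a unit had at least one missed attack step."""
    return sorted({r["stage"] for r in results if r["unit"] == unit and r["outcome"] == "missed"})


def allocate_budget(results, criticality, budget):
    """Split a budget in proportion to criticality * (1 - measured effectiveness).
    A critical unit with a weak measured posture gets the most; a unit that already
    prevents everything gets nothing from this pot. The formula is an assumption."""
    eff = unit_effectiveness(results)
    weight = {u: criticality[u] * (1.0 - eff[u]) for u in eff}
    total = sum(weight.values())
    if total == 0:
        return {u: 0.0 for u in eff}
    return {u: round(budget * w / total, 2) for u, w in weight.items()}


if __name__ == "__main__":
    print("effectiveness:", {u: round(e, 3) for u, e in unit_effectiveness(RESULTS).items()})
    print("controls:", control_efficacy(RESULTS))
    for u in CRITICALITY:
        print(u, "gaps:", stage_gaps(RESULTS, u))
    print("allocation:", allocate_budget(RESULTS, CRITICALITY, 100_000))
```

Re-running the script on the next validation cycle's records is the "continuously reallocating" part of step 3: a control that was tuned, replaced or retired changes its `rate` and the affected unit's effectiveness, and the allocation moves with it instead of staying frozen at last year's guess.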
4. Prioritizing Mitigation Based on Data
The vast majority of security bugs have limited to no effect on cyber resilience as a whole. Yet, without a means to evaluate each vulnerability's actual exploitability in the organization's own environment, valuable resources are poured into patching vulnerabilities that pose limited to no risk.
Implementing Attack-Based Vulnerability Management (ABVM), a technique that scores each vulnerability's risk by launching production-safe attacks against the environment, makes it possible to prioritize patching based on actual risk and to allocate resources where they are needed.
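The following Python example, added here and not taken from the page or from any vendor's product, shows the ranking step of the approach just described: each scanner finding is enriched with the outcome of a production-safe exploitation attempt, and that outcome, together with asset criticality, drives the order in which findings are worked, with a pure CVSS ordering alongside for contrast. The vulnerability records, the `validated` field and its multipliers, and the tier rules are constructed assumptions for the illustration.

```python
# Constructed inventory: vulnerabilities a scanner reported, each enriched with
# the result of a production-safe exploitation attempt (an assumed field).
# validated: "exploited"   -> attack succeeded end to end
#            "blocked"     -> a compensating control stopped it
#            "unreachable" -> no attack path to the asset was found
#            None          -> not yet tested
VULNS = [
    {"id": "VULN-A", "asset": "hr-portal",    "cvss": 9.8, "criticality": 5, "validated": "blocked"},
    {"id": "VULN-B", "asset": "billing-db",   "cvss": 7.5, "criticality": 5, "validated": "exploited"},
    {"id": "VULN-C", "asset": "dev-wiki",     "cvss": 9.1, "criticality": 2, "validated": "exploited"},
    {"id": "VULN-D", "asset": "print-server", "cvss": 8.8, "criticality": 1, "validated": "unreachable"},
    {"id": "VULN-E", "asset": "billing-db",   "cvss": 5.3, "criticality": 5, "validated": None},
    {"id": "VULN-F", "asset": "hr-portal",    "cvss": 6.4, "criticality": 5, "validated": "blocked"},
]

# Assumed multipliers: an untested finding keeps most of its weight so that it
# is not silently deprioritized; a blocked one is discounted, not zeroed,
# because the compensating control can regress.
VALIDATION_FACTOR = {"exploited": 1.0, None: 0.6, "blocked": 0.25, "unreachable": 0.05}


def risk_score(v):
    """Composite 0..100 = (cvss/10) * (criticality/5) * validation factor * 100,
    written as cvss * criticality * factor * 2 to keep the arithmetic exact."""
    return round(v["cvss"] * v["criticality"] * VALIDATION_FACTOR[v["validated"]] * 2, 1)


def tier(v):
    """Work queue for a finding. Untested findings are sent to validation before
    anyone decides to patch or to defer them."""
    if v["validated"] is None:
        return "validate-first"
    if v["validated"] == "exploited":
        return "patch-now" if v["criticality"] >= 4 else "schedule"
    return "backlog"  # blocked or unreachable: compensating control holds, patch in the normal cycle


def prioritize(vulns):
    """(id, tier, score) tuples, highest validated risk first."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    return [(v["id"], tier(v), risk_score(v)) for v in ranked]


def cvss_only_order(vulns):
    """What the queue looks like when severity alone drives patching."""
    return [v["id"] for v in sorted(vulns, key=lambda v: v["cvss"], reverse=True)]


if __name__ == "__main__":
    for vid, t, score in prioritize(VULNS):
        print(f"{vid:8} {t:15} {score:5.1f}")
    print("CVSS-only order:", cvss_only_order(VULNS))
```

On this constructed data the CVSS-only queue starts with VULN-A, a 9.8 that the validation run showed is already blocked, and puts VULN-B fourth even though it was actually exploited on a critical asset; the validated queue inverts that. Two caveats a practitioner would keep: a "blocked" verdict is only as current as the last run and should be re-tested whenever the blocking control changes, and "unreachable" depends on the attack paths the test covered, so it should not be read as "unexploitable by anyone".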
In addition to optimizing the cybersecurity posture, the Cymulate Exposure Management and Security Validation platform provides security scores that evaluate the efficacy of each element of the security array, based on hard data collected during continuous assessments.
Establishing this baseline provides 360° visibility that enables informed budget decisions by removing the guesswork.