Jan 22 2019

The cost of Cybersecurity – what the C-Suite needs to know

High-profile breaches, such as those that hit Equifax, Target and others, get the attention of company leaders and often prompt action on cybersecurity where there had been none before. How and where to spend wisely on cybersecurity for better risk management is a question we hear often. We never want you to spend out of fear, but through well-informed decisions.

In this blog, we provide insight to help you make those well-informed decisions in a way that will justify smart funding to protect your company in this ever-changing threat landscape.

How will I understand my risks?

A good start is to conduct a holistic and thorough information security risk assessment with the help of an independent third party. Why a third party? Unbiased feedback and current, hands-on expertise.

Select a cybersecurity firm that is experienced in your industry and understands the legal, regulatory, and compliance obligations you face. You are looking for an objective assessment of your organization paired with corrective measures that close existing gaps and reduce your cyber risk now and for the foreseeable future.

But I thought IT took care of cybersecurity?

Cybersecurity is still often treated as an IT responsibility. That was sensible years ago, but not anymore. IT typically has neither dedicated security staff nor the budget to support these efforts, so IT leaders constantly have to fight their own leadership to prioritize spending on cybersecurity. Advocating for those funds becomes much easier when there are dedicated security experts on the team.

Today, cybersecurity is a distinct and critical function that requires a designated leader – a Chief Information Security Officer (“CISO”) – with a team that complements and strengthens IT and is funded independently. IT and cybersecurity depend on each other even though they have different duties. IT is responsible for enabling the business to accomplish its goals through technology, while cybersecurity is responsible for maintaining the confidentiality, integrity, and availability of the company’s information (the “CIA triad”). The CISO should be an equal partner with the CIO, and both should report to the CFO or COO so that security spending is not decided solely within IT. This teaming concept is well described in CSO Online’s article “IT is NOT Cybersecurity.”

Do I build my own team or outsource?

Recruiting the right people is a challenge in every industry and can be costly in both time and money. Cybersecurity experts are among the most sought-after professionals in the tech sector and command salaries around three times the national average, according to the Bureau of Labor Statistics [1]. This makes it difficult and expensive to build an in-house team with the expertise you need, when you need it.

Outsourced cybersecurity firms, or Managed Security Service Providers (MSSPs), provide expertise for risk and compliance needs along with managed services such as security monitoring, vulnerability assessments, employee training, and policy writing [2]. Engaging an MSSP lets you meet those needs with broader and more current expertise for a fraction of the cost of building an in-house team.

How do I justify the spend?

Understandably, this is almost always a pain point. Here are a few angles to advocate for investing in cybersecurity for your business.

An ounce of prevention is worth a pound of cure. For argument’s sake, would you rather pay $100,000 annually to proactively protect your business, or $1 million or more to cover the losses from a breach? That $1 million is only the direct cost; remediation, legal and insurance costs, and the loss of customer trust and company reputation come on top of it and cause long-term harm. Proactive security will almost always cost less than a breach.

Cybersecurity doesn’t have to be expensive. There are fundamental steps an organization can take to improve its security posture without breaking the bank. Company-wide security awareness training is a good example: a company’s most valuable asset, its people, is also its most frequently targeted one, and training is among the cheapest and most effective ways to raise resilience quickly. In addition, network security monitoring has dropped sharply in cost over the last few years and is now an attainable operational expense.

It’s one of the costs of doing business. There are certain expenses a business must incur to function – payroll, employee benefits, and leasing office space come to mind. In today’s environment, the cost of protecting the business from cyber threats such as hacking, phishing, and malware belongs on that list.

Regulatory and contractual compliance. Most industries now have requirements that obligate a company to have specific security controls in place in order to keep doing business with its customers, clients, and vendors. Your information security risk assessment will identify which of these obligations apply to you and where you currently stand against them.

Competitive advantage. A demonstrable information security program can set your organization apart from competitors. Use it as a value-added benefit that makes your products and services more attractive, making sure that every claim you market is backed by controls you actually have in place and can show evidence of.

It’s easy to talk about investing precious capital in cybersecurity and risk management, but much harder to actually spend it, and to spend it wisely. Companies want assurance that the money they invest will be money well spent, and executives sometimes struggle to see the value in any investment. For cybersecurity and risk management, be assured that it could save your company, and perhaps your job too.

[1] https://www.cio.com/article/2383451/careers-staffing/cybersecurity-pros-in-high-demand–highly-paid-and-highly-selective.html

[2] http://www.layer8security.com/white-papers/

Featured photo from Pictures of Money