By: Sarah White
Cybersecurity is an increasing concern in the enterprise as the number of high-profile breaches reported only grow each year. In 2015, there were a reported 781 data breaches in the U.S., making it the second highest year for security threats, according to data from the ISACA. And 40 percent of those data breaches happened in the business sector.
So it’s no surprise that Business Insider Intelligence reports an estimated $655 billion will be invested in cybersecurity initiatives between 2015 and 2020. However, in 2015, worldwide cybersecurity spending reached only $75.4 billion, according to Gartner, jumping to an estimated $2.77 trillion in 2016. Those numbers suggest that businesses are only just catching on to the importance of cybersecurity in the workplace, but are they too late?
“It’s a constantly evolving complexity, so I think it’s hard and even dangerous to think of it in terms of ‘I need to start now,’ because we’re at this watershed moment. Frankly, if you’re starting now, you’re already way behind,” says Ben DesJardins, director of security solutions at Radware.
Unlike technologies such as switched telephone networks (PSTN), where it “just made sense to wait and jump straight to wireless,” DesJardins says you can’t sit around waiting for the next best solution in cybersecurity to pop up because, “strong security builds upon solid foundations, core policies and processes for data availability, integrity and confidentiality.”
The cost of security
IBM estimates that the average cost of a security breach in 2016 is $4 million – up from $3.8 million in 2015. With massive revenue losses at stake, you might think that businesses are scrambling to invest as much as possible to protect corporate data. However, implementing the technology necessary to protect your business can often be just as expensive as a data breach, especially if you want to do it the right way.
But there’s a catch if you decide to wait a longer to establish your corporate security plan, says Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, chair of ISACA’s board of directors and group director of Information Security for INTRALOT. The longer businesses wait to tackle cybersecurity initiatives, the more it will eventually cost them to implement in the future.
“The later cybersecurity is implemented, the higher the cost, especially in technology-intensive industries. Security by design is more cost-effective than security that is patched around systems, especially as far as healthcare data are concerned. Even if one puts aside the liabilities from a breach, the reputational impact to an organization can be enormous,” he says.
Not every business can create an unlimited security budget, like Bank of America did, but businesses are letting a lack of visible ROI and cost get in the way of protecting company assets. Board members must aggressively weigh the pros and cons of any initiatives the company decides to take on, and oftentimes that leaves IT settling for a solution that wasn’t the first choice but is more affordable, says Erica St-Pierre, Managing Director of the Information Technology division at The Execu|Search Group.
“In many instances, CIOs or other executives know exactly what product or solution would be the best fit for their company, but they cannot afford it. Companies have to make tough budgeting choices about existing programs and the overall allocation of funds in order to give cybersecurity initiatives the attention they know they deserve,” she says.
A shifting focus
Cybersecurity is growing increasingly complex. At one time, it was mostly about protecting data. And security threats were, more than anything, a publicity nightmare, says DesJardins. But the scope of cybersecurity has since grown from a focus on data “confidentiality and integrity” to include newer threats regarding “availability,” in the form of DDoS attacks and website downtime. He says that, a result, CIOs and CISOs are often forced to make concessions, facing the reality that no matter the size of the security budget, they can never fully guarantee complete security.
Not only are threats more complex, they’re also more dynamic, says DesJardins. It’s difficult for businesses to stay up to date on every cybersecurity threat, so IT will often turn to third-party resources to help manage the massive undertaking of cybersecurity, which helps alleviate the burden on IT, but also means some security measures are out of their hands.
“The dynamic and changing nature of the threat landscape is evident. But, at the same time, those changes are ongoing, so too are changes to the way companies build and deploy applications. More and more IT assets — and associated vulnerabilities — are outside of the IT and security team’s direct control. This makes the implementation and management of effective security processes and operations very difficult,” he says.
For IT, cybersecurity can seem like an uphill battle of trying to land the appropriate budgets, balance cost with quality products and creating a scalable approach that will remain flexible with evolving technology. Dimitriadis instructs IT leaders in this position to present cybersecurity initiatives to wary executives as a necessity for competing in the industry, a way to build trust with customers and to link security with imperative business measures in the organization.
“With the appropriate cybersecurity framework in place, which takes response and recovery as seriously as prevention and detection, enterprises have the opportunity to be well-protected. It is indeed now or never, as cyber-incidents are capable of causing an enterprise to collapse,” he says.