Making the Case for Proactive Cyber Security Investments
Proactive, or preventative, cyber security measures continue to be an afterthought in today’s conversations around breach preparedness. In this Forbes article, for example, the author suggests establishing an incident response plan, defining recovery objectives and more, all of which are necessary – but there is no mention of investing in the tools and services that strengthen your security posture in the first place.
Sure, it can be difficult to make a business case for the C-Suite to invest in something intangible that doesn’t directly result in new revenue streams. Historically, though, we’ve seen breaches cost companies millions and sometimes billions of dollars, proving that a ‘dollars and sense’ case can be made. And even when a case has been made to the board and funding is available, security teams struggle to be proactive because they are constantly reacting to the threats already looming in their network, they lack adequate staffing, and the rate at which new vulnerabilities appear continues to outpace the business’s ability to address them. So, how can organizations come together, C-suite and security teams alike, to prioritize the urgency of implementing a proactive cyber security program? How can we communicate that the upfront planning and setup is a proactive investment that will help eliminate the financial and time strain of a reactive-first program?
The reality is that cyber security breaches today are inevitable and put organizations at grave risk. To help security teams make the case for prevention-based security investments, here are three recommendations that will get the attention of C-Suite executives and help security teams remain proactive:
Translate the Impact of a Breach into Dollars and Sense that the C-Suite will Understand
In today’s digital world, data is more valuable than ever and, at the same time, more vulnerable than ever. So, how can you best communicate this heightened value of data security to your leadership team? By speaking a language they understand. First, shift your mindset from talking about “cyber security and compliance” to “customer safety and quality services”; these terms will resonate better with the C-Suite.
Next, be prepared to talk financial risk. Annually, IBM and the Ponemon Institute release the Cost of a Data Breach Report, which includes a calculator based on industry and cost factors, such as board-level involvement, compliance failures and insurance, to determine the potential financial impact a breach could cause. Use this resource to calculate your own organization’s estimated cost of a data breach. A simple calculation case study: in the United States, if an attacker compromised just 5,000 records, it would cost your organization over $1 million (based on the average cost of $242 per lost record). This case demonstrates the cost of a smaller-scale breach – in fact, the average size of a typical data breach in the United States in 2019 was 25,575 records, resulting in an average cost of $8.2 million per breach. Compare that to the average cost of a vulnerability management or penetration testing program, and your case to the executive team is pretty simple. Notably, loss of customer trust and loss of business were the largest of the major cost categories, according to the report. The study found that breaches caused a customer turnover of 3.9 percent – along with heaps of reputational damage.
Lastly, use examples in your respective industry as proof points. For example, if you’re in the financial services industry, reference other breaches in the sector and their associated cost. It’s important to clearly communicate the reality of what happens when your organization is breached to get the C-Suite on board for additional cyber security spend. Sharing concerning results of reactive cyber security strategies will help them to see the benefit of investing in proactive security measures to prevent a breach from happening in the first place.
Help Leaders Understand Vulnerability Testing’s Role in a Crisis Preparedness Plan
A data breach is a common crisis scenario for which every business should plan. It should be discussed in tandem with other risk scenarios like natural disasters, product recalls, employee misconduct, and conflict with interest groups, to name a few. As with any disaster preparedness program, documentation and reporting are critical. Specifically, documentation of your vulnerability testing results and remediation efforts should be viewed as a tool to inform leaders about the organization’s exposure to risk, as well as its ability to prevent breach attempts from succeeding. Cyber security weaknesses to look for from an organizational standpoint include a lack of continuous vulnerability testing and patching, untested incident response plans, and limited training and security awareness programs. These three key areas can turn into the “Achilles heel” of any organization’s security posture if not addressed and implemented properly.
Position Your Pentest Team as an Extension of Your Own Security/IT Team
According to a survey we conducted earlier this year, over 80 percent of security leaders say lack of resources keeps them up at night. And for some time now, the security industry has suffered a skills shortage. While companies are eager to hire experts to address the ever-evolving threat landscape and avoid the high costs of a breach, there aren’t enough people who can fill these roles. According to the latest data from non-profit (ISC)², the shortage of skilled security professionals in the U.S. is nearly 500,000.
Hiring outside resources is one solution to this demand conundrum. Time is invaluable, so if you’re proposing to hire new vendors, it’s important from the start to position the white hat testers to your executives as an extension of your own team. It is the responsibility of both corporate security practitioners and vendors to find ways to work collaboratively as one team. Pentesting is a great example of this. Traditionally, pentesters complete their engagement, hand off a PDF and send the internal team off to remediate. With the emergence of Penetration Testing as a Service (PTaaS), testers not only perform an engagement but also conduct deeper manual tests, continuously scan for vulnerabilities, deliver ongoing results in an interactive digital platform that separates critical vulnerabilities from false positives (a time-consuming activity for your in-house team), and serve as remediation consultants for your organization. Make it clear to the C-Suite that vendor relationships are changing and that vendors can serve as a solution for current cyber security skills gaps within the business.
When the C-Suite and its IT and security departments are disconnected on security priorities, the risk of a data breach increases. Learn to speak the language of your executive leaders and communicate the true value of proactive security measures. Effective communication around the potential financial impact of a breach, where vulnerability testing fits in a crisis preparedness plan, and ways to solve cyber security talent shortages, ought to result in additional budget for key security initiatives.