As companies grow and embrace digital transformation, their approach to integrated risk management should broaden with them. The past year alone has shown a dramatic increase in remote work, and the expansion into and reliance on online spaces has only demonstrated how vulnerable some systems are. Consumers and businesses alike are becoming more aware of the dangers of operating online. In the past four years, investment in cybersecurity has skyrocketed. In 2017 the industry was valued at over $120 billion, and it is forecast to grow to $170.4 billion by 2022.
Investing in proactive integrated risk management solutions can reduce the likelihood that a vulnerability is exploited. However, budgeting for such a resource can be nebulous, especially as threats transform and evolve constantly.
So, how much are Fortune 500 companies typically spending on cybersecurity? Research suggests that allocating a fixed percentage of the overall budget may be the best approach. For example, in 2019 the U.S. invested $15 billion in cybersecurity, which accounts for 0.3% of the entire fiscal budget of $4.74 trillion. Financial services firms go a step further and often allocate between 6% and 14% of their budgets to cybersecurity and IT.
But there is no clear-cut answer to “how much should I spend on a risk-based approach to cybersecurity?” Instead, security leaders need to consider the reputational risk of having no process or budget in place for risk management. What repercussions could the company face if there were a client data breach? Is it possible to put a number on the hit a business could take from a loss of client trust? “We’re looking at the cost of data protection vs. the cost of a data breach,” says Mike McEachern, a partner at TechCXO and a CyberSaint advisor.
The Marriott data breach of 2018 can serve as a point of reference. Marriott’s breach included 338 million compromised customer profiles, including passport and credit card information. Second-quarter profits dropped 65% to $232 million. Overall revenue fell 1.9%. Marriott lost customer trust and confidence and paid for its lax approach to risk management.
It has become apparent that part of the responsibility of managing risk is not only determining what a company could lose but also what it can gain by retaining customer confidence. To paint a clear picture for boards and investors, CISOs and CFOs can present risks and options using the CIA triad, assessing the vulnerabilities in a system with regard to Confidentiality, Integrity, and Availability. What is the company’s risk profile with regard to its clients’ information? Which systems are susceptible to modification or deletion by unauthorized parties? Which threats could prevent legitimate users from accessing the system at all?
Beyond the CIA triad, businesses gain a competitive advantage when they are proactive in the marketplace and can assure their clients that their sensitive data is in safe hands. “As an organization’s cyber posture matures over time,” Principal Architect Stephen Torino explains, “one of the things you typically see is CFOs and CISOs being more proactive and involved with their company’s risk assessment and budget. They also influence the company culture and human risk management.”
C-suite executives can be crucial to a business’s overall success in managing cyber and IT risk. Many companies are setting new precedents in their company culture to address the changing IT and cyber risk landscape, and that kind of influence can only come from a top-down approach to cybersecurity. “In the history of accounting and finance, the CFO’s job has been to protect the company’s assets. And what’s happened in the last few years is that the company’s assets have moved from tangible assets like in-house IT and network servers to the cloud. So protection of data is the number one concern I see,” says McEachern.
Lastly, in addition to support from security leaders, real-time analysis of vulnerabilities in a system can ensure a problem is found and contained before it escalates into a critical issue. It is becoming more and more evident that periodic risk assessment is not enough. Systems that are not consistently managed and monitored are vulnerable to attack. Look no further than the SolarWinds attack of late 2020 as evidence. The compromised software update reached over 18,000 networks, delivered through an update process that many organizations run automatically with little or no scrutiny.
The breach included computers at the Department of Defense, the Department of State, and many other high-profile U.S. organizations. Emails and servers were skimmed for data for months before the breach was detected. Although this is considered one of the most significant breaches in cybersecurity to date, more careful and continuous monitoring could have surfaced the threat much sooner.
The SolarWinds and Marriott attacks not only show how valuable continuous real-time analysis of systems can be, but they also demonstrate the enormous amount of risk that governments, companies, and businesses face on a day-to-day basis. By allocating budget for risk-based cybersecurity approaches, companies can keep not only their customers and data safe and secure, but also their bottom line.