They'll Wait for the Reality Check

How can we justify the investment in cybersecurity?

"Nothing bad has happened to us so far, and surely nothing will ever happen. We haven't had to spend millions on cybersecurity like those other firms. Poor, silly guys, they invest over and over again; they fritter away money on something that doesn't give them even a hint of tangible proof that it has served any purpose."

Whoever reasons like this is a textbook case of optimism bias. "Luck," we could say, is what this person (let's suppose a CEO) and their company have banked on so far. If they hold that posture indefinitely, sooner or later they will likely get a reality check: a big blow that could prove very costly. Investing in cybersecurity pays off, but, as discussed in this post, it can be tricky to make the case for it, both before the investment is approved and after it has been made. (We exclude here those cases in which investment is already mandatory for a company to comply with the requirements of its industry sector.)

Dealing with investment in cybersecurity

Usually, chief information security officers (CISOs) are the ones tasked with persuading the directors or managers of their organizations to invest in security. Before the investment, executives may bombard the CISO with questions about its relevance and estimated returns; after it, with requests for proof that it has been successful. Responding convincingly to all of this is often not a piece of cake.

Here, the typical pre- and post-investment cost-benefit analyses come into play. The latter include, for example, ROI (return on investment). ROI is a performance measure used to determine how efficient or profitable an investment turned out to be. Specifically, it is the ratio of the net return (the return amount minus the investment cost) to the investment cost, so a positive value means the income was greater than the investment. The problem with applying ROI to cybersecurity is that the investment does not produce tangible returns or monetary income of the kind that new product development or marketing campaigns do: there is no revenue line that security "sells," only losses that did not occur.

In this area, it is more appropriate to speak of returns in terms of benefits, which are mainly linked to loss prevention and resource savings. Security, in fact, is more about protecting the ROI that other areas of an organization can achieve. Identifying and analyzing these benefits and comparing them to the investment costs is the usual suggestion for making the case to executives, but it can be a complex undertaking.

Before deciding to invest

Cybersecurity involves all those activities aimed at protecting the IT systems —including infrastructure, operations and data— of an individual or organization against possible risks, threats and attacks. Contributing to that protection is the main benefit a company receives by investing in cybersecurity. You only have to visit the website of a well-known newspaper or magazine that covers technology to find headlines about successful cyberattacks against organizations of all types and sizes around the world. Not all, but many of these victims are organizations that did not invest "enough" in their security, and some may have invested almost nothing at all.

Read the full blog post here: https://fluidattacks.com/blog/justify-investment-in-cybersecurity/
