Getting A Return On Cybersecurity Investment

How do you measure what you cannot see? This is the conundrum facing countless businesses as they grapple with the current cybersecurity landscape.

Too often the real value of a cybersecurity tool isn’t realised until a business becomes the victim of a data leak or breach. A successful cyberattack is also the moment when many businesses finally realise that their cybersecurity solutions aren’t up to par, or that they’re lacking focus in a specific area. 

This retroactive approach to cybersecurity is extremely damaging to businesses, so much so that it has prompted the UK government to consider mandating specific cybersecurity objectives for private companies to keep their data and employees safe. Those mandates are yet to materialise, but in 2024 the government did progress its Cyber Governance Code of Practice to help business boards shore up their cyber resilience. Similar efforts are being seen internationally. In the European Union (EU), the updated NIS2 Directive now imposes stricter cybersecurity requirements across industries, requiring companies to report incidents and implement measures to mitigate risks. Meanwhile, the US Securities and Exchange Commission (SEC) has introduced rules obligating publicly traded companies to disclose incidents in a bid to enhance transparency and accountability.

The problem businesses are facing is twofold: How do you select and measure the return on investment of cybersecurity tools, and how do you get buy-in at every level of the business to ensure that cybersecurity is more than just an afterthought? 

The cybersecurity marketplace is a confusing area for businesses. There are more than 5.5 million businesses in the UK, and around 99% of those businesses are classed as SMEs. Among those SMEs, 90% are “microbusinesses” or sole traders. While small businesses and start-ups might have the drive, ambition and agility to move quickly and respond to market demands, they almost always lack the knowledge and experience to effectively implement cybersecurity solutions that align with their objectives.  

In a 2024 survey, Zivver asked 250 security decision makers about their primary security challenges. Nearly half (47%) said they found it difficult to keep up with data security technologies, more than one-third (39%) cited regulation and compliance as a key concern, and 36% said they were concerned about a lack of security awareness and understanding among employees.

This is troubling, particularly when you consider the sheer number of applications, end-points, and distributed workers that businesses now typically deal with.

According to one report, more than 50% of employees have seen the number of collaboration tools in their company increase in the last two years – that opens the door to a lot of potential threat vectors, particularly where outbound threats such as data leaks and human error are concerned. 

Outbound Versus Inbound Threats

Measuring the return on investment for cybersecurity tools is complex, but at least where inbound threats are concerned – external threats where businesses are targeted or impacted – there are some useful KPIs that can be tracked. For instance, a business with integrated cybersecurity might be able to track how many threats were identified on their network in a given period of time and infer the effectiveness of their tools. There will still be challenges associated with communicating or “proving” these benefits to leaders in the boardroom, but it is easier to build a persuasive case. 

That case is more difficult to make when it comes to measures closely associated with stopping outbound threats. Outbound threats refer to instances where sensitive data leaves the business in an unauthorised fashion. Sometimes this is purposeful, such as a disgruntled employee stealing or leaking data, but more often it’s accidental – an erroneously sent email, a laptop left unguarded, or a phishing scam orchestrated by a third party that tricks an employee into revealing sensitive information.

To mitigate outbound threats, businesses need to consider things like employee awareness training, blocking untrusted domains, and intelligently filtering emails. It’s often much harder to gauge the efficacy of these measures, and too often businesses blame the human workers involved rather than the systems or cultures within the business. 

Humans Are Both The Strongest & Weakest Link

Humans are really the last line of defence for an organisation. They can be easily scapegoated as a weak link, but with the right tools and training in place they can easily be turned into the strongest link in an organisation’s defensive chain.

Bridging the gap between users and technology,  is the real key to unlocking cybersecurity returns. 

Take emails as a specific example. 80% of data leaks are caused by employee behaviour, where sensitive data is leaked, lost, or shared with unauthorised individuals. What’s more, two-thirds of organisations impacted by email-based data loss have to cease operations to mitigate the risk and remediate the threat. Organisations can train employees to spot phishing emails and put guidelines in place to ensure that data is only shared between authorised parties, but it’s almost impossible to gauge the ROI of these measures because their influence is qualitative rather than quantitative. But if that same organisation were to add a form of technology into the mix, such as automatic encryption or machine-learning algorithms that can detect sensitive content or attachments and provide a warning before emails are sent, the return on investment becomes clearer. This human-technology bridge can offer metrics such as how many emails are being sent with encrypted information, where potential breaches may be about to occur, and how compliant the company’s email protocols are with its overall security posture. 

This technology can empower humans to become one of the strongest links in the defensive chain, and part of this empowerment is gaining visibility into key metrics so that the efficacy of their cybersecurity strategy can be more accurately measured.

Cybersecurity Isn’t A box Ticking Exercise, It’s A Culture

A big part of measuring the ROI of preventative cybersecurity is getting buy-in from leadership and the vendors themselves. Frank mentions the need for daily maintenance and validation to ensure that a solution is performing as promised and is still up to par. By asking vendors whether they are compliant with ISO 27001 (an international standard that outlines requirements for information security management), Frank argues that businesses are practically 80% there when it comes to selecting a suitable vendor. 

Another key factor is business culture. Too many businesses have a culture that punishes staff for clicking on a fraudulent link or falling victim to a phishing scam. Far from being productive, this only makes it less likely that staff will come forward when a mistake is made, leaving more time for damage to occur and less time for incident management and control. No amount of technology will fix this; it’s vital that businesses create a pro-people culture when it comes to cybersecurity if they are to see any kind of return on their cybersecurity investments.

Organisations should create a baseline of transparency and trust, where employees feel safe in putting their hands up when they’ve made a mistake before they consider investing in supplementary tools to keep their data safe. 

Treating employees as a “risk that needs to be mitigated” is old-hat thinking. Employees shouldn’t be blocked from accessing key information or working efficiently under the guise of “good” security. Instead, IT leaders should pivot toward cybersecurity solutions that can keep data safe without disrupting workflows, monitoring the flow of information and ensuring those that need access have access. 

Viewing employees as a "risk that needs to be mitigated" is an outdated approach and can sometimes be more harmful to organisations.

Employees shouldn’t be restricted from accessing key information or working efficiently under the guise of "good" security. Instead, IT leaders should adopt a right-sized approach to security, tailoring protections based on the specific needs and risks associated with each employee's role.

Moving away from ‘one-size-fits-all’ methodology will ensure that data remains secure without disrupting workflows. By monitoring the flow of information and ensuring that only those who need access have it, organisations can balance robust security with operational efficiency.

Frank Horenberg is Head of IT at Zivver and and Simon Newman is a  Co-Founder of Cyber London

Image:  

You Might Also Read: 

Too Many Tools - Cybersecurity Professionals Feel Out Of Control:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Dark Data Helps Boost Business
Teach Your Children About Safer Cyber Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ITpreneurs

ITpreneurs

ITpreneurs provides IT training content, Instructors, Learning Infrastructure and services to IT Training providers.

Quality Professionals (Q-Pros)

Quality Professionals (Q-Pros)

QPros are a recognized leader in providing full-cycle software quality assurance and application testing services.

VTT Technical Research Centre of Finland

VTT Technical Research Centre of Finland

VTT is the leading research and technology company in the Nordic countries. Areas of activity include cyber security.

Raz-Lee Security

Raz-Lee Security

Raz-Lee Security is the leading security solution provider for IBM Power i, otherwise known as iSeries or AS/400 servers.

Arcanum Information Security (AIS)

Arcanum Information Security (AIS)

Arcanum Information Security is a specialist Information Assurance Consultancy and a leading provider of Cyber Security services to UK Defence, UK Government, Enterprise businesses and SMEs.

adaware

adaware

adaware is an award-winning security and privacy software provider, empowering users to connect with confidence.

UKAS

UKAS

UKAS is the national accreditation body for the UK. The directory of members provides details of organisations offering certification services for ISO 27001.

Clario Tech

Clario Tech

Clario is a simple, comprehensive, personalized protection app. It comes with a full suite of intelligent security software and intelligent people to help you live a better, safer digital life.

InfoSystems Inc

InfoSystems Inc

InfoSystems provides reliable IT solutions to build and maintain strong and secure systems for both SMB and enterprise organizations.

AlJammaz Technologies

AlJammaz Technologies

AlJammaz Technologies is the leading Technology Value-Added Distributor, which distributes advanced technology products, solutions and services in area including networking and cybersecurity.

Diligent

Diligent

Diligent's SaaS GRC platform gives leaders a connected view of governance, risk, compliance and ESG across their organization.

Sekur Private Data

Sekur Private Data

Sekur Private Data Ltd. is a Cybersecurity and Internet privacy provider of Swiss hosted solutions for secure communications and secure data management.

SektorCERT

SektorCERT

SektorCERT is the cybersecurity center for the critical infrastructure sectors in Denmark. We help detect and handle when critical infrastructure is exposed to cyber attacks.

InnovateHer

InnovateHer

At InnovateHer, our vision is to make the tech sector more equitable, by increasing diversity across the spectrum and creating more inclusive workplaces.

Liverton Security

Liverton Security

Liverton Security is a New Zealand-owned cyber security provider offering consultancy and security-related products to government and commercial customers throughout New Zealand.

Symbiotic Security

Symbiotic Security

Symbiotic Security revolutionizes code security by integrating an AI-driven security coach directly within developers' IDEs.