Getting A Return On Cybersecurity Investment

How do you measure what you cannot see? This is the conundrum facing countless businesses as they grapple with the current cybersecurity landscape.

Too often the real value of a cybersecurity tool isn’t realised until a business becomes the victim of a data leak or breach. A successful cyberattack is also the moment when many businesses finally realise that their cybersecurity solutions aren’t up to par, or that they’re lacking focus in a specific area. 

This retroactive approach to cybersecurity is extremely damaging to businesses, so much so that it has prompted the UK government to consider mandating specific cybersecurity objectives for private companies to keep their data and employees safe. Those mandates are yet to materialise, but in 2024 the government did progress its Cyber Governance Code of Practice to help business boards shore up their cyber resilience. Similar efforts are being seen internationally. In the European Union (EU), the updated NIS2 Directive now imposes stricter cybersecurity requirements across industries, requiring companies to report incidents and implement measures to mitigate risks. Meanwhile, the US Securities and Exchange Commission (SEC) has introduced rules obligating publicly traded companies to disclose incidents in a bid to enhance transparency and accountability.

The problem businesses are facing is twofold: How do you select and measure the return on investment of cybersecurity tools, and how do you get buy-in at every level of the business to ensure that cybersecurity is more than just an afterthought? 

The cybersecurity marketplace is a confusing area for businesses. There are more than 5.5 million businesses in the UK, and around 99% of those businesses are classed as SMEs. Among those SMEs, 90% are “microbusinesses” or sole traders. While small businesses and start-ups might have the drive, ambition and agility to move quickly and respond to market demands, they almost always lack the knowledge and experience to effectively implement cybersecurity solutions that align with their objectives.  

In a 2024 survey, Zivver asked 250 security decision makers about their primary security challenges. Nearly half (47%) said they found it difficult to keep up with data security technologies, more than one-third (39%) cited regulation and compliance as a key concern, and 36% said they were concerned about a lack of security awareness and understanding among employees.

This is troubling, particularly when you consider the sheer number of applications, end-points, and distributed workers that businesses now typically deal with.

According to one report, more than 50% of employees have seen the number of collaboration tools in their company increase in the last two years – that opens the door to a lot of potential threat vectors, particularly where outbound threats such as data leaks and human error are concerned. 

Outbound Versus Inbound Threats

Measuring the return on investment for cybersecurity tools is complex, but at least where inbound threats are concerned – external threats where businesses are targeted or impacted – there are some useful KPIs that can be tracked. For instance, a business with integrated cybersecurity might be able to track how many threats were identified on their network in a given period of time and infer the effectiveness of their tools. There will still be challenges associated with communicating or “proving” these benefits to leaders in the boardroom, but it is easier to build a persuasive case. 

That case is more difficult to make when it comes to measures closely associated with stopping outbound threats. Outbound threats refer to instances where sensitive data leaves the business in an unauthorised fashion. Sometimes this is purposeful, such as a disgruntled employee stealing or leaking data, but more often it’s accidental – an erroneously sent email, a laptop left unguarded, or a phishing scam orchestrated by a third party that tricks an employee into revealing sensitive information.

To mitigate outbound threats, businesses need to consider things like employee awareness training, blocking untrusted domains, and intelligently filtering emails. It’s often much harder to gauge the efficacy of these measures, and too often businesses blame the human workers involved rather than the systems or cultures within the business. 

Humans Are Both The Strongest & Weakest Link

Humans are really the last line of defence for an organisation. They can be easily scapegoated as a weak link, but with the right tools and training in place they can easily be turned into the strongest link in an organisation’s defensive chain.

Bridging the gap between users and technology,  is the real key to unlocking cybersecurity returns. 

Take emails as a specific example. 80% of data leaks are caused by employee behaviour, where sensitive data is leaked, lost, or shared with unauthorised individuals. What’s more, two-thirds of organisations impacted by email-based data loss have to cease operations to mitigate the risk and remediate the threat. Organisations can train employees to spot phishing emails and put guidelines in place to ensure that data is only shared between authorised parties, but it’s almost impossible to gauge the ROI of these measures because their influence is qualitative rather than quantitative. But if that same organisation were to add a form of technology into the mix, such as automatic encryption or machine-learning algorithms that can detect sensitive content or attachments and provide a warning before emails are sent, the return on investment becomes clearer. This human-technology bridge can offer metrics such as how many emails are being sent with encrypted information, where potential breaches may be about to occur, and how compliant the company’s email protocols are with its overall security posture. 

This technology can empower humans to become one of the strongest links in the defensive chain, and part of this empowerment is gaining visibility into key metrics so that the efficacy of their cybersecurity strategy can be more accurately measured.

Cybersecurity Isn’t A box Ticking Exercise, It’s A Culture

A big part of measuring the ROI of preventative cybersecurity is getting buy-in from leadership and the vendors themselves. Frank mentions the need for daily maintenance and validation to ensure that a solution is performing as promised and is still up to par. By asking vendors whether they are compliant with ISO 27001 (an international standard that outlines requirements for information security management), Frank argues that businesses are practically 80% there when it comes to selecting a suitable vendor. 

Another key factor is business culture. Too many businesses have a culture that punishes staff for clicking on a fraudulent link or falling victim to a phishing scam. Far from being productive, this only makes it less likely that staff will come forward when a mistake is made, leaving more time for damage to occur and less time for incident management and control. No amount of technology will fix this; it’s vital that businesses create a pro-people culture when it comes to cybersecurity if they are to see any kind of return on their cybersecurity investments.

Organisations should create a baseline of transparency and trust, where employees feel safe in putting their hands up when they’ve made a mistake before they consider investing in supplementary tools to keep their data safe. 

Treating employees as a “risk that needs to be mitigated” is old-hat thinking. Employees shouldn’t be blocked from accessing key information or working efficiently under the guise of “good” security. Instead, IT leaders should pivot toward cybersecurity solutions that can keep data safe without disrupting workflows, monitoring the flow of information and ensuring those that need access have access. 

Viewing employees as a "risk that needs to be mitigated" is an outdated approach and can sometimes be more harmful to organisations.

Employees shouldn’t be restricted from accessing key information or working efficiently under the guise of "good" security. Instead, IT leaders should adopt a right-sized approach to security, tailoring protections based on the specific needs and risks associated with each employee's role.

Moving away from ‘one-size-fits-all’ methodology will ensure that data remains secure without disrupting workflows. By monitoring the flow of information and ensuring that only those who need access have it, organisations can balance robust security with operational efficiency.

Frank Horenberg is Head of IT at Zivver and and Simon Newman is a  Co-Founder of Cyber London

Image:  

You Might Also Read: 

Too Many Tools - Cybersecurity Professionals Feel Out Of Control:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Dark Data Helps Boost Business
Teach Your Children About Safer Cyber Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

GigaOm

GigaOm

GigaOm's mission is to provide enterprises with information and analysis to help them make better decisions about technology.

DeviceLock

DeviceLock

DeviceLock is a leading provider of endpoint device/port control and data leak prevention software.

Cyber Indemnity Solutions (CIS)

Cyber Indemnity Solutions (CIS)

CIS is an InsurTech company focused on licensing innovative cyber risk insurance solutions to the global insurance industry.

CyberVista

CyberVista

CyberVista is a cybersecurity training education and workforce development company. Our mission is to eliminate the skills gap by creating job ready professionals.

DocAuthority

DocAuthority

DocAuthority automatically discovers and accurately identifies unprotected, sensitive documents, enabling a broad yet business-friendly security policy.

NovaTech Automation

NovaTech Automation

NovaTech products and services make the world’s power grids and essential process industries more reliable, efficient, sustainable and secure.

SentryBay

SentryBay

SentryBay is a real-time data security company developing technology for PC, mobile, the cloud and IoT.

CloudMask

CloudMask

CloudMask patent technology provides Dynamic Data Masking (DDM) that masks sensitive data, structured or non-structured, in real-time.

VIPRE Security Group

VIPRE Security Group

VIPRE Security Group is an award-winning global cybersecurity, privacy and data protection company.

OpenZeppelin

OpenZeppelin

OpenZeppelin builds developer tools and performs security audits for distributed systems that power multimillion-dollar economies.

Tyler Technologies

Tyler Technologies

Tyler Technologies is a leading provider of end-to-end information management solutions and services for local governments.

Realsec

Realsec

RealSec is an international company and is a developer of encryption and digital signature systems and Blockchain for the Banking and Methods of Payment sectors, Government and Defense and Multisector

ClearHub

ClearHub

The aim of ClearHub is simple: to give businesses like yours access to the best talent, all screened and technically tested by Clearvision’s expert team.

OccamSec

OccamSec

OccamSec is a leading provider in the world of cybersecurity. We provide accurate, actionable information to reduce risk and enable better informed decisions.

FutureRange

FutureRange

Specialising in IT Managed Services, Cybersecurity and Digital Transformation, FutureRange experts provide professional IT services for clients throughout Ireland and beyond.

Evolve Business Group

Evolve Business Group

Evolve is an independently-owned managed network solutions provider, creating bespoke packages for customers globally since 2005.