The results of the Hiscox Cyber Readiness Report are in, and it appears that seven in 10 organizations currently fail the cybersecurity readiness test.
That's not all: 69 percent of respondents currently see cyberthreats as the top risk to their organizations. Meanwhile, large businesses lose, on average, $1.05 million every year to cybercrime, while midsize businesses lose $578,762 in the same period, and small businesses lose $34,604.
So what does it all mean? For one thing, not nearly enough organizations are prepared to handle the onslaught of cybercrime, and the result is direct monetary harm – not including reputational damages, of course.
Secondly, organizations of all sizes need to be very careful about where they spend their next dollar on cybersecurity. It's promising that, according to the report, nearly 60 percent of respondents intend to increase security spending by 5 percent or more in the year ahead. Nevertheless, throwing money at "the latest and greatest" solutions or managed services won't necessarily yield the desired results.
Cybersecurity is a business problem, and like most business problems, the solution that organizations invest in should be deliberately chosen for its demonstrable ability to generate ROI over time.
More of the wrong technology is a recipe for disaster
The first thing any CISO should look at when considering a security investment is the operational requirement tied to the resource in question. In other words, how much additional time and effort will be required before you actually see value?
When it comes to cybersecurity, the rule of thumb has historically been that more tools means more time spent managing those tools.
For example, deploying a security information and event management (SIEM) system is obviously nonsensical if you lack the in-house security expertise needed to properly configure, tune, and manage it. Simple enough, right?
Consider what happens, though, as you integrate more solutions into your existing SIEM. The volume of log data flowing in continually increases, and it eventually risks reaching a point where there's just too much data, too many alerts and not enough security analysts to deal with them.
In fact, the infamous Target breach of 2013, which compromised 70 million customers' private data, escalated as far as it did because the retailer missed internal alerts. Its $1 million anti-malware system worked and raised the alarm, but the alert wasn't given the attention it needed.
And as anyone who's paid even an iota of attention to hiring trends already knows, the problem isn't as simple as just hiring a few more security analysts. These professionals are in low supply and high demand, and the annual asking price for their full-time services is high and getting higher.
So, like we were saying: Be careful what you pay for. You need technology that will give you more value – technology that, rather than demanding more of your existing security resources, helps you maximize their efficacy.
Less of the right technology, on the other hand, is a fast track to ROI
First, we recommend investing in your people, and not just for the purpose of retaining your security analysts. A great many attacks succeed only because users are manipulated by phishing scams into taking actions that give attackers a way in. Taking time, perhaps just 30 minutes once or twice a month, to impart security best practices to employees can go an incalculably long way toward improving security posture, and at almost no cost.
Next, you'll need to look at your next security investment from your analysts' point of view. They're already inundated with alerts, and that alone increases the risk of false negatives (aka misses) that can harm your organization. So how, then, do you make sure that the only alerts that reach your security analysts are the ones worth their time and expertise?
That brings us to our second key recommendation: Deploy a security automation platform that deeply contextualizes log data to filter out false alarms, and that self-improves based on feedback from your human security analysts. Not only does this make better use of your most valuable existing resource (human expertise), but it also gives you a security investment that appreciates in value.
The longer your security automation platform is in use, the better it gets at weeding out false positives. The better it gets at weeding out false positives, the more analyst attention is left for the alerts that matter, and the better it gets at surfacing the potential false negatives that would otherwise go unnoticed. Over time, this results in self-sustaining, long-term ROI on your security spend – and a holistically enhanced security posture, to boot.
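To make the mechanism described above concrete, here is a small added example (it is not code from the article or from any vendor platform): a toy triage loop that enriches each alert with asset context, suppresses alerts the context explains away, and re-weights future alerts from the same signature-and-context pairing based on analysts' true/false-positive verdicts. The asset inventory, signature names, IP addresses, scoring weights and threshold are all assumptions constructed for the demo.

```python
"""Toy alert-triage loop: context enrichment + noise suppression + analyst feedback.
Added illustration, not from the article. All asset data and alerts are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical asset inventory; in practice this comes from a CMDB or EDR export.
ASSET_CONTEXT = {
    "10.0.0.5": {"role": "domain-controller", "criticality": "high"},
    "10.0.1.22": {"role": "dev-workstation", "criticality": "low"},
    "10.0.2.7": {"role": "vuln-scanner", "criticality": "low", "authorized_scanner": True},
}


@dataclass(frozen=True)
class Alert:
    signature: str
    src: str
    dst: str
    severity: int  # 1..5 as emitted by the detection tool


class Triage:
    """Scores alerts; only those at or above the threshold reach an analyst."""

    def __init__(self, escalate_threshold: float = 4.0):
        self.threshold = escalate_threshold
        # Analyst verdict counts keyed by (signature, src role, dst role)
        self.true_pos = defaultdict(int)
        self.false_pos = defaultdict(int)

    @staticmethod
    def context_key(alert: Alert) -> tuple:
        src = ASSET_CONTEXT.get(alert.src, {})
        dst = ASSET_CONTEXT.get(alert.dst, {})
        return (alert.signature, src.get("role", "unknown"), dst.get("role", "unknown"))

    def feedback_adjustment(self, alert: Alert) -> float:
        """-3 when every past verdict was FP, +3 when every one was TP, 0 with no history.
        The +2 in the denominator (Laplace smoothing) stops one verdict swinging the score."""
        tp, fp = self.true_pos[self.context_key(alert)], self.false_pos[self.context_key(alert)]
        return 3.0 * (tp - fp) / (tp + fp + 2)

    def score(self, alert: Alert) -> float:
        src = ASSET_CONTEXT.get(alert.src, {})
        dst = ASSET_CONTEXT.get(alert.dst, {})
        s = float(alert.severity)
        if src.get("authorized_scanner"):  # sanctioned scanner: expected noise
            s -= 3.0
        if dst.get("criticality") == "high":  # crown-jewel target: raise priority
            s += 1.5
        return s + self.feedback_adjustment(alert)

    def route(self, alert: Alert) -> str:
        return "escalate" if self.score(alert) >= self.threshold else "suppress"

    def record_verdict(self, alert: Alert, is_true_positive: bool) -> None:
        """Called when an analyst closes an escalated alert."""
        key = self.context_key(alert)
        if is_true_positive:
            self.true_pos[key] += 1
        else:
            self.false_pos[key] += 1


def run_demo() -> dict:
    """Routes five constructed alerts before and after a round of analyst feedback."""
    t = Triage()
    lateral = Alert("psexec_lateral_movement", "10.0.1.22", "10.0.0.5", 4)
    scan = Alert("port_scan", "10.0.2.7", "10.0.0.5", 3)
    ps_loud = Alert("suspicious_powershell", "10.0.1.22", "10.0.1.22", 4)
    ps_quiet = Alert("suspicious_powershell", "10.0.1.22", "10.0.1.22", 3)
    logins = Alert("failed_login_burst", "10.0.1.22", "10.0.0.5", 4)
    alerts = (lateral, scan, ps_loud, ps_quiet, logins)

    before = {f"{a.signature}/{a.severity}": t.route(a) for a in alerts}
    # Analysts work the escalated queue: the PowerShell hits were real intrusions,
    # the login bursts came from a misconfigured service account.
    for _ in range(3):
        t.record_verdict(ps_loud, True)
    for _ in range(4):
        t.record_verdict(logins, False)
    after = {f"{a.signature}/{a.severity}": t.route(a) for a in alerts}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, routes in run_demo().items():
        print(phase, routes)
```

Two things happen after feedback: the noisy login-burst signature drops below the threshold for that workstation-to-controller context (fewer false positives reaching analysts), and the lower-severity PowerShell alert, previously suppressed, is now escalated because analysts confirmed the same signature in the same context was real (a potential false negative surfaced). Nothing here is learned for the port scan from the sanctioned scanner, because it never reached an analyst; a production platform would also sample a fraction of suppressed alerts for review so that suppression itself stays auditable.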