Chief Information Security Officers are increasingly being tasked with improving cybersecurity while cutting costs.
- Ransomware attacks have increased by 20% in just one year, according to research by Check Point.
- But even as cyber risks rise, Chief Information Security Officers are under pressure to cut costs.
- Here's how they can balance these two pressures by using their tools as effectively as possible while prioritizing innovation.
Cyber risks are growing worldwide, and cyber criminals are now using AI to aid their activities.
Ransomware attacks alone have increased 20% year-over-year, according to Check Point, alongside an increase in the rate and sophistication of these attacks. Today, 86% of business leaders believe that global geopolitical instability is moderately or very likely to lead to a catastrophic cyber event in the next two years.
At the same time, Chief Information Security Officers (CISOs) face mounting pressure to reduce cybersecurity spending amid economic headwinds.
The good news is that, while fiscal prudence is demanding and the expectations it sets can look unrealistic, cybersecurity professionals can achieve more with less.
Cybersecurity: Seven ways to do more with less
Here are seven ways CISOs can reduce cybersecurity spending without compromising security:
1. Optimize existing solutions
Organizations are often licensed for a security capability they have never turned on. Others are running outdated versions and need to upgrade to have all current features available.
Many partners and vendors offer consultation and educational resources to help security professionals fully understand and utilize the capabilities inherent in existing cybersecurity tools. There may be instances where expanded use of one tool could allow CISOs to replace and eliminate another tool, simplifying operations and lowering costs.
2. Review in-sourced and outsourced cybersecurity efforts
Some organizations rely on third parties for specific cybersecurity work, but, despite the obstacles, it may prove less expensive to bring those specialities in-house. Conversely, an enterprise may have a handful of tasks that a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) could handle more cost-effectively. Organizations should run comparative cost analyses of their in-sourced and outsourced cybersecurity efforts.
It is also imperative that organizations build and maintain a strong cybersecurity culture via employee awareness and continuous training. As per the World Economic Forum's 2023 Cybersecurity Outlook, "an organization's cyber capabilities grow with its employees' understanding of cyber risks and their role and responsibility in helping to manage them." Ensuring employees are aware of the latest attacks and how to prevent them is essential.
3. Consolidate cybersecurity tools
Consolidating cybersecurity solutions increases security effectiveness and staff morale, shortens playbooks, reduces training and certification effort and lowers spending. It can also drive revenue. A study by Dimensional Research and Check Point found that 49% of organizations use between six and 40 point security products, while 98% manage their security products through multiple consoles, creating blind spots in visibility.
4. Test and augment resiliency measures
Despite maintaining strong cybersecurity teams, global enterprises continue to suffer highly disruptive cyber incidents. Continued investment in backup capabilities and other cyber disaster recovery measures reduces the cost of a breach when one occurs. Security teams should keep an up-to-date incident response plan and test it quarterly, and they should ensure that every Critical and High vulnerability is either patched or covered by an adequate compensating control.
Should companies need additional budget for this, they can justify the cost by highlighting the potential revenue downside, reputational impact, business outage costs and the risk of under-investing in this part of a cybersecurity plan. Many companies use the FAIR (Factor Analysis of Information Risk) approach to justify security spending.
5. Automate and tune tools
Some tools already have automation capabilities, so CISOs should identify where human effort and time are being wasted and automate those tasks first. For example, a high volume of false positives that consume analyst time or are simply ignored is a sign that something needs to change. According to IBM’s Cost of a Data Breach Report, organizations with fully deployed AI and automation save $3.05 million per data breach compared with organizations that do not use these tools. In other words, enterprises that pursue AI and automation can save as much as 65.2% on breach expenses.
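The false-positive signal described above is easy to measure once analysts record a disposition on each alert. The following is an added illustration, not code from the article or any vendor: it takes alert records in the shape of a typical SIEM export (rule name plus analyst disposition), computes per-rule precision and the share of alerts nobody ever triaged, and lists the rules that deserve tuning first. The alert records, rule names and thresholds are constructed sample values.

```python
"""Find detection rules whose alerts are mostly false positives or go untriaged.

Added illustration, not code from the article or any vendor. The alert
records are constructed sample data in the shape of a SIEM alert export
(rule name plus the analyst's disposition).
"""
from collections import defaultdict

DISPOSITIONS = ("true_positive", "false_positive", "ignored")


def _alerts(rule, tp=0, fp=0, ignored=0):
    """Build constructed alert records for one rule."""
    return ([{"rule": rule, "disposition": "true_positive"}] * tp
            + [{"rule": rule, "disposition": "false_positive"}] * fp
            + [{"rule": rule, "disposition": "ignored"}] * ignored)


# Constructed sample: four rules with very different signal-to-noise ratios.
SAMPLE_ALERTS = (
    _alerts("powershell_encoded_command", tp=2, fp=1)
    + _alerts("scheduled_task_creation", tp=1, fp=9)
    + _alerts("dns_query_to_new_domain", fp=2, ignored=8)
    + _alerts("lateral_movement_psexec", tp=4, fp=1)
)


def rule_stats(alerts):
    """Per-rule volume, disposition counts, precision and ignore rate."""
    counts = defaultdict(lambda: dict.fromkeys(DISPOSITIONS, 0))
    for alert in alerts:
        disposition = alert["disposition"]
        if disposition not in DISPOSITIONS:
            raise ValueError(f"unknown disposition {disposition!r}")
        counts[alert["rule"]][disposition] += 1

    stats = {}
    for rule, c in counts.items():
        total = sum(c.values())
        triaged = c["true_positive"] + c["false_positive"]
        stats[rule] = {
            "total": total,
            **c,
            # Precision is measured over triaged alerts only; None if nobody looked at any.
            "precision": round(c["true_positive"] / triaged, 3) if triaged else None,
            "ignore_rate": round(c["ignored"] / total, 3),
        }
    return stats


def tuning_candidates(alerts, min_alerts=5, max_precision=0.2, max_ignore_rate=0.5):
    """Rules with enough volume to matter that are either noisy or being ignored.

    Returns a list of {"rule", "reason", ...stats}, worst rule first.
    """
    candidates = []
    for rule, s in rule_stats(alerts).items():
        if s["total"] < min_alerts:
            continue  # too little data to judge; revisit once volume grows
        reasons = []
        if s["precision"] is not None and s["precision"] <= max_precision:
            reasons.append(f"precision {s['precision']:.0%}")
        if s["ignore_rate"] >= max_ignore_rate:
            reasons.append(f"{s['ignore_rate']:.0%} of alerts never triaged")
        if reasons:
            candidates.append({"rule": rule, "reason": "; ".join(reasons), **s})
    # Lowest precision first, then the most-ignored rule, then by name for stability.
    candidates.sort(key=lambda c: (c["precision"] if c["precision"] is not None else 1.0,
                                   -c["ignore_rate"], c["rule"]))
    return candidates


if __name__ == "__main__":
    for c in tuning_candidates(SAMPLE_ALERTS):
        print(f"{c['rule']}: {c['total']} alerts, {c['reason']}")
```

Rules with too few alerts are skipped rather than judged, because a three-alert rule with one false positive tells you nothing yet; the thresholds are starting points to adjust to the team's own triage capacity.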
6. Never trust, always verify
Zero Trust is a security model based on the principle of “never trust, always verify.” Applying NIST's Zero Trust framework reduces the risk of breaches because it stops attackers from exploiting excessive permissions and the absence of network segmentation. In some cases, implementing a Zero Trust strategy has delivered a 92% return on investment with a payback period of under six months. Zero Trust can lower the probability of a data breach by as much as 50%. Critically, Zero Trust is a journey and an approach, not a single product.
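The three properties the paragraph names, per-request verification, least privilege and segmentation, can be seen in a minimal policy decision point. The code below is an added illustration, not code from the article or from NIST: every request is evaluated on its own, nothing is granted unless an explicit grant exists, and a resource is reachable only from the segments it is assigned to. The identities, devices, segments and grants are constructed sample values.

```python
"""Per-request, default-deny authorization in the Zero Trust style.

Added illustration (not the article's or NIST's code). Identities, devices,
segments and grants below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # authenticated identity making the request
    mfa_verified: bool      # strong authentication completed for this session
    device_compliant: bool  # endpoint passed posture checks (patched, EDR running)
    source_segment: str     # network segment the request originates from
    resource: str
    action: str


# Explicit, minimal grants: (subject, resource) -> allowed actions.
# Anything absent from this table is denied (least privilege).
GRANTS = {
    ("alice", "payroll-db"): frozenset({"read"}),
    ("svc-backup", "payroll-db"): frozenset({"read"}),
    ("alice", "wiki"): frozenset({"read", "write"}),
}

# Micro-segmentation: each resource is reachable only from the listed segments.
RESOURCE_SEGMENTS = {
    "payroll-db": frozenset({"finance", "backup"}),
    "wiki": frozenset({"finance", "engineering", "backup"}),
}


def authorize(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate one request; network location alone never implies trust."""
    if not req.mfa_verified:
        return False, "identity not strongly verified"
    if not req.device_compliant:
        return False, "device failed posture check"
    allowed_segments = RESOURCE_SEGMENTS.get(req.resource)
    if allowed_segments is None:
        return False, "unknown resource"
    if req.source_segment not in allowed_segments:
        return False, f"segment {req.source_segment!r} may not reach {req.resource!r}"
    actions = GRANTS.get((req.subject, req.resource), frozenset())
    if req.action not in actions:
        return False, "no explicit grant for this action"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest each missing one control.
    samples = [
        AccessRequest("alice", True, True, "finance", "payroll-db", "read"),
        AccessRequest("alice", True, True, "finance", "payroll-db", "write"),
        AccessRequest("alice", True, True, "guest-wifi", "payroll-db", "read"),
        AccessRequest("alice", False, True, "finance", "payroll-db", "read"),
        AccessRequest("bob", True, True, "finance", "payroll-db", "read"),
    ]
    for req in samples:
        decision, reason = authorize(req)
        print(f"{req.subject:>10} {req.action:<5} {req.resource:<10} -> {decision} ({reason})")
```

The order of checks is deliberate: identity and device posture are verified before any resource-specific lookup, so a request never learns whether a resource or grant exists until the requester is trusted enough to ask.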
7. Think prevention-first
Many security tools “detect” rather than “prevent” issues. Given the speed of modern attacks, detection often comes too late: by the time an alert fires, data may already have been exfiltrated or encrypted for extortion, and the business is already harmed. Preventing a disaster is far more cost-effective than responding to one. The average cost of a data breach is $4.35 million, and enterprises in healthcare and finance often incur far higher costs. The ROI of a prevention-first approach should be quantified as the loss the organization avoids by adopting it. When the numbers are crunched, a prevention-first security programme wins the day.
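Item 4 mentions the FAIR approach and item 7 asks for prevention-first ROI to be expressed as avoided loss; one small model serves both. The code below is an added illustration, not the article's code and not the full FAIR ontology: it keeps FAIR's top-level split into Loss Event Frequency (events per year) and Loss Magnitude (cost per event), computes the annualized loss expectancy both analytically and by Monte Carlo simulation, and turns the difference between a baseline and a with-control scenario into a return on security investment. Every parameter (event rate, median loss, spread, control cost and the 60% frequency reduction) is a constructed assumption, not a figure from the article.

```python
"""FAIR-style loss simulation to put a number on avoided loss.

Added illustration, not the article's code and not the full FAIR ontology:
it keeps FAIR's top-level split into Loss Event Frequency (events per year)
and Loss Magnitude (cost per event). All parameters below are constructed
assumptions, not figures from the article.
"""
import math
import random


def expected_annual_loss(lef, lm_median, lm_sigma):
    """Analytic annualized loss expectancy: LEF x mean of a lognormal magnitude."""
    return lef * lm_median * math.exp(lm_sigma ** 2 / 2)


def _poisson(rng, lam):
    """Knuth's algorithm; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(lef, lm_median, lm_sigma, years=20_000, seed=7):
    """One simulated total loss per year: Poisson event count, lognormal cost each."""
    rng = random.Random(seed)
    mu = math.log(lm_median)
    return [sum(rng.lognormvariate(mu, lm_sigma) for _ in range(_poisson(rng, lef)))
            for _ in range(years)]


def percentile(values, q):
    """Empirical q-quantile (e.g. 0.95 for a 'bad year' figure)."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def rosi(baseline_ale, controlled_ale, annual_control_cost):
    """Return on security investment: (avoided loss - control cost) / control cost."""
    return (baseline_ale - controlled_ale - annual_control_cost) / annual_control_cost


def compare(baseline, controlled, annual_control_cost, years=20_000):
    """Compare two (lef, lm_median, lm_sigma) scenarios analytically and by simulation."""
    base_sim = simulate_annual_losses(*baseline, years=years, seed=1)
    ctrl_sim = simulate_annual_losses(*controlled, years=years, seed=2)
    base_mean = sum(base_sim) / years
    ctrl_mean = sum(ctrl_sim) / years
    base_ale = expected_annual_loss(*baseline)
    ctrl_ale = expected_annual_loss(*controlled)
    return {
        "baseline_ale": base_ale,
        "controlled_ale": ctrl_ale,
        "baseline_sim_mean": base_mean,
        "controlled_sim_mean": ctrl_mean,
        "baseline_p95": percentile(base_sim, 0.95),
        "controlled_p95": percentile(ctrl_sim, 0.95),
        "rosi_analytic": rosi(base_ale, ctrl_ale, annual_control_cost),
        "rosi_simulated": rosi(base_mean, ctrl_mean, annual_control_cost),
    }


# Constructed scenario: two loss events per year, median cost 100k with a wide
# spread (sigma 0.8), and a prevention control that cuts the event frequency by
# 60% for 50k per year. Replace with the organization's own estimates.
BASELINE = (2.0, 100_000, 0.8)
WITH_CONTROL = (0.8, 100_000, 0.8)
CONTROL_COST = 50_000

if __name__ == "__main__":
    for name, value in compare(BASELINE, WITH_CONTROL, CONTROL_COST).items():
        print(f"{name:>20}: {value:,.2f}")
```

The analytic and simulated means should agree closely; the simulation earns its keep through the 95th-percentile figures, which show what a bad year looks like with and without the control and are often more persuasive to a budget holder than an average.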
Innovation and opportunity in cybersecurity
Organizations can prepare for slashed cybersecurity budgets and still succeed. Cybersecurity is about innovation and staying a step ahead of cybercriminals, so budget limitations are an opportunity to approach security in new, innovative ways that deliver stronger outcomes.
Strong cybersecurity and resiliency are attainable. By implementing the steps above, building a strong security culture among employees, ensuring good cyber hygiene and processes, and consolidating and optimizing technology solutions, it is possible to do more with less.
The views expressed in this article are those of the author alone and not the World Economic Forum.