Trishneet Arora is the founder and CEO of TAC Security, a San Francisco-based cybersecurity and risk and vulnerability management company.
Global digital transformation spend is expected to reach $1.8 trillion by the end of 2022 and $2.8 trillion by 2025. Digital transformation has the potential to enable organizations to make better decisions faster, based on increasingly accurate data, and to deliver products and services faster and at scale.
But as with all business and technology trends, there is a downside. Digital transformation has also led to a transformation in network risk management. Data is the most important asset of many organizations; indeed, some have called data the new water: both are necessary for survival and must be accessible as well as clean. And as with water, data leakage can be catastrophic. Company data can be found everywhere, for example on mobile phones, in local cloud networks and on USB sticks. Scattered data is often exposed data.
In this new reality of distributed data, companies are experiencing more breaches and breaches are becoming more expensive. An IBM-funded study found that by 2021, 83% of the organizations surveyed had more than one data breach, and the average cost of each breach has risen to $4.35 million, a record high. This increased risk of data breaches translates into more controls IT teams must put in place around people, processes and technology – the costs the organization must bear.
This raises questions: how much should an organization spend on cybersecurity? Should the organization purchase cyber insurance instead? Does it have to be both?
Types of Cyber Security Solutions
At the most basic level, cybersecurity solutions can be classified into three areas: preventive, detective and corrective. Preventive solutions, such as access control and zero trust, lock down a network at risk of a breach. Detective offerings identify breaches as they occur, often allowing IT teams to study the hacker’s strategy, which can yield valuable forensic information. Corrective controls enable organizations to respond to and recover from the breach. Cyber insurance is a corrective solution: coverage comes into effect after a data breach or other attack.
The questions business leaders should ask themselves then become: Should the organization invest in both cybersecurity controls and cyber insurance? If so, how much should it spend and what returns can it expect?
Balancing Your Cyber Risk Management Expenses
The core methodology for creating cyber risk management best practices includes five steps:
1. Creating and Aligning a Risk Philosophy: This starts with identifying the organization’s activities and financial goals, followed by determining the organization’s risk tolerance and creating well-defined risk management goals.
2. Understanding Critical Risks: As hackers get more sophisticated, this can be tricky. IT teams need to identify current risks as well as those that will arise and evolve over time. Teams must then create a risk-impact analysis that quantifies the organization’s exposure.
3. Estimating Risk Costs: This includes quantifying the cost of cybersecurity risk across the organization, identifying and prioritizing both fixed and variable cost recovery initiatives, and creating a roadmap for implementation.
4. Generating Risk Finance Options: To understand risk remediation finance options, organizations need to analyze market options, develop a risk finance strategy, and adapt the organization’s current portfolio to that strategy. It is necessary to spend enough on controls to mitigate the worst cyber risks.
5. Minimizing Ongoing Risk: This final step involves determining pre-loss mitigation, setting post-loss actions, and determining administrative costs.
Some of these steps are more complicated than others. For example, in a large organization, it can be very difficult to quantify all the costs of cyber risk, including business disruption, bitcoin ransom, and brand impact.
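Steps 3 and 4 above (estimating risk costs and generating risk finance options) are easier to reason about with a concrete model. The following is an added illustration written for this article, not the author's or TAC Security's methodology: it compares four financing options (do nothing, controls only, insurance only, both) by expected annual cost, and then applies the risk tolerance from step 1 by ruling out any option whose worst-case retained loss from a single breach exceeds what the organization can absorb. The only figure taken from the article is the $4.35 million average breach cost; the breach probability, control cost and effect, premiums, deductible and coverage limit are constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Figure cited in the article (IBM-funded study): average breach cost, a record high.
ARTICLE_AVG_BREACH_COST = 4_350_000.0


@dataclass(frozen=True)
class Scenario:
    """One risk-financing option: some mix of security controls and cyber insurance."""
    name: str
    breach_probability: float    # assumed annual probability of a costly breach
    breach_cost: float           # assumed cost if that breach happens
    control_cost: float = 0.0    # annual spend on preventive/detective/corrective controls
    premium: float = 0.0         # annual cyber insurance premium
    deductible: float = 0.0      # per-incident loss retained before cover pays out
    coverage_limit: float = 0.0  # maximum insurer payout per incident (0 = uninsured)

    def retained_loss(self) -> float:
        """Worst-case loss the organization bears itself for one breach."""
        if self.coverage_limit <= 0:
            return self.breach_cost
        insured = min(max(self.breach_cost - self.deductible, 0.0), self.coverage_limit)
        return self.breach_cost - insured

    def expected_annual_cost(self) -> float:
        """Fixed spend (controls plus premium) plus probability-weighted retained loss."""
        return self.control_cost + self.premium + self.breach_probability * self.retained_loss()


def build_scenarios() -> Dict[str, Scenario]:
    """Four constructed options; every number except ARTICLE_AVG_BREACH_COST is an assumption."""
    baseline = Scenario("baseline", 0.25, ARTICLE_AVG_BREACH_COST)
    # Controls are assumed to cut both breach likelihood and per-breach cost (faster containment).
    controls = Scenario("controls", 0.10, 2_800_000.0, control_cost=600_000.0)
    # The insurer is assumed to charge a higher premium when no controls are in place.
    insurance = Scenario("insurance", 0.25, ARTICLE_AVG_BREACH_COST,
                         premium=500_000.0, deductible=500_000.0, coverage_limit=2_500_000.0)
    both = Scenario("both", 0.10, 2_800_000.0, control_cost=600_000.0,
                    premium=250_000.0, deductible=500_000.0, coverage_limit=2_500_000.0)
    return {s.name: s for s in (baseline, controls, insurance, both)}


def cheapest_by_expectation(scenarios: Dict[str, Scenario]) -> str:
    """Option with the lowest expected annual cost, ignoring tail risk entirely."""
    return min(scenarios.values(), key=Scenario.expected_annual_cost).name


def cheapest_within_tolerance(scenarios: Dict[str, Scenario], risk_tolerance: float) -> Optional[str]:
    """Cheapest option whose single-incident retained loss stays within the stated risk tolerance."""
    eligible = [s for s in scenarios.values() if s.retained_loss() <= risk_tolerance]
    if not eligible:
        return None
    return min(eligible, key=Scenario.expected_annual_cost).name


def return_on_controls(baseline: Scenario, with_controls: Scenario) -> float:
    """Return on security investment: expected loss avoided minus control cost, per dollar of controls."""
    avoided = (baseline.breach_probability * baseline.retained_loss()
               - with_controls.breach_probability * with_controls.retained_loss())
    return (avoided - with_controls.control_cost) / with_controls.control_cost


if __name__ == "__main__":
    options = build_scenarios()
    for s in options.values():
        print(f"{s.name:10s} expected ${s.expected_annual_cost():>12,.0f}"
              f"  worst-case retained ${s.retained_loss():>12,.0f}")
    print("cheapest by expectation:", cheapest_by_expectation(options))
    print("cheapest within $1M tolerance:", cheapest_within_tolerance(options, 1_000_000.0))
    print(f"ROSI of controls: {return_on_controls(options['baseline'], options['controls']):.1%}")
```

With these assumed inputs, controls alone have the lowest expected annual cost, because a premium is always priced above the insurer's expected payout; insurance earns its keep by capping the tail, so once a $1 million single-incident tolerance is applied, the combined option is the cheapest one that qualifies. Real premiums also depend on which controls are in place, which the model reflects by charging the uncontrolled organization more.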
Strategies to Optimize Cyber Risk Management Financing
Cyber insurance helps soften the blow after an attack, but it does not replace implementing, managing and regularly updating an organization’s cybersecurity infrastructure. (Full disclosure: My company offers cybersecurity solutions, as do many others.)
IT teams need to tackle all layers in the stack to have a chance to fend off hackers. How much the team spends depends on the organization’s risk tolerance. With the mountains of data to analyze even within a medium-sized organization, automation of security controls and processes through frameworks such as Security Orchestration, Automation and Response (SOAR) is necessary.
As data becomes an increasingly important asset for more and more organizations, I see two trends emerging that are likely to accelerate:
1. Organizations focus on strategies to detect data usage patterns that can signal or predict breaches and attacks. They also accelerate the implementation of solutions that quickly contain and mitigate breaches and attacks. The goal is to more quickly identify data usage and business process anomalies, monitor third-party vendor activity, and better prepare for workplace disruptions when they occur.
2. Risk transfer is becoming an increasingly common strategy in organizations. I believe that risk transfer strategies, such as cyber insurance, will be adopted by more organizations in the face of major events such as political unrest, terrorism, more sophisticated cyber-attacks and climate change. As the demand for cyber insurance grows, look to the financial industry to innovate in creating new financial instruments to achieve an organization’s goal of transferring risk and monetizing it.
The question in the past has been: does my business need cybersecurity infrastructure or cyber insurance? The next question will be: how much of both elements does my organization need to address the next generation of threats?