Cybersecurity investments: prioritizing the business case to boards


Over the last 20 years, I’ve heard many company executives and boards of directors say they don’t have budgets for additional cybersecurity. However, once a breach occurs, funding for cybersecurity becomes an immediate business priority. And unfortunately, a majority of organizations will suffer a cyberattack at some point ― the question is at what cost.

Historically, it has been a challenge for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to present the business case for increased cybersecurity investments to board members. But that situation is changing given the startling increase in cyberattacks over the last several years and companies realizing that cybersecurity is not just an information technology (IT) issue but an organizational and business security risk and responsibility.

Recent Gartner research shows that 88% of boards regard cybersecurity as a business risk rather than solely a technical IT problem. Thirteen percent of boards have responded to this by instituting cybersecurity-specific board committees overseen by a dedicated director.

CEOs, C-suite executives, and board members are becoming more educated and engaged in cybersecurity decision-making as they realize that cybercrimes, such as ransomware and phishing, can severely impact operations, revenues, reputations, and potentially the livelihoods of the people and communities they serve.

According to a recent PwC 2022 Global Digital Trust Insights Survey, 69% of organizations predict a rise in cybersecurity spending in 2022 compared to 55% last year. More than a quarter (26%) predict cyber spending hikes of 10% or more in 2022, with over 50% of organizations expecting a surge in reportable incidents in 2022.

It’s my opinion that cybersecurity investments should be prioritized by business outcomes, rather than technology. For greater clarity of cybersecurity threats and impacts on business outcomes, there are several issues that CEOs, C-suite executives, and board members are addressing and assessing collectively with CISOs and CIOs:

1. Gaining full visibility into, and understanding of, the IT environment in order to assess the vulnerability of the organization’s most critical, high-value assets.

2. Prioritizing the criticality of systems and data based on value and risk, by developing a hierarchy of assets ranked on their value to the organization, their costs, and their associated risks. Start with the assets where high value coincides with high risk.

3. Addressing vulnerabilities in the highest-value, highest-risk systems, assets, and data first. Where there are vulnerabilities, threats and attacks will follow. Work through the prioritized vulnerabilities by either mitigating or eliminating each one.

4. Conducting a proactive, disciplined cyber inventory and hygiene program for all assets, systems, devices, and data, so that the organization’s IT infrastructure is continuously recorded and monitored from an aggressive attacker’s perspective.

5. Developing and implementing a well-prepared, well-practiced incident response plan so that damage is minimized when a cyberattack occurs. Understand that there is no such thing as 100% security and that a cyberattack is likely to happen at some time, somewhere in your organization, so be ready with a comprehensive response plan.
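Steps 1 through 3 describe a procedure: inventory the assets, rank them by business value and risk, then remediate the highest-value, highest-risk items first and flag anything the organization cannot see or does not own. The following Python is an added example written for this page, not MGT Technology’s tooling; the asset records, the 1–5 business-value scale, and the exposure and severity weights are constructed assumptions chosen to show how value and likelihood combine into a single remediation order.

```python
"""Risk-based remediation queue over an asset inventory (example code,
not from MGT Technology). Scoring weights and sample assets are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed likelihood weights (assumption, not an industry standard):
# internet exposure and unpatched criticals dominate, matching the idea that
# where vulnerabilities exist, attacks follow.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_WEIGHT = {"internet": 3, "partner": 2, "internal": 1}


@dataclass
class Asset:
    name: str
    owner: Optional[str]                # None = nobody accountable (visibility gap)
    business_value: int                 # 1 (low) .. 5 (mission-critical), set by the business
    exposure: str                       # "internet" | "partner" | "internal"
    vulns: list = field(default_factory=list)   # list of (vuln_id, severity)
    last_inventoried_days: Optional[int] = None  # None = never seen by inventory


def likelihood(asset: Asset) -> int:
    """Attack-likelihood proxy: exposure weight x worst-vulnerability weight.
    An asset with no known vulnerabilities scores 0 and drops out of the queue."""
    if not asset.vulns:
        return 0
    worst = max(SEVERITY_WEIGHT.get(sev, 0) for _, sev in asset.vulns)
    return EXPOSURE_WEIGHT.get(asset.exposure, 1) * worst


def risk_score(asset: Asset) -> int:
    """Step 2: risk = business value x likelihood, so a high-value but
    well-protected asset can rank below a mid-value, exposed one."""
    return asset.business_value * likelihood(asset)


def visibility_gaps(assets, stale_after_days: int = 30):
    """Step 1: assets without an owner or a recent inventory record cannot
    be assessed reliably; report them so the gap is closed, not scored."""
    gaps = []
    for a in assets:
        reasons = []
        if a.owner is None:
            reasons.append("no owner")
        if a.last_inventoried_days is None:
            reasons.append("never inventoried")
        elif a.last_inventoried_days > stale_after_days:
            reasons.append(f"stale inventory ({a.last_inventoried_days}d)")
        if reasons:
            gaps.append((a.name, reasons))
    return gaps


def remediation_queue(assets):
    """Step 3: highest risk first; ties broken by business value."""
    return sorted(
        (a for a in assets if risk_score(a) > 0),
        key=lambda a: (risk_score(a), a.business_value),
        reverse=True,
    )


def prioritized_names(assets):
    """Convenience: ordered asset names, e.g. for a board-level summary."""
    return [a.name for a in remediation_queue(assets)]


# Constructed sample inventory (hypothetical assets and vulnerability ids).
SAMPLE_INVENTORY = [
    Asset("billing-db", "finance", 5, "internal", [("VULN-A", "high")], 7),
    Asset("public-web", "marketing", 3, "internet",
          [("VULN-B", "critical"), ("VULN-C", "low")], 2),
    Asset("hr-portal", "hr", 4, "partner", [("VULN-D", "medium")], 45),
    Asset("old-fileshare", None, 2, "internal", [("VULN-E", "critical")], None),
    Asset("dev-wiki", "eng", 1, "internal", [], 1),
]

if __name__ == "__main__":
    for gap, reasons in visibility_gaps(SAMPLE_INVENTORY):
        print(f"visibility gap: {gap}: {', '.join(reasons)}")
    for a in remediation_queue(SAMPLE_INVENTORY):
        print(f"{risk_score(a):3d}  {a.name}")
```

With the sample data the queue is public-web, hr-portal, billing-db, old-fileshare: the mission-critical billing database is not first, because its lower exposure reduces likelihood, which is exactly the value-commensurate-with-risk balance step 2 calls for. The two visibility gaps (a stale record for hr-portal and an unowned, never-inventoried file share) are reported separately, since a score computed over incomplete inventory data is not one a board should act on.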

Secure experienced, battle-tested cybersecurity support

In small-to-medium-size businesses and organizations without a large cybersecurity team in-house, security may be a shared responsibility between two jobs or two departments. That’s why many state and local agencies, schools, healthcare organizations, and businesses partner with MGT Technology to provide comprehensive cybersecurity assessments and Managed Detection and Response (MDR) incident response services. These organizations want and need enterprise-level security expertise 24/7/365 based on the increased cyber threats targeted at state and local government, education, healthcare, and critical infrastructure.

MGT Technology’s mission is to drive social impact and improve lives by working with state and local government and education (SLED), public agencies, healthcare organizations, and businesses to increase resiliency to cyberattacks and protect the people they serve. From our experience in these markets, we help organizations understand and proactively detect and defend against the techniques, tactics, tools, and tell-tale signs of attackers in these specific environments.

MGT 24×7 MDR has successfully partnered with thousands of clients in the public and private sectors to protect and defend their environments ― from the data center to remote locations. We can help you. For more information about how MGT Technology can assist, please fill out the form below.

Posted on November 3, 2022
