Why Cybersecurity Investments Fail: The Pitfalls of ROI-Focused Strategies
Uri Levy June 18, 2020
A recent survey conducted by Accenture has revealed that 80 percent of Australian businesses believe that their cybersecurity investments are failing. This shouldn’t be too big a shock: organizations have felt that their cybersecurity tech isn’t up to scratch for a very long time. In many cases, this isn’t an exaggeration. There are fundamental problems with the way that many organizations approach and measure cybersecurity; problems that are being compounded by new cloud services and third-party networks fragmenting the hybrid environment and, more recently, with the move to remote working expanding the size of the attack surface.
The Problem With ROI
For organizations to claim that their cybersecurity strategies are failing, they first need to have an idea of what success looks like. If they’re measuring the success of their cybersecurity program with the same metrics that they do with other parts of the business – like sales, marketing, customer service, etc. – they will end up with distorted perceptions.
ROI is a legitimate concern for all businesses. Any outlay, whether big or small, is made with an understanding that it will eventually pay out. As the need for greater cybersecurity investment increases – 62% of firms have said that they plan to increase cybersecurity spending in 2020 – businesses are naturally going to want to see a return on their investments.
While cybersecurity tools do deliver on ROI, it’s difficult to measure. The financial value that they offer is often rooted in the fines and ransoms that the business hasn’t been subjected to. The failures of any cybersecurity tool are obvious when a business falls victim to an attack, but the success of any preventative measures can go unnoticed. A successful cybersecurity program is a silent one.
Investing in Technology Alone Will Lead to Failure
While this may sound antithetical to fiscal-minded leaders, cybersecurity success shouldn’t be defined by ROI. This is a foundational mindset that needs to inform the motivation behind cybersecurity investments. Businesses need to stop buying technology that solves specific cybersecurity issues – investing in an isolated solution and expecting it will cure their security problems while delivering on profitability is a strategy that’s doomed for failure. Decisions, instead, need to be centered around investing in technology that integrates with the wider security ecosystem and can be used to provide focused protection while addressing the organization’s overarching cybersecurity needs.
Organizations that invest in technology over processes are constantly chasing their tails. The lifespan of development and technology stack cycles is a key factor behind the failure of many cybersecurity programs. We’re operating in a world that is constantly evolving. Look at cloud services – even two years ago, they hadn’t attracted anywhere near the level of attention that they are today. Now, cloud adoption has happened so rapidly that everyone is already moving on to pushing these services and associated cloud workloads to applications. This alone has brought about a whole new breed of cybersecurity issues.
If an organization still chooses to simply invest in point products to address these problems, it is going to find itself stuck in a never-ending cycle and unable to achieve the levels of security that it needs. And by the time the point product is installed – usually after waiting a long time for it to go through production and deployment – it could already be outdated. This short-term view used by many to fix their cybersecurity pains will only ever lead to failure, both in terms of an inability to deliver ROI and of an inability to better secure the organization as a whole.
Build Success by Creating a Security Ecosystem
By switching from reactively investing in point products and focusing instead on developing a scalable and sustainable cybersecurity ecosystem, organizations will be better positioned for success. Developing effective processes may be much harder than making quick-fire technology investments, but when security teams can achieve visibility over their entire hybrid infrastructure, introduce automation that frees up resources to secure new digital transformation initiatives, and actively remediate their most exposed vulnerabilities, then they will create a fully integrated cybersecurity program that is demonstrably successful.
If silence is the measure of cybersecurity success, then noise – attacks, exploits, panic – is the hallmark of failure. The security team must limit this noise so that it doesn’t reach the boardroom. It’s also their responsibility to communicate how well they are performing at keeping out threats and to demonstrate success by being able to support the business’s wider digital transformation goals.
It’s impossible to achieve a fully-secured environment. But getting to a stage where longer-term strategic investments can be made to prevent future spend, reduce the need for unnecessary spend on additional point products, improve security posture and even tangentially increase ROI is fully possible, completely achievable, and wholly necessary.