The Economics of Cybersecurity

By Paul Lehman


Cybersecurity Risk Management Online Article

For many directors and business executives, cybersecurity spending has long been a mystery. Understanding where to invest, how much to invest and, most importantly, the return on that investment has been largely a guessing game. It is also how cybersecurity has earned the reputation of being a “black hole of spending”—chief information security officers (CISOs) continuously request more budget to stay apace of the constantly changing threat landscape, but there is little clarity around how that budget actually delivers value to a company.

If cybersecurity is a black hole, then it is also expanding rapidly while devouring ever-more money. Gartner projects that spending on cybersecurity products and services will hit $124 billion in 2019, an 8.7 percent year-over-year increase. This dwarfs Gartner’s projected 1.1 percent increase in overall IT spending for 2019.

The Business Consequences Aren’t Always Clear

Much of cybersecurity spending has been on technologies built to identify and mitigate risks—and the tech industry has eagerly fueled this phenomenon: for every new threat, there’s a new technology to deploy and manage. This has created a cost and complexity problem in many enterprises. Organizations have deployed so many technologies to keep up with cyber risks that they struggle to manage it all, which, ironically, can leave companies open to attack when systems are not configured and supervised properly. So today, we see a situation in which all of this spending on cybersecurity technology has not curbed the data breach epidemic, is not reducing enterprise cyber risk, and executive leadership and boards are struggling to understand how cybersecurity investments translate into tangible business benefits.

Bringing Clarity to Cybersecurity  

This situation must change. Organizational competency in cybersecurity impacts everything from customer trust, to competitive position, to implementing innovation and increasing earnings per share. The good news is, it is possible to manage cybersecurity like other business functions. It’s possible to quantify cybersecurity risk, and to understand the investment required to mitigate that risk. And, it’s possible to deliver the financial data required for company leadership to treat cybersecurity for what it is: a potential business driver. The key to all of this is for companies to move away from their technology-centric approach to cybersecurity, and instead adopt a risk-centric approach. Instead of trying to combat every conceivable attack with technology, C-suite executives and boards should develop an enterprise cyber-risk model that identifies and prioritizes what most needs to be protected, from whom it needs to be protected, and what controls are necessary to deliver that protection.

Quantifying Cyber Risk

Once that risk model has been established, organizations can make logical financial decisions around specific assets, focused on four dimensions:

  • Expected Loss—The potential cost of remediation for an IT asset’s compromised security. For example, one could calculate the cost of a customer database breach based on industry data around other organizations’ breach recovery efforts. 

  • Cost of Control—The technology, services, and personnel costs needed to implement and maintain the security control required to protect against an IT asset being compromised.

  • Effectiveness of Control—The benchmark for a control’s ability to keep the asset secure. For example, if industry data shows a control is 95% effective, then that can be factored into calculating the probability for a loss once the control has been implemented.

  • Return on Control—The previous three data points can be used to calculate the overall return on the control. Obviously, the controls with the highest returns are the ones to invest in first.

With this type of return-on-control information, CISOs should be able to secure budgets and staffing when meeting with executives and board members. More importantly, with an economic framework around cybersecurity, executives can begin managing it like they do other business disciplines such as sales, marketing, and product development. Investment decisions can be made based on risk-analysis rather than best guesses, and cyber risk will become a measurable that can be reported to investors and the marketplace. When that happens, markets will reward the organizations that manage cyber risk most effectively and transparently.

Paul Lehman
Paul Lehman is chief information officer at Optiv.