For most companies, analyzing the economics of cybersecurity is elusive—and as many have told us, more of an art than a science. According to our Cybersecurity Imperative study of 1,300 worldwide executives last year, only 29% felt that their cybersecurity metrics were well understood by senior management and the board. About three-quarters were taking active steps to improve these metrics.
One stumbling block is that companies often do not measure the full costs of a cyber-attack. For example, one out of five companies surveyed does not measure reputational or opportunity costs, and another 11% do not measure the productivity losses from disruptions caused by risk events. Far fewer measure the upside of cybersecurity, which can speed up digital transformation, improve competitive positioning, and increase customer retention.
Yet another challenge for CISOs is quantifying what the company's losses would have been without its cybersecurity investment, which requires more sophisticated risk probability formulas. Say your company spends $5 million on cybersecurity in one year and sustains $3 million in losses from cyberattacks that year. At first glance, the ROI may seem negative. But if your company would have suffered $20 million in losses without that investment, then in this example the investment avoided $17 million in losses ($20 million minus the $3 million actually sustained), and your firm would have seen a benefit of $17 million.
With our latest April 2018 cybersecurity pulse survey showing that companies plan to increase their cybersecurity investment by 23% over the next year, CISOs and their management teams need to have more clarity on the metrics of cybersecurity to make sure they make the right decisions and investments. Because of the secrecy around cybersecurity, CISOs across industries have told us that having access to proper benchmarking data is one of the biggest impediments they face.
Filling the data gap
That is why ESI ThoughtLab is teaming up again with Wall Street Journal Pro Cybersecurity and a multidisciplinary group of sponsors and advisors to conduct a rigorous study into the economics of cybersecurity. Our 2019 initiative, Driving Cybersecurity Performance, will fill a wide information gap on the metrics of cybersecurity by gathering much-needed cybersecurity data from 1,000 CISOs across industries, sizes, and regions. This benchmarking data will include:
- Investment levels in people, process, and technology
- Budget allocations across the five NIST Cybersecurity Framework functions: identify, protect, detect, respond, and recover
- Organizational approaches and cybersecurity headcount and resources
- Performance results across a range of cybersecurity metrics
- Full costs of cyberattacks, including both direct and indirect costs, such as reputational and productivity losses
- The estimated ROI on these investments and risk probabilities of cyberattacks
We are now actively seeking sponsors, advisors, and participants for this ground-breaking research initiative. Please get in touch with Barry Rutizer, Corporate Director and Vice President of Client Relationships, if you would like more information on how your organization can get involved.