Last week at Black Hat, Las Vegas, a lot of important cybersecurity topics came up. One worth mentioning is that organizations can't replace cybersecurity spending with cyber-insurance. That makes sense to security pros who understand everything risk management entails, but it also makes sense that a CEO would think cyber-insurance can protect the company from financial ruin. It also seems far easier to invest in one thing than to dig into a holistic security posture.
The temptation of quick fixes is something we're all familiar with. Businesses tend to look for a one-stop solution that makes them feel safe while requiring little investment and time on their end.
Interestingly enough, worldwide cybersecurity spending was $75 billion in 2015 and is estimated to reach $101 billion by 2018 (Gartner). Furthermore, research firm Markets and Markets expects the cybersecurity market to hit $170 billion by 2020.
So, organizations are spending on cybersecurity, but where is that spending going? Tying this back to quick fixes, we find that many executives are investing in security technology and cyber-insurance plans. Less spending goes to security training and business continuity plan drills. In our years of helping organizations build solid security programs, we have found a high number of vulnerabilities left unaddressed, most often for lack of knowledge and resources. With the appropriate guidance, these organizations got back on the right track.
It isn't that businesses shouldn't spend on security technology or cyber-insurance; rather, they should be aware that limiting the security budget to these components won't be enough to get ahead of their risks. The reason is that cyber threats evolve and technology can only do so much, not to mention that security products have vulnerabilities of their own.
Advances in technology allow for some security automation, but automation can never replace the expertise of security professionals who can think like a hacker and know what to look for when assessing the vulnerabilities of an organization's physical and network environments.
As for cyber-insurance, even though it may help a business cover some breach costs, it doesn't protect sensitive data. It also doesn't cover all types of breaches, and sometimes the fine print states that it may not cover any cost at all if the organization hasn't taken the security measures needed to be compliant and demonstrate a good security posture.
Running a business requires continuous evolution, especially in an era of transformation. Acknowledging one's weaknesses is okay; that's what experts are for. They fill in for the CEO, CIO or other executive leader in areas that are uncharted waters. It takes teamwork and collaboration to create a solid foundation, and the same holds for an organization's risk management approach.