Cybersecurity: Prevention is Better than a Cure

Feb 11, 2020By Archis Gore

Few of us would argue with the idea that prevention is better than a cure. It’s a fundamental principle when it comes to our own health and wellbeing. A healthy lifestyle will help protect us from all kinds of bugs, diseases and illnesses. And it’s far less painful or costly tackling a problem before it gets started than having to diagnose and cure it once it’s taken hold.

“Prevention is better than a cure” is also a universal truth when it comes to cybersecurity.

Why? Mostly because the business impact of hacks and data breaches is just so enormous. The global average cost of each data breach is currently around $4 million, and the odds of any organization being compromised within two years is roughly 30%. I agree with Dmitri Alperovitch (Advisory Board Member of the RSA Conference): “The only companies not at risk are those who have nothing worth taking.”

At this point, you may be thinking this blog is solely focused on FUD and scare tactics. Trust me, it’s not. The numbers above are factual and realistic. They take into account everything from reputation damage, lost business, system downtime, customer turnover, legal and compliance fines, recovery costs, and a whole lot more. While large enterprises take the bigger hits, smaller companies struggle with disproportionate losses relative to their size. That means that a data breach can even result in the business failing.  

The conclusion is obvious: cybersecurity simply can’t be ignored or put on the back burner. A comprehensive and effective cyber defense strategy can save a fortune. For that reason alone, it’s an essential investment for every organization.

There is a problem, however. The CFO and other business leaders need to understand the Return on Investment (ROI) metrics before making significant capital investment decisions. Unfortunately, classic ROI is focused on generating more top-line profit, either by increasing revenue or lowering costs. This approach becomes problematic because Cybersecurity is focused on avoiding losses rather than generating greater profit. Quantifying the scale of potential losses can also be complicated. Here’s the normal formula:

Calculating Return on Security Investment (ROSI)

What’s needed is a more appropriate method for measuring and proving the benefits of the cybersecurity spend. That’s where the generally accepted Return on Security Investment (ROSI) equation comes in handy. It looks like this:

In this formula:

  • ALE is the Annual Loss Expectancy. It’s the expected financial loss to your organization due to security incidents if you did nothing.
  • Mitigation ratio is a measure reflecting the effectiveness of a security solution. It’s an estimate of the percentage of threats or attacks that will be blocked.

It’s still going to take some work to establish realistic estimates to include in this calculation. However, armed with this framework, making proposals for board-level approval becomes a whole lot easier. Given the risks involved, it’s obvious that making the right cybersecurity investments is imperative.

My conclusion? It’s not all doom and gloom. While cyberattacks are becoming more sophisticated and frequent, cybersecurity defenses are getting stronger and more innovative.  A comprehensive cybersecurity defense plan must primarily include robust prevention measures, combined with detection and recovery strategies.

Polyverse is totally focused on delivering innovation to the prevention side of this equation. Here are a couple of examples, both of which deliver outstanding ROI results:

  • Polymorphing for Linux stops 100% of zero-day memory day exploits. It stops everything in the code-execution, overflow or memory corruption attack categories.
  • Polyscripting for PHP removes the threat of code injection attacks that have been behind many of the most potent and devastating hacks to date.

If you’re planning on attending the RSA Conference in San Francisco this month and want to know more, why not stop by and talk to Polyverse. You’ll find us at Booth 09 in the Early Stage Expo.

We’ll look forward to seeing you there.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.