Few of us would argue with the idea that prevention is better than a cure. It’s a fundamental principle when it comes to our own health and wellbeing. A healthy lifestyle will help protect us from all kinds of bugs, diseases and illnesses. And it’s far less painful or costly tackling a problem before it gets started than having to diagnose and cure it once it’s taken hold.
“Prevention is better than a cure” is also a universal truth when it comes to cybersecurity.
Why? Mostly because the business impact of hacks and data breaches is just so enormous. The global average cost of each data breach is currently around $4 million, and the odds of any organization being compromised within two years is roughly 30%. I agree with Dmitri Alperovitch (Advisory Board Member of the RSA Conference): “The only companies not at risk are those who have nothing worth taking.”
At this point, you may be thinking this blog is solely focused on FUD and scare tactics. Trust me, it’s not. The numbers above are factual and realistic. They take into account everything from reputation damage, lost business, system downtime, customer turnover, legal and compliance fines, recovery costs, and a whole lot more. While large enterprises take the bigger hits, smaller companies struggle with disproportionate losses relative to their size. That means that a data breach can even result in the business failing.
The conclusion is obvious: cybersecurity simply can’t be ignored or put on the back burner. A comprehensive and effective cyber defense strategy can save a fortune. For that reason alone, it’s an essential investment for every organization.
There is a problem, however. The CFO and other business leaders need to understand the Return on Investment (ROI) metrics before making significant capital investment decisions. Unfortunately, classic ROI is focused on generating more top-line profit, either by increasing revenue or lowering costs. This approach becomes problematic because Cybersecurity is focused on avoiding losses rather than generating greater profit. Quantifying the scale of potential losses can also be complicated. Here’s the normal formula:
What’s needed is a more appropriate method for measuring and proving the benefits of the cybersecurity spend. That’s where the generally accepted Return on Security Investment (ROSI) equation comes in handy. It looks like this:
In this formula:
It’s still going to take some work to establish realistic estimates to include in this calculation. However, armed with this framework, making proposals for board-level approval becomes a whole lot easier. Given the risks involved, it’s obvious that making the right cybersecurity investments is imperative.
My conclusion? It’s not all doom and gloom. While cyberattacks are becoming more sophisticated and frequent, cybersecurity defenses are getting stronger and more innovative. A comprehensive cybersecurity defense plan must primarily include robust prevention measures, combined with detection and recovery strategies.
Polyverse is totally focused on delivering innovation to the prevention side of this equation. Here are a couple of examples, both of which deliver outstanding ROI results:
If you’re planning on attending the RSA Conference in San Francisco this month and want to know more, why not stop by and talk to Polyverse. You’ll find us at Booth 09 in the Early Stage Expo.
We’ll look forward to seeing you there.