November 28, 2016
Cybersecurity is an increasing concern in the enterprise as the number of high-profile breaches reported grows each year. In 2015, there were a reported 781 data breaches in the U.S., making it the second highest year for security threats, according to data from ISACA. And 40 percent of those data breaches happened in the business sector.
So it’s no surprise that Business Insider Intelligence reports an estimated $655 billion will be invested in cybersecurity initiatives between 2015 and 2020. However, in 2015, worldwide cybersecurity spending reached only $75.4 billion, according to Gartner, jumping to an estimated $2.77 trillion in 2016. Those numbers suggest that businesses are only just catching on to the importance of cybersecurity in the workplace, but are they too late?
“It’s a constantly evolving complexity, so I think it’s hard and even dangerous to think of it in terms of ‘I need to start now,’ because we’re at this watershed moment. Frankly, if you’re starting now, you’re already way behind,” says Ben DesJardins, director of security solutions at Radware.
Unlike technologies such as switched telephone networks (PSTN), where it “just made sense to wait and jump straight to wireless,” DesJardins says you can’t sit around waiting for the next best solution in cybersecurity to pop up because, “strong security builds upon solid foundations, core policies and processes for data availability, integrity and confidentiality.”
The cost of security
IBM estimates that the average cost of a security breach in 2016 is $4 million – up from $3.8 million in 2015. With massive revenue losses at stake, you might think that businesses are scrambling to invest as much as possible to protect corporate data. However, implementing the technology necessary to protect your business can often be just as expensive as a data breach, especially if you want to do it the right way.
But there’s a catch if you decide to wait longer to establish your corporate security plan, says Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, chair of ISACA’s board of directors and group director of Information Security for INTRALOT. The longer businesses wait to tackle cybersecurity initiatives, the more it will eventually cost them to implement in the future.
“The later cybersecurity is implemented, the higher the cost, especially in technology-intensive industries. Security by design is more cost-effective than security that is patched around systems, especially as far as healthcare data are concerned. Even if one puts aside the liabilities from a breach, the reputational impact to an organization can be enormous,” he says.
Not every business can create an unlimited security budget, like Bank of America did, but businesses are letting a lack of visible ROI and cost get in the way of protecting company assets. Board members must aggressively weigh the pros and cons of any initiatives the company decides to take on, and oftentimes that leaves IT settling for a solution that wasn’t the first choice but is more affordable, says Erica St-Pierre, Managing Director of the Information Technology division at The Execu|Search Group.
“In many instances, CIOs or other executives know exactly what product or solution would be the best fit for their company, but they cannot afford it. Companies have to make tough budgeting choices about existing programs and the overall allocation of funds in order to give cybersecurity initiatives the attention they know they deserve,” she says.