At a time when corporate budgets are already under pressure, companies have faced unprecedented cyber threats since the onset of COVID-19. The rapid acceleration of digital transformation and work-from-home has put unparalleled strain on corporate IT networks, and some of these operational shifts will prove permanent.
For companies that execute well, these transformations offer enormous benefits in efficiency, productivity, and cost savings. The downside is that risk grows as companies’ most valued assets are digitized.
With the increasing business importance of cyber, the security budget is an area of both potential overspend and underspend as C-suites grapple with this expanded set of risks. Two common signs of poorly optimized budgets:
- On average, companies use only about 25 percent of the capabilities of the tools in their security stack, resulting in significant waste and redundancy.
- On average, enterprises run 30 to 70 different security tools and sometimes spend millions of dollars to address a single type of attack. This highlights the need for evidence of each tool’s contribution to the overall security posture: evidence that supports standardizing security controls and retiring technologies that no longer add value.
Enter security validation, a relatively new cyber security concept. It has emerged in response to pressure from boards and C-suites, who demand that CISOs and CFOs together provide hard data on both the effectiveness and the ROI of cyber security spend, measured against prioritized attack types and the company’s overall risk profile. They also want to verify that cyber security investments pay for themselves, which requires articulating and measuring the value lost in successful attacks and relating it to the improvement in effectiveness that cyber security technology delivers.
Security rationalization is a pillar of the security validation approach. It is the allocation of corporate resources toward measures that verifiably improve security posture and lower the growing financial risks associated with poor cyber governance. It is fundamentally about measuring the effectiveness of security programs across technology, people and processes, and it is enabled by security controls validation.
In a world of constrained budgets, validation and rationalization are critical for companies to optimize security spend, decrease the likelihood of suffering a costly business interruption breach, and lower the downside financial risks associated with digital transformations.
Understanding ‘Good’ Versus ‘Poor’ Digital Transformation
An important starting point for the budget conversation is to understand how well or poorly a company is currently managing its security.
It is now possible to assess ‘good’ versus ‘poor’ cyber security in an objective and externally verifiable manner. Intangic, formerly Cyberhedge, uses proprietary data to rate company cyber governance from 5-Star (best) to 1-Star (worst). 1-Star companies combine poor cyber security with significant financial constraints that limit their ability to invest in fixing existing cyber problems. Our data indicates that these companies have a difficult time getting out of this “bad cyber, poor financials” cycle. Why does that matter? Two reasons:
- They have a significantly increased risk of experiencing a substantial attack such as ransomware, and of incurring large financial and market losses as a result.
- The verified ratings serve as an early warning signal for C-suites that vulnerabilities require immediate attention to lower the likelihood of a disruptive and costly attack that creates financial and operational fallout for the company, and any customers that rely upon it.
But companies that deploy Mandiant Security Validation and rationalization are far more likely to avoid 1-Star status and the financial risks that come with it, and this holds true across all industry sectors. Intangic data indicates that companies that take a security controls validation approach through an integrated platform such as Mandiant Security Validation can move from a 1-Star rating to a 2-Star or 3-Star rating, where they are less likely to be breached and to suffer significant financial and market losses.
Executing on this approach requires both an “inside-out” view and an “outside-in” view of cyber performance, along with the financial risks and gains associated with good, average or poor performance.
- Inside-out view: the view from inside the corporate network outward through a security lens: a detailed look at security risks, company tools and controls, and a verifiable view of what is working, what is not, and what can be fixed to better optimize security spend.
- Outside-in view: the view from outside the corporate network inward through a CyFi® (Cyber-Financial) lens. Second-generation data sets, derived entirely from externally verifiable data without any inside network view, combine cyber risk with operational and financial impact on companies. These are the only known assessments mapped to the maximum and most accurate sample size of breach events.
By employing a security rationalization methodology that leverages the inside-out and outside-in views as part of a larger controls validation approach, a company can improve its cyber and financial performance, lowering the likelihood of a costly business interruption. How do we know? The data shows that Mandiant customers consistently score better on Intangic’s CyFi® (Cyber-Financial) metrics.
Ryan Dodd is the founder and CEO of Intangic.