In May, Gartner predicted that global spending on information security and risk management will grow 12.4% to reach $150.4 billion by the end of 2021. The technology research and consulting company said that cloud security would expand 41.2% in that period, with growth partially driven by the ongoing rise of cloud access security brokers (CASBs). It also estimated that integrated risk management (IRM) technology would experience double-digit growth by the end of the year to meet organizations’ ongoing demand for hybrid work security technologies.
Why Is It Important to Invest in Cybersecurity?
By investing in cybersecurity, organizations can first and foremost help to avoid the growing costs of security incidents. Take data breaches as an example. In its Cost of a Data Breach Report 2021, IBM found that the average total cost of a data breach had increased 10% from $3.86 million in 2020 to $4.24 million in 2021. That’s the highest average cost of a data breach in the report’s history.
Organizations can’t always survive paying these data breach costs, either. Such is the case for small- to mid-sized businesses (SMBs) in particular. Indeed, Cybersecurity Ventures wrote that 60% of SMBs go out of business within six months after experiencing a data breach.
Organizations can also use cybersecurity investments to protect their host nation’s critical infrastructure. This traces back to the convergence of Information Technology (IT) and Operational Technology (OT). Malicious actors can use traditional IT threats to exploit that connection so that they can prey on organizations’ OT assets and industrial control systems (ICS). Depending on the nature of the affected assets, such an attack could disrupt features of ordinary life for the public.
That was the case in early May when the Colonial Pipeline Company deactivated the systems responsible for running its pipeline operations after suffering an attack at the hands of the DarkSide Ransomware-as-a-Service (RaaS) operation. As a result, the pipeline didn’t carry its daily haul of 100 million gallons of fuel between Houston, Texas and Linden, New Jersey for nearly a week. This caused fuel shortages and panic buying of gasoline in Virginia, North Carolina, Georgia, Florida, South Carolina, and other states, as reported by Forbes.
Third, investments in cybersecurity can help organizations to protect other entities and individual users. That’s especially pertinent in supply chain attacks like SolarWinds. Digital attackers know that thousands of organizations rely on the same software to power their business operations. By infiltrating the systems of software providers and introducing malware into their update process, malicious actors can use that access to enter an untold number of customer networks. They can then conduct follow-up attacks that prey upon those organizations’ environments and/or that target their individual users.
Finally, organizations can use cybersecurity investments to continue to pursue their evolving business objectives. Take digital transformation as an example. Many organizations are pursuing digital transformation initiatives to evolve their business capabilities, especially following the events of 2020. However, cybersecurity problems can hamper those pursuits. ITSecurityWire noted that some organizations don’t always involve IT security in their digital transformation efforts. CIOs at those organizations said that the resulting misalignment of resources had produced at least one data breach during their digital transformation projects.
Considering these experiences, IT decision makers at other organizations are taking a different approach to digital transformation. CSO wrote that cybersecurity was one of the top concerns for those individuals in their digital transformation efforts. It also specified that cybersecurity was the second biggest investment priority for decision makers, cited by 35% of respondents, just behind the cloud at 37%.
How to Gain Support of Stakeholders for Cybersecurity Investments
When it comes time to ask for budget for cybersecurity investments, IT decision makers need to think about gaining stakeholders’ support. They can’t assume that those individuals will just follow along with whatever they propose. Stakeholders will want at least some input going forward.
This can be an advantage when developing business cases for proposed cybersecurity investments, according to IBM Security Intelligence. Working with stakeholders can help IT decision makers to ground their business cases in the language of the business. If they couple this with risk quantifications, they can present the cybersecurity investments in terms of a cost-benefit analysis to increase their chances of securing buy-in from the C-suite and the board. Lastly, if they receive approval for their investments, they can continue to work with stakeholders to guide, evaluate, and modify their cybersecurity projects accordingly.
Security as a Journey, Not a Destination
Ultimately, cybersecurity needs to be on the agenda all year round because the digital threat landscape is always changing. That’s why it’s important for organizations to regularly review their cybersecurity risk baselines so that they can prioritize their investments.