The price of failure: How budget impacts cyber risk

By Andrew Douthwaite VP Managed Services, VirtualArmour

Historically speaking, the financial ramifications of cyber attacks have been diabolically tricky to pin down. However, due in part to the pronounced spike in cyber attacks over the last few years – a disturbing rise that shows no signs of flagging – both the short and long-term costs are gradually coming into focus. A 2017 study by Centrify and Ponemon pegged the average cost of a data breach at $4 million, the average drop in stock value at 5%, and the average revenue decline at $3.4 million. This is to say little of lawsuits, fines and sanctions, federal investigations, the lasting embarrassment of looking weak and ill prepared, the erosion of consumer trust and employee morale, and – last but not least – of a sullied reputation and brand.

As with the multifaceted threat itself, the regulatory landscape is in a constant state of flux. Further, new platforms and devices are frequently entering the market, introducing new potential ports of entry for perpetrators. Long story short, it can prove extremely difficult to stay up to date with the ever-multiplying vulnerabilities, from shifts and overlaps in oversight, to changing laws and legislation, the various ways in which physical and digital security systems interact, much less essential updates and upgrades to software and hardware. Implementing and maintaining a robust, up-to-date cyber-security system can be a complex, all-consuming task.

While cyber security was traditionally relegated to the IT silo, given the potential consequences of a poorly conceived, implemented, and managed system, there has been increased pressure on C-suite managers to get more engaged with this aspect of their business. And cyber-security is certainly being taken more seriously, at least on the surface. Many C-suite managers have declared cyber-security a, if not the, chief concern, with spending expected to exceed $1T over the next four years. That sounds like a lot, until you dig a little deeper. First, $1T represents a miserly 1% of revenue per year. Second, damages related to cyber-attacks are predicted to soar to $6T per annum over the same period. Damages, in other words, are on track to outstrip costs by a factor of 24:1.

Given the potential financial repercussions of cyber-attacks, not to mention the sensitive and/or proprietary nature of the assets that are typically targeted, vigilance and preparation are particularly pressing when it comes to the CFO. On one hand, CFOs often work directly with the material that may be most enticing to hackers. As such, it falls to them to know the value that these assets might have to thieves, and to ensure they’re properly secured. On the other, the CFO must also ensure that budgeting for cyber-security accurately reflects the risk. As the financial fallout from cyber-attacks has escalated, prestige publications from Harvard Business Review to Forbes have run articles advocating for greater CFO engagement with cyber-security issues moving forward. “Cyber-security is typically in the top five risks of a corporation, and a key aspect of a CFO’s role is to help manage that risk,” says Steffan Tomlinson, CFO of Palo Alto Networks, before promoting “a prevention-first mindset.”

Front-end investment in prevention (from analytics and anticipation, to scenario rehearsals), and back-end expenditures on threat management and mitigation (disclosure and communication with employees and customers), pay huge dividends. But though they’re clearly cost-effective over the long run, robust preventative security systems don’t necessarily come cheap. The key question, from a budget perspective, is how can a given business allocate and spend money on cyber-security in the smartest way possible?

As noted, the average cyber-security budget, at 1% of revenue, is already severely underfunded. Making matters worse, businesses are either keeping spending flat or even cutting their already paltry cyber-security budgets, sometimes by upwards of 10%. This could be perceived as a course correction after decades of IT spending increases across most sectors – as information technology and devices have become the center of gravity around which our daily lives orbit, so too have our digital ecosystems grown increasingly pricey to protect. However, just because IT constitutes an already exorbitant line item doesn’t mean that there’s ample money being spent on security.

While it may sound heretical to suggest, the number one task of a responsible CFO – ideally working in tandem with IT teams and specialists to devise and propose the best possible plan – is to push boards to increase cyber-security spending, while simultaneously seeking out creative ways to maximize coverage. To this end, a comprehensive appraisal of the differences between addressing cyber-security internally, versus outsourcing to third-party firms, is essential.

Some issues worth considering here are the cost of purchasing hardware and software, salaries and training, and maintenance and monitoring. While relying on an in-house IT division has obvious allures, the omnipresence of cyber-security threats can place an undue burden on already overtaxed and underfunded teams. As such, recruitment and retention of qualified IT staff has been an ongoing issue for many companies, with demand often outstripping supply.

Other businesses are choosing to outsource cyber-security to Managed Services Providers offering customized security packages tailored to the unique needs of different organizations. Some of the advantages of hiring MSPs – guaranteed response times, and 24-7 security oversight (such as monitoring systems for anomalous behavior) – are above and beyond what a typical in-house IT division can reasonably offer.

Whatever option one runs with, it must be acknowledged that cyber-security is in no way an IT issue exclusively. Much of the fallout resulting from a breach – company-wide coordination and media messaging, for example – falls outside the purview of an IT team. To this end, it is crucial that cyber-security be made a company-wide concern, and that managers on every rung participate in fostering a culture of security that encourages and supports collaboration between all employees.

The crucial task, particularly where the CFO is concerned, is to adequately fund security and maximize coverage while simultaneously accounting for cost. There are pros and cons to maintaining a fortified stable of in-house IT specialists versus outsourcing options, such as third-party MSPs. But whichever security route a company decides to take, the most forward-thinking technical managers and CFOs are already booted up and prepared for the trek. Are you?