Reality check for CISOs—How secure is your security infrastructure?

CISOs often face a chaotic and confusing landscape when deciding the most efficient and cost-effective way to manage the risks

Sonal Desai
MUMBAI, INDIA: CISOs beware!!!

A new survey commissioned by Juniper Networks and Rand, a nonprofit institution that helps improve policy and decision-making through research and analysis, has revealed startling gaps between investments in cyber security and the actual RoI.

Findings of the survey:

Many security tools have a half-life and lose value: Attackers are constantly developing countermeasures to new detection systems such as sandboxing or antivirus technologies.

This dynamic drives up the amount companies must spend on security technologies to maintain the same level of protection. Rand’s model projects that over 10 years the effectiveness of these technologies that face countermeasures falls by 65 percent. Companies must carefully evaluate the new tools they invest in, choosing those not prone to countermeasures, and focus on improving security management, automation and policy enforcement across the corporate network.

The Internet of Things (IoT) is at a crossroads: According to Rand, IoT will have an impact on overall security costs; however, it’s unclear if it will be positive or negative.

If security technologies and management are properly applied to IoT, companies could actually see savings in the long run. On the other hand, if companies struggle to apply security controls effectively, IoT would increase the losses due to 30 percent more cyber attacks over the next 10 years.

Investing in the workforce leads to fewer costs over time: Companies can benefit greatly from making people-centric security investments, such as technologies that automate security management and processes, advanced security training for employees, and hiring additional security staff.

According to Rand, organizations with very high levels of security diligence are able to curb the costs of managing security risk by 19 percent in the first year and 28 percent by the tenth year when compared to organizations with very low diligence.

There is no one-size-fits-all: Companies are likely not taking the optimal economic strategy with their investments, which should vary greatly from organization to organization based on their size, type of information and the diligence of security staff.

Specifically, Rand found small to medium-sized businesses benefit most from basic tools and policies, while large organizations and high-value targets require investments in a full range of policies and tools given the likelihood that they will be targeted by an advanced attack.

Eliminating software vulnerabilities leads to major cost reductions: According to Rand, one of the most significant security issues that increases the cost to businesses is the number of vulnerabilities in the software and applications being used.

It found that if the frequency of software vulnerabilities could be reduced by half, the overall cost of cyber security to companies would decrease by 25 percent.

What does the report indicate?

The report indicated that though many companies are spending increasing amounts on cyber security tools, they are not confident the investments are actually securing their IT architecture.

It observed that chief information security officers (CISOs) often face a chaotic and confusing landscape when deciding the most efficient and cost-effective way to manage the risks.

What should the CISOs do?

CISOs need a way to better understand the variables that most influence the cost of managing cyber security risk holistically and the different decisions they can make to protect their organizations.

To address this need, Rand developed a heuristic economic model that for the first time maps the major factors and decisions that influence the cost of cyber risk to organizations. In support, Juniper Networks is releasing an interactive economic model, a new tool that provides businesses with general guidance on where they should invest their time and resources and measures they can take to control costs.
