How to Prioritize Cybersecurity Spending: A Risk-Based Strategy for the Highest ROI
As an IT leader, staying on top of the latest cybersecurity developments is essential to keeping your organization safe. But with threats coming from all around — and hackers dreaming up new exploits every day — how do you create proactive, agile cybersecurity strategies? And what cybersecurity approach gives you the most bang for your buck, mitigating your risks and maximizing the value of your cybersecurity investments?
Let’s take a closer look at the trends that are impacting organizations today, including the growing reach of data breaches and the increase in cybersecurity spending, and explore how you can get the most out of your cybersecurity resources, effectively securing your digital assets and maintaining your organization’s integrity in the face of ever-evolving cyber threats.
Successful data breaches
In 2022, the number of people affected by data breaches increased significantly. According to the Identity Theft Resource Center’s 2022 Data Breach Report, more than 1,800 data compromises were reported in 2022 — 60 fewer reports than in the previous year — but the number of people impacted by data breaches jumped by a whopping 40% to 422.1 million.
And data breaches can cause real, long-lasting impacts, as proven by some of the most infamous data breaches in history:
- eBay: Hackers stole login credentials for just a few eBay employees and then pulled off a massive data breach that stole the personal information and passwords of more than 145 million users. Experts believe that the hack had ramifications on users outside of eBay — as people tend to reuse passwords on multiple sites, there’s a good chance that hackers were able to access other online services using the stolen credentials.
- Yahoo: In one of the biggest data breaches in history, Yahoo estimated that hackers had compromised over three billion accounts. Although hackers didn’t get passwords, they did gain access to users’ security question answers, increasing the risk of identity theft. The company ultimately paid $35 million in regulatory fines and had to provide nearly 200 million people with credit monitoring services and other restitution valued at $117.5 million.
- Marriott: Hackers were able to spend nearly four years accessing Mariott’s Starwood system, stealing data from more than 500 million hotel customers. Cybercriminals stole everything from customer names and contact info to passport numbers, travel information, and financial information, including credit and debit card numbers and expiration dates. In addition to the massive blow to its reputation and loss of consumer trust, the company faced steep fines, including a £99 million fine from the UK Information Commissioner’s Office (ICO) for violating British citizens’ privacy rights under the GDPR.
Given the escalating scope and impact of data breaches, it’s clear that CISOs and IT teams have their work cut out to ensure their organization is prepared for anything.
Cyber spending trends
Unsurprisingly, with the growing cybersecurity problem, organizations are spending more money to bolster their cybersecurity resources.
Getting the most from your cybersecurity resources
Clearly, there’s no shortage of cybersecurity threats. So, how can an IT professional ensure they are maximizing the value of cybersecurity resources and getting every ounce of protection from cybersecurity investments? A risk-based approach, where you identify and prioritize your greatest vulnerabilities, and correlate threat exposure to business impact, will help protect organizations and optimize spending decisions.
To adopt a risk-based approach, deploy the following strategies:
- Focus on your external attack surface. Your business’ external attack surface includes all of your company’s accessible digital assets — which present an enticing target for bad actors. You can’t fix a problem if you don’t know it exists; use a proven external attack surface management (EASM) solution to regularly scan and monitor your assets for potential security gaps.
- Prioritize protection of end user credentials. As eBay found, gaining access to just a handful of user credentials can effectively give hackers an open-door invite to your network and data. Ensure you provide employees with regular, ongoing security training to help them become more adept at identifying and appropriately responding to cyber risks. Deploy robust identity and access management protocols across your organization. And use a password auditor to ensure that your employees aren’t using passwords that have already been breached or compromised.
- Prioritize vulnerability remediation across your networks and cloud services. Invest in a risk-based vulnerability management solution that will help you prioritize threats based on the highest risks posted (based on likelihood and exploit availability), rather than wasting time and resources on vulnerabilities that pose little threat.
- Integrate a threat intelligence solution. To proactively adapt your organization’s defenses against emerging threats and attack vectors, you should invest in a threat intelligence solution that provides real-time insights into evolving threats to your organization and industry. By focusing your attention (and spending) on high-impact, likely-to-be-exploited vulnerabilities, you can strategically deploy resources to address your most pressing security concerns.
Prioritize a risk-based approach to boost cybersecurity ROI
Today’s digital landscape requires IT pros to prioritize a risk-based approach to cybersecurity, ensuring that your investments address current and future threats. By strategically deploying your organization’s resources — using robust solutions and focusing on high-impact vulnerabilities — you’ll be taking steps to keep your organization safe, maintain your operational integrity, and boost your cybersecurity ROI.