July 31, 2023 By Doug Bonderud 4 min read


Attack volumes are up, and attackers are finding new ways to compromise corporate security. According to the HackerOne 6th Annual Hacker-Powered Security Report, ethical hackers found 65,000 vulnerabilities in 2022. What’s more, 92% of hackers said they could pinpoint weaknesses that scanning tools missed, making reliance on detection technology alone a dangerous prospect.

At the same time, the costs of a data breach are up. As noted by the IBM 2022 Cost of a Data Breach Report, the average cost of a data breach hit $4.35 million in 2022, up 2.6% from 2021 and 12.7% from 2020. In addition, just 17% of companies said it was their first data breach.

For chief financial officers (CFOs), the increasing impact of data breaches creates a paradox: While more spending is necessary to combat these challenges, this spending isn’t directly tied to profit. Instead, cybersecurity spending is all about return on investment.

Here’s what CFOs need to know about spending to save on security.

Accruing interest? The evolving impact of a data breach

The total cost of a data breach is measured in more than dollars and cents.

Consider a recent piece from The Washington Post, which notes that credit rating agencies are starting to factor in cybersecurity as part of business credit assessments. In other words, poor cybersecurity practices that result in breaches could lead to lower credit scores and impact the ability of a business to secure loans or other funding.

Or look at data from the IBM report, which found that 60% of organizations increased their prices as a result of a data breach. It makes sense: Higher prices could help offset the increased spending that occurs during and after a data breach. Increase prices too much, however, and consumer interest may drop.

Speaking of consumers, they’re less willing to share personal data with companies that suffer data breaches. In fact, 40% of consumers said they “always or often” stopped doing business with companies that couldn’t protect their personal data.

Compliance is also a critical concern. If companies can’t demonstrate due diligence in addressing security threats with effective policies and practices, they may be on the hook for monetary fines or operational penalties.

Understanding and implementing the protective pair model

For CFOs, avoiding the costs of a data breach — from initial spending to compromised credit ratings and falling consumer trust — means spending on security technologies. For these technologies to be effective, however, they must target specific concerns.

This is the core of the protective pair model: pinpointing specific threat(s) and matching them with solution(s) that effectively mitigate the impact. Here are a few examples.

Social Engineering Attacks

Pair with: Zero trust and the principle of least privilege

Social engineering attacks leverage human nature to help hackers compromise key systems. These attacks often combine social reconnaissance with email and website spoofing to convince staff members they should click on links or provide login and password information.

Spending on zero-trust controls can help companies avoid this social sting. At its simplest, that means two-factor authentication (2FA), so that a phished password alone is not enough to log in, combined with behavior-based analysis that flags sessions whose device, location or activity does not match the user. One caveat: codes delivered by SMS or generated by an authenticator app can still be relayed in a real-time phishing attack, so phishing-resistant factors such as FIDO2 security keys close that gap. The principle of least privilege completes the pair by limiting what a compromised account can reach, so a single successful phish does not become a company-wide incident.

Zero-Day Threats

Pair with: Artificial intelligence and automation

AI and automation can help limit the impact of attackers' efforts to exploit previously unknown vulnerabilities. A zero-day has no signature for a conventional scanner to match, so tools that baseline normal behavior and flag deviations from it can surface exploitation that signature-based scanning misses. Automation, meanwhile, shortens the time between detecting such an issue and containing and remediating it.

As noted by the Cost of a Data Breach report, companies using AI and automation saved $3.05 million during a data breach compared to those without these tools and also shortened their breach identification and containment times by 2.5 months.

Increasing Data Breach Costs

Pair with: Hybrid cloud

While 45% of all data breaches happened in the cloud, those in hybrid clouds were less expensive than their public and private counterparts. Consider that in private clouds, the average cost of a data breach was $4.24 million, and in public clouds, this cost rose to $5.02 million. In hybrid clouds, meanwhile, the average cost was just $3.80 million.

Four steps to spending success

A four-step approach can help CFOs find the right security solutions for their companies, and help cyber spending drive sustainable returns.

1. Find Your Weak Spots

First, CFOs need to coordinate with security professionals to pinpoint high-priority weak points. For example, if IT teams discover that the current network infrastructure relies on vulnerable open-source software, spending should target this risk.

2. Understand the Impact

Next, CFOs should understand the scope of impact tied to a successful breach. This can include monetary costs for detection and remediation along with spending to shore up customer confidence, such as paying for credit monitoring or other services that help regain lost trust.

3. Pick the Right Pair

Equipped with priorities and impact assessments, CFOs need to pick the right tools for the job. By targeting a specific security concern, finance officers can make the most of corporate spending and set the stage for further investment.

4. Give Security a Seat at the Table

Finally, CFOs need to advocate for their cybersecurity counterparts to get a seat at the boardroom table. Not only does this make it easier for C-suite members to understand the scope of security issues, but in some cases it is a regulatory requirement.

For example, under New York State Department of Financial Services regulation 23 NYCRR 500, financial services firms with more than 10 employees and $5 million in gross annual revenue must employ a chief information security officer (CISO) or face potential penalties for non-compliance.

Hey, big spender

Given the evolving impact of data breaches on company finances, consumer trust and corporate compliance, increased security spending is a necessity for CFOs.

With the right approach to tools and technologies, however, finance officers can help their organizations save time, money and effort. In other words, cybersecurity spending isn’t simply a single cost: it’s an investment in ongoing success.
