When things go wrong with computer systems and networks, whether due to ordinary mishaps or malicious actors, the organizations that rely on those systems and networks are put at risk. They may suffer direct financial losses, reputational damage or both, with effects ranging from inconvenience to total loss and liquidation of the enterprise.

Understanding these hazards and their consequences is what risk analysis is all about. It may seem obvious, but too many organizations — and even security professionals — have lost sight of the importance of risk management. They are often so focused on efforts to describe security expenditures in terms of return on investment (ROI) that they fail to adequately account for risks. Security ROI computations tend to be meaningless without the proper context of a risk analysis.

The Challenges of Risk Analysis

In most cases, according to Errata Security, organizations “don’t have a sophisticated enough risk matrix in order to plug in some ROI numbers to reduce cost/risk.” Instead, the risk assessment numbers on which an ROI computation is supposedly based are often generated by outside vendors or security engineers with little basis in reality.

This challenge is particularly great because security risks are moving targets driven by malicious actors. In fields such as energy and utilities, where the dominant hazards are accidental mishaps rather than adversaries, risk analysis is comparatively straightforward: failure rates are stable enough to be estimated from engineering experience and operating history.

In contrast, security risks depend on technological considerations, such as potential points of vulnerability, as well as the “whims and fads of the hacker community,” according to Errata Security. Because the technology is rapidly evolving and the ecosystem is deeply layered, risk assessment needs to consider not only vulnerabilities that exist now, but also new ones that may develop in the future.
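To make the "hidden asterisks" concrete, here is an added example (it is not from the original article or from Errata Security) that takes the conventional return-on-security-investment (ROSI) formula and sweeps it across a range of guessed inputs instead of a single point estimate. Every figure is constructed for illustration: the single-loss expectancy (SLE) and annual rate of occurrence (ARO) guesses, the 60% risk reduction attributed to the control and the $60,000 annual control cost are all assumptions, not data from any real assessment.

```python
"""Sensitivity sweep for a security ROI ("ROSI") figure.

Conventional formula (all inputs are estimates):
    ALE  = SLE * ARO                      annualised loss expectancy
    ROSI = (ALE_before - ALE_after - control_cost) / control_cost

Without a risk analysis that pins down SLE and ARO, the sign of the
ROSI can flip inside the range of plausible inputs, which is why a
single ROSI number presented without that context says very little.
"""
from dataclasses import dataclass
from itertools import product
from typing import Iterable

# Constructed guesses for illustration only (not from any real assessment).
SLE_GUESSES = [50_000, 100_000, 250_000, 500_000, 1_000_000]  # dollars per incident
ARO_GUESSES = [0.1, 0.25, 0.5, 1.0, 2.0]                      # incidents per year
RISK_REDUCTION = 0.6      # assumed fraction of ALE the control removes
CONTROL_COST = 60_000     # assumed annual cost of the control, dollars


def ale(sle: float, aro: float) -> float:
    """Annualised loss expectancy: single-loss expectancy * annual rate of occurrence."""
    return sle * aro


def rosi(sle: float, aro: float, risk_reduction: float, control_cost: float) -> float:
    """ROSI for a control that removes `risk_reduction` (0..1) of the ALE
    at an annual cost of `control_cost`. Negative means the control costs
    more per year than the loss it is expected to prevent."""
    before = ale(sle, aro)
    after = before * (1.0 - risk_reduction)
    return (before - after - control_cost) / control_cost


@dataclass(frozen=True)
class Sweep:
    best: float            # highest ROSI anywhere in the input grid
    worst: float           # lowest ROSI anywhere in the input grid
    negative_share: float  # fraction of the grid where the control loses money


def rosi_sweep(sle_values: Iterable[float], aro_values: Iterable[float],
               risk_reduction: float, control_cost: float) -> Sweep:
    """Evaluate ROSI over every (SLE, ARO) pair and summarise the spread."""
    results = [rosi(s, a, risk_reduction, control_cost)
               for s, a in product(sle_values, aro_values)]
    negatives = sum(1 for r in results if r < 0)
    return Sweep(best=max(results), worst=min(results),
                 negative_share=negatives / len(results))


def point_estimate() -> float:
    """The single number a vendor slide would show: the middle of the grid."""
    return rosi(250_000, 0.5, RISK_REDUCTION, CONTROL_COST)


if __name__ == "__main__":
    sweep = rosi_sweep(SLE_GUESSES, ARO_GUESSES, RISK_REDUCTION, CONTROL_COST)
    print(f"point-estimate ROSI : {point_estimate():+.2f}")
    print(f"ROSI across grid    : {sweep.worst:+.2f} .. {sweep.best:+.2f}")
    print(f"control loses money : {sweep.negative_share:.0%} of the grid")
```

With these constructed inputs the point estimate shows a modest positive return, yet the same formula across the grid of equally defensible guesses ranges from a near-total loss to a nineteen-fold return, and the control loses money in 40% of the cases. The arithmetic is not the problem; the inputs are, and only a real risk analysis can narrow them.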

The Architecture of Security

For these interrelated reasons, trying to encapsulate security spending needs in terms of ROI is an artificial exercise. The presentation may sound crisp and businesslike, but it is so full of hidden asterisks that it is essentially meaningless.

So what should guide security professionals and business leaders to help them determine the right level of spending on cybersecurity? Errata recommended thinking about security engineering as analogous to architecture — not computer architecture, but the concrete and steel kind. When designers plan a building, they know they will need to provide a certain number of bathrooms to accommodate the building’s users, a calculation that requires no ROI computation.

Security is not an obscure mystery. We know the basic things we need to do to protect our systems and networks against cyberthreats, and we know how to mitigate the effects of damaging attacks. We need to take action, not seek assurance from fanciful ROI computations.
