Features 29.08.2024

Why Cybersecurity Investments Come Too Late

Cybersecurity is often a ‘grudge purchase’ made after a successful cyber attack has damaged a company, rather than before.

Companies are still locking the stable door after the horse has been hacked. Danny Bradbury asks why.

Humankind can do amazing things quickly when motivated by exciting gains (the moon landing and the internet spring to mind). Looming dangers are seemingly less of an incentive for us. That’s why, even though heart disease is a leading cause of death in the UK, nearly two-thirds are overweight, and one in eight still smokes. It’s why global greenhouse gas emissions continue to rise even as temperatures soar.

Cybersecurity is another thing that we tend to ignore until we learn the hard way. Anecdotal and quantitative evidence suggests that we’re still under-investing in this area, even though the risks are increasingly evident. In fact, it’s still often a ‘grudge purchase’ made after a successful cyber attack has damaged a company, rather than before.

“When it comes to cybersecurity, an ounce of prevention is worth many tons of cure,” says Joseph Steinberg, senior policy analyst at the Global Foundation for Cyber Studies and Research, who also lectures on cybersecurity at Columbia University. “Many times, people won’t spend the money on the ounce, so they end up spending on the tons.”

Statistics bear this out. While the market for shiny smartphones now flirts with saturation, there’s still a long way to go before we’ve spent enough on solutions to protect these and other devices. In 2022, McKinsey estimated that the market penetration for cybersecurity solutions had barely reached 10% of its potential.


Companies are still increasing their investments in cybersecurity, but that increase has been modest overall, especially during uncertain economic times. IANS Research found a muted 6% increase in cybersecurity budgets among 550 CISOs in 2023, down from the previous year’s 17%.

To their credit, most companies (90%) increased their budgets proactively, either as a standard annual change (20%) or for other reasons, such as a change in risk appetite, a merger, or a digital transformation project. All these drivers show managers trying to get ahead of attackers before disaster hits. Only 2% of companies forked over extra cybersecurity budget in direct response to a cybersecurity incident.

With that said, some of the largest budget increases were a grudge response to other factors. On average, cybersecurity investments grew 18% when the increase stemmed from a cybersecurity incident. Major industry disruptions, such as a highly publicised breach at another company in the same sector, prompted the biggest average investment increase, at 27%. The latter isn’t exactly a reactive investment, but a sign that companies take action when disaster strikes, especially close to home.

Risk is also growing faster than security budgets, warns Steinberg. Threat volumes are rising, and new attack groups are appearing every year.

The psychology of reactive cybersecurity

Why do some companies focus on knee-jerk reactions after the event rather than measured, proactive investments? Several cognitive biases (common flawed thinking that drives irrational decisions) are in play.

One of these flaws is the normalcy bias: the refusal to plan for a disaster that has never happened to us before. We tend to focus on clear and present threats that we can see happening (we’re not going to make our sales quota this quarter, or our competitor just came out with a better product than ours) rather than those that are only a possibility (there might be a flood someday, or someone might hack us).

Chris Dimitriadis, ISACA’s chief global strategy officer, warns that our inability to evaluate cybersecurity risk exacerbates the problem.


“Too often, threat modelling was considered impractical because it speculated on a scenario not fully understood or believed by management,” he says. “Additionally, there was a reliance on insurance contracts to cover damages as the sole control.”

Insurance is a robust defence against cybersecurity incidents, but it complements rather than replaces preventative cyber-hygiene. In fact, insurers continue to demand effective cybersecurity practices as a prerequisite to shouldering cybersecurity risk. That said, “False information from generalist brokers has made businesses believe, wrongly, that a ridiculous level of cybersecurity is required to secure a policy. That’s just not the case,” says Henry Green, founder and CEO at Assured.

There’s a direct correlation between cybersecurity investment and cyber insurance coverage. A joint survey between ACA Group and the National Society of Compliance Professionals found that while fewer than 20% of companies have no cyber insurance coverage overall, that figure increases to 46% of companies with a cybersecurity budget under $10,000.

Steinberg warns that reactive thinking like this tends to self-propagate because it affects how you design your business and the systems it relies upon. Instead of focusing on security by design, you focus on shorter project deadlines, failing to bring in security teams until later in the project.

“If you’re brought in late, you’re in a reactive mode. You’re not proactively planning to do things in the ideal fashion,” he says, adding that this is by design. “They don’t want the security people to tell them no. They’d rather do it and then have the security people not be able to shut down a production system.”

The importance of cyber insurance before the horse is hacked cannot be overestimated. But Assured’s Green points out that unless your Board or CFO has experienced a cyber incident personally, the concept of loss and risk may remain intangible to them. “A house burning down is tangible, the idea of a cyber attack is not, and many believe that they will be able to turn their tech stack off and on again, or that email being down for a few days won’t cause huge problems. They don’t recognise just how connected businesses are and the gargantuan cost of potential loss. A board member who has been through an incident will have an oversized opinion in favour of cyber insurance purchase, though.”

Once a business invests in cyber insurance, it is unlikely to withdraw that line of defence later, adds Green. “The first decision to buy is always the big one. The first time you invest in that additional bottom line cost is going to be tricky when the immediate return on investment is unclear. The concept of paying for something you hope to never use is a tricky one.”

The path to proactive cybersecurity

So, how do we right the ship and reset our priorities? As with most other underestimated risks, motivating people to action involves a mixture of the carrot and the stick.

Let’s first examine the stick, which tends to be regulatory. Regulators on both sides of the Atlantic are taking cybersecurity seriously. Europe’s GDPR is a case in point, as are the various state-level security and privacy laws in the U.S., along with increased regulatory action by the SEC and the FTC.

“Organisations like banks and government do take the regulations seriously,” says Susan Morrow, head of R&D at Avoco Identity, which offers a suite of APIs for programming identity-based solutions. “Having spent two years with a bank implementing an identity solution, I can attest to this. Governments too are under the cosh to ensure they meet regulations.” However, she adds that small-to-medium enterprises can find those regulations and standards onerous and costly.


Where’s the carrot when it comes to prioritising cybersecurity investment? This discipline has always been a cost centre rather than a revenue generator. The answer might lie in another kind of capital that can indirectly lead to revenue: reputation.

In cybersecurity, this manifests as ‘digital trust’. According to ISACA’s State of Digital Trust 2024 report, 83% of businesses believe this will become more important over the next five years.

Customers are the drivers here, Morrow says. “As consumers have become increasingly aware and suffer from cyber attacks because of [companies’] poor security measures, proactive consumer choice has helped shift the dial,” she explains. “If customers and consumers have choices in who they do business with, they will move if they think they are at risk of harm. It will be the loss of custom that truly focuses efforts on robust cybersecurity strategies.”

The need for trust extends beyond business-to-consumer organisations into the B2B world. “End-customer organisations are increasingly incentivising cybersecurity in their Requests for Proposals (RFPs),” says Dimitriadis. The growing focus on supply chain security, in which businesses are encouraged to scrutinise their suppliers’ security measures, will reinforce this trend.

Companies must show their work to gain that trust, adds Dimitriadis. “79% of the people surveyed recognise that transparency will enable a competitive advantage for an organisation to be more open about its commitment to digital trust,” he explains.


Investing in cybersecurity before disaster hits is sensible, but organisations must know where to put those dollars for maximum effect. The key lies in linking cybersecurity to business objectives in a scientific way, Dimitriadis adds. A risk-based approach will help identify those systems and processes that would affect the business most if they suffered from cybersecurity issues.

Board involvement is still critical in driving these cybersecurity investment decisions, but Steinberg warns that we still need to build board-level teams with the appropriate expertise.

“I think boards are getting better, but we’re not there yet,” he says, adding that boards often look at the wrong cybersecurity statistics with a misguided focus on operations rather than strategy. “At a board level, the problem is that, because this is still relatively new, I see a lot of wrong metrics used that sound really good, but they’re meaningless.” One example he gives is the focus on the number of data breaches an organisation has suffered rather than the impact of each breach.

One eye on the future

As companies grapple with these issues, the pace of technology development is speeding up. This requires an even more intensive focus on proactive security than ever before. Steinberg gives AI (something already here) and quantum supremacy (something still a few years away) as examples here. There are already several frameworks from the likes of Google and the U.S. government for the secure development and use of AI. NIST has also released its first three finalised standards for quantum-proof encryption. The question is, how many companies are taking steps to audit current encryption in their organisations and creating risk-based plans for re-encryption?

Becoming more proactive means convincing management that the invisible benefits (we didn’t get hacked) are important while highlighting the more visible benefits (our customers love us because we’re secure). For many long-suffering senior security staff, that will take a heady mixture of technical know-how and persuasive skill.
