CISOs face a 38% increase in cybersecurity costs over the next decade thanks to poor decision-making over where to target key investments, according to non-profit think tank RAND Corporation.
The global policy maker conducted in-depth interviews with CISOs in enterprises with $100m+ in revenue across North America, Europe and APAC, in order to produce its 130-page report, The Defender’s Dilemma: Charting a Course Toward Cybersecurity.
It warned that the threat landscape moves so fast that the effectiveness of security tools can drop by as much as 65% over a decade. It advised that the less glamorous areas of cybersecurity – security management, automation and policy enforcement – deserve the most attention for maximum longer-term ROI.
The internet of things could also be a major drain on resources if security controls aren’t properly applied – with losses rising as much as 30% over a 10-year period.
Costs could be reduced by investing in the people side of the business – with new security hires and advanced training for employees. This could reduce the cost of managing associated risk by 19% in the first year and as much as 28% by the tenth, the report claimed.
Addressing software vulnerabilities effectively would also be a major win for CISOs. Reducing flaws by half could lead to an overall reduction in cybersecurity costs of 25%, said RAND.
“What’s clear is that in order for organizations to turn the tables on attackers, they need to orient their thinking and investments toward managing risks in addition to threats,” argued Steve Jacques, consulting engineer at Juniper Networks, which sponsored the research.
Trey Ford, global security strategist at Rapid7, added that the cybersecurity industry is still maturing.
“CISOs hold an incredibly challenging post, as the title is roughly just 17 years old, and the lessons learned by those in this office are shrouded… due to external and internal NDAs and shareholder concerns,” he argued.
“CISOs are still grasping at how best to report security program performance to the board, and it comes as no surprise that corporate executives are managing the public perception of security and data safety.”
The report’s findings also chime somewhat with those of the PwC Information Security Breaches Survey, launched at Infosecurity Europe 2015 last week.
That found an approximate 10% increase over the last year in the number of UK organizations that have suffered a breach, and an increase in breach costs at the high end for large firms – up from £1.15m to £3.1m.