
Investment in organisational cyber security is very much a preventative measure, intended to prevent, or at least reduce the likelihood of, a cyber security incident. Investing to reduce a probability is problematic.
The ideal is always that no cyber incidents occur, that is, no threat succeeds in having an impact on the organisation. However, as we project further into the future, the likelihood of an incident can only increase in line with the unpredictability of future events. Entropy is clearly at play.
In the worst-case scenario, an incident happens and there is an impact on the organisation. In this case we know that our current solutions and the related investment have been insufficient. I note this is not to say that we need to spend more following an incident, although I suspect this will be the trend; rather that what has been spent has not delivered the outcomes we wished for and has not helped to prevent an incident. It may be that we need to spend on different things going forward, but the expenditure to date has been ineffective.
The issue with all of this is that our current setup is fine until it isn’t. We can be happy with our current investment until an incident reveals that it is ineffective, but we don’t want this to occur. How do we therefore decide on an investment which is appropriate to the organisation, without waiting for incidents to prove what we have is ineffective? And at the same time, how can we avoid spending excessive amounts on cyber security, which would draw funds away from the organisation’s core business, assuming the core business isn’t cyber security itself?
I have always believed in taking a risk-based view. We need to first identify the risks which we believe exist, the likelihood they will occur and the impact they would have on the organisation should they happen. From this we can start to consider the amount of investment we might apply to mitigation measures, to cyber security, in relation to the risk. So, a risk with a potential impact of £500,000 which is considered low likelihood might merit a £10,000 investment annually but is unlikely to merit £400,000. If the risk impacts a business-critical system, it might merit more investment than a risk impacting a low business value system.
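To make the comparison above concrete, here is an added example (mine, not part of the original post) that applies the commonly used annualised loss expectancy (ALE) framing, which the post does not itself name, to the post's own figures: a £500,000 impact, a "low" likelihood, and a choice between spending £10,000 and £400,000 a year. The 5% annual likelihood, the effectiveness of each control and the control names are assumptions made for illustration; the sensitivity function shows how much the answer moves when the subjective likelihood estimate changes.

```python
"""Added illustration of a risk-based spend comparison using the
annualised loss expectancy (ALE) framing.  Figures from the post:
impact 500,000 GBP, "low" likelihood, 10,000 vs 400,000 GBP per year.
Likelihood (5%) and control effectiveness values are assumed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact_gbp: float          # loss if the incident occurs once (single loss expectancy)
    annual_likelihood: float   # estimated occurrences per year, 0..1 (a subjective judgement)

    def ale(self) -> float:
        """Expected loss per year with no additional control in place."""
        return self.impact_gbp * self.annual_likelihood


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_gbp: float
    likelihood_reduction: float  # fraction of the annual likelihood removed, 0..1 (assumed)


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains once the control is applied."""
    return risk.impact_gbp * risk.annual_likelihood * (1.0 - control.likelihood_reduction)


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year.
    A negative value means the spend exceeds the expected loss it removes."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost_gbp


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: net benefit as a multiple of the cost."""
    return net_benefit(risk, control) / control.annual_cost_gbp


def sensitivity(risk: Risk, control: Control, likelihoods) -> dict:
    """Re-run the comparison for several likelihood estimates.  Because the
    likelihood is a judgement rather than a measurement, this is the number
    a reviewer should challenge before accepting the recommendation."""
    return {
        p: net_benefit(Risk(risk.name, risk.impact_gbp, p), control)
        for p in likelihoods
    }


# Constructed scenario using the post's figures; likelihood and effectiveness assumed.
RISK = Risk("loss of a business system", impact_gbp=500_000, annual_likelihood=0.05)
MODEST = Control("modest control (assumed 80% effective)", 10_000, 0.80)
EXPENSIVE = Control("expensive control (assumed 95% effective)", 400_000, 0.95)

if __name__ == "__main__":
    print(f"ALE without new control: {RISK.ale():,.0f} GBP/year")
    for control in (MODEST, EXPENSIVE):
        print(f"{control.name}: net benefit {net_benefit(RISK, control):,.0f} GBP/year, "
              f"ROSI {rosi(RISK, control):.2f}")
    for p, benefit in sensitivity(RISK, MODEST, [0.01, 0.05, 0.20]).items():
        print(f"likelihood {p:.0%}: net benefit of modest control {benefit:,.0f} GBP/year")
```

Run as a script, it shows the £10,000 control paying for itself at the assumed 5% likelihood while the £400,000 control removes far less expected loss than it costs; the sensitivity loop also shows the modest control turning negative if the likelihood is really 1% a year, which is exactly why the estimate, not the arithmetic, is where the judgement lies.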
The above isn’t a science, sadly; there is no magic Return on Investment (ROI) formula. It is all based on subjective judgements, hopefully based on experience and hopefully backed up by a third party to provide some level of assurance. It also isn’t easy. Whatever amount you invest, there will always be a probability that in the future a single breach will prove it to have been ineffective. Those overseeing cyber security must get it right all the time, while the cyber criminals only need to get it right once. This is why I continue to believe in a “healthy paranoia”.
We need to be concerned, to be paranoid, and to be constantly reviewing the risks, our organisation, the available technologies and threat trends. We also need to be conscious that we cannot know the future with any certainty and can only predict based on what we know now. We need to communicate the decision-making processes and ensure these are understood. In the future our decisions from today may be proved to be wrong; that’s always easy to see in hindsight, but at the moment of decision making, and with the information available, a decision which seemed appropriate at the time was made. We need to balance our paranoia in the interest of our sanity and wellbeing. We need to accept that we won’t always get it right!
Return on investment for cyber security spend, in my view, will always be difficult to demonstrate. If all goes well then everything runs smoothly and no cyber incident occurs, but this doesn’t prove the value of your investment. The future incident may have been brilliantly prevented, or, more likely, it just hasn’t happened yet. Sadly, the only definitive proof is when things go wrong, when an incident proves that your spend on cyber security was ineffective. This is the kind of proof you just don’t want to see.
So, for now I will continue with the difficult decision process in relation to cyber security investment: that fine balance between cyber security and business operations and cost.