Many companies are spending increasing amounts on cybersecurity tools, but are not confident that these investments are making their infrastructure secure, according to a report from Juniper Networks and RAND.
CISOs need a way to better understand the variables that most influence the cost of managing cybersecurity risk holistically and the different decisions they can make to protect their organizations.
To address this need, RAND developed a heuristic economic model that for the first time maps the major factors and decisions that influence the cost of cyber-risk to organizations.
With RAND’s model projecting the cost to businesses in managing cybersecurity risk set to increase 38% over the next 10 years, Juniper believes that the time is now for organizations to start managing security spending and risk management as a discrete business function.
Juniper Networks believes there are five major factors confirmed by RAND’s model that companies should strongly consider as they evolve their security postures.
First, many security tools have a half-life and lose value. Attackers are constantly developing countermeasures to new detection systems such as sandboxing or anti-virus technologies. RAND’s model projects that over 10 years the effectiveness of these technologies that face countermeasures falls by 65%.
Second, the Internet of Things (IoT) is at a crossroads. RAND’s model suggests that the introduction of IoT would increase the losses that companies experience due to cyberattacks by 30% over the course of 10 years.
Third, investing in the workforce leads to fewer costs over time. Organizations with very high levels of security diligence are able to curb the costs of managing security risk by 19% in the first year and 28% by the tenth year when compared to organizations with very low diligence.
Fourth, there is no one-size-fits-all. Small to medium-sized businesses benefit most from basic tools and policies, while large organizations and high-value targets require investments in a full range of policies and tools.
And fifth, eliminating software vulnerabilities leads to major cost reductions. RAND’s model found that if the frequency of software vulnerabilities could be reduced by half, the overall cost of cybersecurity to companies would decrease by 25%.