Security is now a topic on many board meeting agendas. Board members need to understand what threats they face, if they are prepared to stop them, and what additional security investments they need to make to better protect themselves from compromised brand integrity, instances of sensitive data loss, or potential threats. In 2015, in response to cyber risks, respondents to PwC’s Global State of Information Security Survey for 2016 boosted their information security budgets by 24 percent. It is safe to assume that this funding was allocated only after a compelling case was made and a CISO or CIO was able to demonstrate a return on investment.
Increasingly, one of these areas of investment is cyber situational awareness. Struck by the realization that they can no longer rely on traditional security defenses to stop bad actors, many organizations are looking for ways to understand which threats lurk outside of their perimeter. Cyber situational awareness provides the ability to achieve an ‘attacker’s eye view’ of their organization to prevent, detect and contain cyber-related incidents.
There are many products that organizations can turn to in this pursuit: research tools, threat intelligence, social media monitoring, data loss, and dark web monitoring. But demonstrating ROI can be problematic. After all, how can you assign a cost to an incident that never happened? What’s more, costs and returns will differ depending on whether you’re looking at brand protection, data leakage, or cyber threats. But there is a way to go about this. You just need to consider the type of incident.
Brand protection. Monitoring for brand misuse and reputational damage is far from a “nice to have” and has clear financial ramifications – both opportunity costs and real gains. Online mentions or false representations can compromise a brand and negatively impact a potential deal. For example, as discussed in my previous column, when information about a pending merger or acquisition is leaked, the details of the transaction can dramatically change. But also consider the case of a luxury goods retailer whose brand is compromised by online sales of replica products. Cyber situational awareness can help them to provide law enforcement with the insights they need to identify the perpetrator and seize assets, allowing for the courts to award restitution to the retailer. For high-value retailers this can be tens of thousands of dollars.
Data leakage. Monitoring for data leakage can similarly have implications, costs and returns for organizations. Sensitive information leaked online can provide competitors with a commercial advantage. Identifying where data is leaking out and who is looking to exploit this information is particularly valuable. Cyber situational awareness can also help banks to detect when credit card information is being sold on underground forums, launch investigations to find the root cause and freeze the associated accounts and, ultimately, save money lost to fraud. For that matter, any organization can save millions of dollars in data breach costs with visibility into malicious use of its data by monitoring activity across paste and dark web sites. And in the European Union (EU) where European organizations subject to the recent EU General Data Protection Regulation (GDPR) can now face fines of up to 4 percent of global revenue for non-compliance, increased context and insight can help them better mitigate the effects and inform authorities more quickly.
Cyber threats. Finally, detailed information about cyber threats – how they operate and who they target – can save organizations large amounts of money. Think about the wave of recent ransomware attacks. With greater context and insight, organizations that fall prey to such extortion can better understand a threat actor’s tactics, techniques and procedures (TTPs). Based on that information they can determine if they have the right defenses in place and could decide not to pay the ransom. Cyber situational awareness can also allow online retailers take steps to avoid their websites from being taken down by groups targeting retail outlets, as happened over Valentine’s Day. And it can also help organizations monitor for typosquatted domains and determine if attackers are using a domain name similar to theirs to launch attacks and compromise their business.
Each of these examples describes tactical, short-term threat intelligence that can deliver returns. But there is also a strategic element to consider with any investment. If the intelligence helps to create measurable change in an organization’s improved security posture, based on its digital profile and the profile of its attackers, then it has a clear and sustained value. With cyber situational awareness, security professionals can prioritize threat protection and policies based on how the threat environment is evolving and, crucially, how that relates to the organization’s strengths and weaknesses.
As the discussion of cyber security gets elevated to the board room, the need to justify investments will only become more important. By understanding the different types of incidents and the different returns, you can make a strong case for greater cyber situational awareness in the short- and long-term.