Generating ROI from cybersecurity
The threat of ransomware, in particular, is alarming boards. Now, then, is the ideal moment for CIOs and CISOs to demonstrate how greater cybersecurity investment – including in automation solutions and trusted third parties – will minimise risk, drive a cyber-aware culture, and enable innovation
Stephen Graham, IT service director, Biffa
Amanda Hamilton, CIO, City and County Healthcare Group
Jonathan Hope, senior technology evangelist, Sophos
Anna-Lisa Miller, group CISO, Spectris
Graham Thomson, CISO, Irwin Mitchell
Derek Winskill, CIO, TT Electronics
What does the cyber threat landscape look like in 2022, and how can CISOs and CIOs become enablers?
JH Ransomware is the most prominent cybersecurity topic at the moment. Sophos’ research shows that while the number of ransomware incidents is dropping, the severity of those cases is increasing. We found 37% of organisations in the UK were hit by ransomware at least once in 2021. Of those attacks, 54% were not just hit by ransomware, but the cybercriminals successfully managed to encrypt their data.
DW The board certainly thinks ransomware is the number-one cyber threat, but there are others. We have a range of customers – from aerospace and defence sectors to medical device innovators – so we need appropriate levels of cybersecurity. However, working at the extreme end of security means we can dial it up as required, and it improves the overall awareness and capability, which assures the board and customers.
AH We have a highly mobilised workforce, so moving to the cloud and having data quickly dragged into a secure environment massively reduces the attack surface. There should be a healthy tension between CISOs and CIOs. The value we provide to our customers – patients – must be weighed up against protecting personal information. The relationship must be strong and the conversation constant. It’s more than agreeing on a framework reviewed every six months. SG Biffa’s cybersecurity is entirely in the cloud, too. It enables us to have a single view of our devices and means we can scale at will. Operating in the cloud makes it easier to have multiple backups of network data, protecting us against ransomware and other threats. But our biggest challenge is the behaviours and abilities of the end-user, so increasing education is critical.
ALM The threat landscape is constantly evolving, so you need to cover as many bases as possible – and that includes thinking holistically about your supply chain. The most crucial thing is to understand why you might be a target, who is most likely to attack you and why. It’s also important to remember, especially with geopolitical tensions, that there is a risk of becoming collateral damage in an unexpected way.
GT The IBM Cost of a Data Breach 2021 report, published in December, showed ransomware is the top threat by operational impact and factored in 7.8% of global breaches last year. For UK businesses, ransomware incidents cost an average of £1.5m. It’s worth noting, though, that the most common breaches are from logins with stolen passwords – 1.5% of all login credentials globally have been compromised, according to Google. But it’s simple to mitigate most of this risk just by activating multi-factor authentications on all online accounts. We have a vested interest in helping our suppliers as well as clients with cyber hygiene.
To better manage the evolving cyber threat landscape, outsourcing and collaborating are critical – how should these partnerships work?
JH The appetite for businesses to move to an outsourced model is increasing because there are so many things to monitor. If you buy security products from different vendors, it can be time-consuming to look across various dashboards. It makes better sense to invest in cybersecurity where it’s all in one place. The return on investment is giving back your people time.
DW I have a global team spanning Asia, Europe and the United States and don’t have enough cybersecurity resources, so outsource things like threat monitoring, security incident and event logging. This approach has driven innovation, as we can leverage the experience of the expert partners. Automation and artificial intelligence tools are essential – we bin 93% of suspicious emails that come into the organisation before they reach the end-user.
GT Some things are better managed in-house, but you will always need professional help. Security automation with AI and machine learning has been shown to reduce breaches and incidents and, if a breach does occur, cut costs by 80%. Also, it takes a third less time to detect and mitigate incidents with automation in place. Additionally, having zero trust architecture can reduce the cost of the breach by 35%.
AH I don’t have AI experts in my team. So I look for fantastic partners who can bring cutting-edge solutions to the table. A hybrid approach leads to an ROI and interest at the board level because of the reputational protection we can provide by spending X instead of Y.
ALM When you’re outsourcing, it’s vital to consider nurturing a partnership, rather than just chucking a load of risk over the fence to somebody else – because you still own that risk. We are all on the same team, we have shared objectives, and anticipate risks and opportunities together.
SG Unless you’ve written your own antivirus software, you’ve always outsourced. It’s just about working out the right balance. We outsource a lot, rely on controls and patching brought to us by third-party organisations, and knowledge and input from governance bodies.
What are the best ways CIOs and CISOs can gain greater support from the C-suite to reduce cyber risk?
SG Biffa is not a bank, so we don’t need the highest levels of cybersecurity. But we are innovative, and we want to shake hands with our suppliers who can improve our operation. By joining the dots between compliance, our suppliers, and the customers, we can show Biffa is more secure than our competitors, which will gain top-level buy-in.
DW Now, when the organisation is choosing a new location for a factory, we send our head of information security, giving the business an extra layer of protection. This business-focused security operation resonates well with executives. It takes a task off their plate and provides insight into how we are thinking, which gradually helps increase security education and awareness.
AH The days when you had ivory tower IT functions that set all the rules in a command-and-control style are gone. Instead, the technology functions within organisations are massive facilitators, both for change and security. I now look to hire people who, yes, have deep technical skills but also possess strong stakeholder management and business analysis skills so that they can be solvers, not blockers.
GT Ultimately, the ROI on cybersecurity is all about cost avoidance. It’s about not having your company reputation trashed because you can’t keep your house secure, and as a law firm, this is particularly important. To prove the business case, you need to measure the right things and make them understandable for decision-makers.
ALM There are interdependencies between strategy, values, and culture, all reinforced by security. When talking to decision-makers, you have to demonstrate a genuine depth of knowledge and understanding of the business and show how the security strategy fits. You won’t have much time with the board or executive, so distil your messages, but this is where the conversation needs to be.
JH Persuading the board to spend money on security will be a challenge, but everyone now understands the importance of cybersecurity. Using automation technology to free up resources and reduce risk will provide an ROI. As a classic fallback option, if all else fails, you could paint an alternative picture showing the risk of not having adequate cybersecurity and suffering irreparable damage.
For more information, visit sophos.com/en-us