Investments in Cybersecurity – Trends and Tips

Whether to comply with legal regulations, to prevent damage, to make processes more efficient or even to create new potential, companies are investing in IT security, and increasingly so. A 2019 study by Bitkom Research and Tata Consulting Services confirms that a significant proportion of companies intend to expand their IT security investments in the near future. According to the Eco IT Security Survey 2022, 54 percent of the German companies surveyed (145 experts from the IT security industry were interviewed) increased their spending on IT security last year (source: In addition, the Federal Criminal Police Office of Germany (BKA) recorded a new peak in cybercrime activity in Germany in its Federal Situation Report Cybercrime 2021. This trend is not limited to Germany but is evident worldwide. In Australia, for example, attempted attacks reached an all-time high in the fourth quarter of 2021, up 13 percent compared to 2020-21. Such an increase in attacks is not cheap: according to RiskIQ’s 2021 Evil Internet Minute Report, cybercrime costs organizations $1.79m every minute! That corresponds to 648 cyber threats per minute.

Spending is rising, but the threats and the resulting costs are rising at the same time. How can this tense security situation be turned to our advantage? How should one approach the question of investing in IT security? This CyberCompare article is intended to provide some inspiration in that direction.


Calculation of profitability

From an economic perspective, IT protection measures serve to reduce the risk associated with operating IT systems. An optimal cost-benefit ratio can be determined using various methods, each of which has its advantages and disadvantages.

The TCO method (Total Cost of Ownership) corresponds to classic cost accounting: the investment costs, consisting of procurement and installation costs as well as operating costs, are added up. This makes alternatives comparable and breaks the costs down transparently. However, possible risks are not considered, and only static values are used.

RoSI (Return on Security Investment), by comparison, not only compares costs and returns but also includes a monetarized risk assessment (amount of damage x probability of occurrence). Its advantage is at the same time its disadvantage: although the security risks are evaluated, that evaluation itself often proves difficult, because the damage amounts and probabilities have to be estimated.

A method that is not specific to IT security and is used in the German federal administration is WiBe (Wirtschaftlichkeitsbetrachtung, economic efficiency analysis), a combination of net present value calculation and utility value analysis. The procedure is clear and future-oriented, but it requires more effort and is currently focused on public authorities.

Another procedure is QUANTSEC (Quantifying Security), a hierarchical procedure model for the objective, continuous and automation-oriented measurement of the benefit of IT security measures. Its focus is on software development, and the analysis is performed downstream; the procedure is also quite complex. Its advantages are the high level of objectivity and transparency and the awareness of issues that comes with them.
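As an added worked example (not from the article or from CyberCompare), the following Python puts the TCO and RoSI views side by side for three hypothetical measures against one constructed risk scenario. The RoSI formula is the common ENISA form (avoided loss minus cost, relative to cost); all names, cost figures, probabilities and mitigation ratios are constructed, and the break-even function makes the "evaluation is difficult" caveat explicit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    procurement: float         # one-off purchase cost (TCO component)
    installation: float        # one-off rollout cost (TCO component)
    operating_per_year: float  # recurring cost (TCO component)
    mitigation_ratio: float    # share of expected loss removed; an estimate in 0..1


def tco(m: Measure, years: int) -> float:
    """Total Cost of Ownership over the planning horizon: static cost figures only."""
    return m.procurement + m.installation + m.operating_per_year * years


def annual_loss_expectancy(damage: float, probability: float) -> float:
    """Monetarised risk: amount of damage x probability of occurrence (per year)."""
    return damage * probability


def rosi(m: Measure, ale: float, years: int) -> float:
    """Return on Security Investment (ENISA form): (avoided loss - cost) / cost."""
    cost = tco(m, years)
    avoided_loss = ale * m.mitigation_ratio * years
    return (avoided_loss - cost) / cost


def break_even_mitigation(m: Measure, ale: float, years: int) -> float:
    """Mitigation ratio at which RoSI is exactly zero: if the real effect is below
    this value, the measure does not pay for itself over the horizon."""
    return tco(m, years) / (ale * years)


def rank(measures, ale: float, years: int, key: str):
    """Order measure names by the chosen metric: TCO ascending or RoSI descending."""
    if key == "tco":
        return [m.name for m in sorted(measures, key=lambda m: tco(m, years))]
    return [m.name for m in sorted(measures, key=lambda m: rosi(m, ale, years), reverse=True)]


# Constructed scenario: one ransomware outage costs 500,000 and has a 10 % yearly probability.
ALE = annual_loss_expectancy(damage=500_000, probability=0.10)  # 50,000 per year
YEARS = 3
MEASURES = [  # constructed, hypothetical measures
    Measure("offline backups", 20_000, 5_000, 5_000, 0.60),
    Measure("endpoint detection", 0, 10_000, 30_000, 0.80),
    Measure("awareness training", 0, 2_000, 8_000, 0.30),
]

if __name__ == "__main__":
    for m in MEASURES:
        print(f"{m.name:20s} TCO={tco(m, YEARS):>9,.0f}  RoSI={rosi(m, ALE, YEARS):+.2f}"
              f"  break-even mitigation={break_even_mitigation(m, ALE, YEARS):.2f}")
    print("cheapest by TCO:", rank(MEASURES, ALE, YEARS, "tco"))
    print("best by RoSI   :", rank(MEASURES, ALE, YEARS, "rosi"))
```

The two rankings disagree: the cheapest measure by TCO is not the one with the best RoSI, and the break-even column shows how much estimation error each RoSI figure can absorb.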

To use investments efficiently, it is not enough to weigh the advantages and disadvantages of the various methods; two further aspects should also be taken into account:

  1. The Pareto principle (80/20 rule): This also applies to IT security. With 20 percent of the possible IT security measures, applied correctly, 80 percent protection against potential threats can be achieved. Choosing the right IT security measures therefore yields a reasonable level of basic protection for IT systems at relatively low cost.
  2. Don’t invest for economic reasons alone: Once basic protection is in place, other important reasons may still call for investment, such as legal requirements and an exaggerated sense of security.

Do you want to learn more about the calculation of profitability? Case studies and calculations are covered in the following sources (in German):

Strategic approaches to cybersecurity investment

A less mathematical approach to cybersecurity investment is suggested in Forbes magazine: companies should follow a blueprint for cybersecurity investments based on the emerging challenges of the coming year. Broadly speaking, this plan comprises three distinct phases: plan, prepare and protect.

  1. Plan: The first step is to set and define objectives, such as consolidating cybersecurity solutions and reducing cybersecurity supply chain risk.
  2. Prepare: This is followed by concrete, tactical steps to identify critical assets and develop policies to protect them. This can be done, for example, by employing data discovery and using determination tactics, or by preparing for privacy regulations.
  3. Protect: Having reached this point, the data must be protected in a way that matches the problem and the objectives.

A report by PwC proposes four more advanced cyber investment strategies:

  1. Create value, not just protect it: Cyber initiatives should be used to help create and sustain value rather than simply protecting it. 30 to 40 percent of cyber investment should be spent on protection, about 30 percent on detection, and the remaining roughly 30 percent on response and recovery.
  2. Let the big picture drive investment: Technology solutions should not determine the investment strategy; a long-term vision and strategy should. This not only helps cover your biggest risks and close major gaps, but also builds the capability and agility to fight the next, potentially unknown, threat.
  3. Take a data-driven approach: This goes hand in hand with the quantification of cyber risks, which helps companies assess new threats systematically.
  4. Align on the cloud: Organizations often do not realize their full potential when investing in the cloud because CISOs and risk leaders frequently fail to collaborate effectively and have differing expectations. When shifting from an on-premises system to a cloud-based one, you should therefore reevaluate your existing policies and procedures, determine whether your existing expectations still apply in the cloud environment, and identify which adjustments are needed to accommodate the shared-responsibility model.

How much should you invest in cybersecurity?

There is no universal answer to this question. However, a 2015 report by International Data Corporation (IDC) Canada divides organizations into four categories according to their investment behavior (source:

  1. “Defeatists” = 23 percent of organizations – IT security is weak and underfunded; 6 percent of their IT budget is spent on security.
  2. “Denialists” = 37 percent of organizations – IT security is weak, but they do not understand or acknowledge this fact; 6 percent of their IT budget is spent on security.
  3. “Realists” = 23 percent of organizations – IT security is satisfactory, but they are looking to improve it; 14 percent of their IT budget is spent on security.
  4. “Egoists” = 17 percent of organizations – IT security is good, but they risk overconfidence; 12 percent of their IT budget is spent on security.

Apart from the actual investment behavior, the existing IT security budget is relevant, i.e., how much is available in the first place. There are two ways to determine the budget (source:

  1. Conventional: The decision is based on experience already gained. However, conventional budgeting only works until unexpected new requirements arise.
  2. Risk-aware: The risks, their probability and their relevance are analyzed and estimated. This analysis should be supported, refined and optimized by experts.

It should not be forgotten that no company can permanently provide all-round protection against every conceivable threat. The trick, then, is to prioritize the items in the IT security budget. Certain cost drivers, such as personnel costs and the cost of replacing equipment, assets and systems after a cyberattack, should be factored in. It is also advisable to keep a reserve for outside service providers when investing in IT security: even if a consultant or cybersecurity professional has already been involved, a second or third opinion may be needed to achieve 360° security.

In summary, well-planned investments that focus on current cyber threats and those of the near future protect companies from significantly higher costs. The IT security budget must therefore not only be determined and spent carefully, but also planned, prepared and thus protected in a way that is tailored to the respective company. A first step could be CyberCompare. We help customers prioritize, specify requirements and service descriptions, compare offers, conduct market research and create concrete decision templates with clear recommendations. Our goal is always to make cybersecurity simpler, easier to understand and more affordable.

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written, but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.