For as long as the internet has been a part of everyday life, we’ve been aware of its plethora of rewards, as well as its risks and the related need for cybersecurity. But as attacks become more prevalent and sophisticated, organizations have been pushed to invest in more sophisticated defenses—but better cybersecurity costs more money.
The Consequences of Rising Cyberattacks and Stringent Regulations
During the pandemic, a rise in supply chain cyberattacks and triple extortion ransomware had devastating and cascading effects that caused widespread damage. More recently, the Identity Theft Resource Center found that the total number of data breaches in 2023 through the end of September exceeded the total number of breaches in 2022 by 23 percent. These attacks affected millions of victims through misconfigurations on Android cloud services and leaks at Facebook, LinkedIn, MGM, MOVEit and Cognyte, among other issues.[i]
As these major threats have intensified over the last year, businesses across all industries are responding with a greater focus on cybersecurity awareness, readiness, and resilience. Cisco found that 50 percent of big enterprises—those with 10,000+ employees—currently spend at least $1 million on security, with some giants like Microsoft aiming to invest over $1 billion annually. Meanwhile, a Statista report showed that spending in the cybersecurity industry reached around $71.1 billion in 2022.[ii]
Compounding this already hefty investment are stringent regulations. As noted by The Wall Street Journal, state-sponsored hacks and ransomware attacks have pushed the U.S. beyond voluntary standards and into more aggressive cyber policies; already, companies in some sectors are now required to report cyberattacks, appoint dedicated staff to liaise with officials and redesign their networks with zero trust principles—a shift that has already resulted in the enactment of the Colorado Privacy Act, the California Privacy Rights Act, and the Virginia Consumer Data Protection Act.[iii]
The same is true overseas—according to Reuters, 2021 saw advancements in the form of China’s Personal Information Protection Law and the release of the UAE’s and South Africa’s new privacy laws. Meanwhile, Europe introduced the EU’s new Standard Contractual Clauses,[iv] as well as a new directive finalized in 2022 that requires more types of companies to take strong cybersecurity measures, including stringent requirements in encryption and governance.[v]
Balancing the Security Budget: Spend to Defend?
Given all this, we should expect regulators—including sectoral regulators—worldwide to intensify efforts and expectations in 2023 and beyond, and that will likely mean yet more increases in cybersecurity costs. It won’t be enough to manage business continuity by merely patching remote systems over already-cracking-under-the-load VPNs as they did during the pandemic against an exponential increase in attacks—CISOs will now need to determine how to allocate and expand cybersecurity budgets, support additional modifications, and reassure clients and stakeholders while adjusting to the next normal.[vi]
Among these adjustments will be those to deal with “rapid IT changes and rising complexities,” which most respondents to a Deloitte survey identified as their number-one cybersecurity challenge.[vii] Regulators, noting the vast amounts of personal data now captured and stored by companies, have further made data protection—together with resiliency and data integrity—a significant focal point for cybersecurity through a slew of national and international data protection standards that are only increasing in number and comprehensiveness. So, for companies to flourish despite the onslaught of proliferating attacks and increased regulations, they must prioritize strategic preparation, flexibility, and resilience.
But that doesn’t necessarily have to mean expanding or reallocating the budget, as Julie Bernard, a principal with Deloitte Risk and Financial Advisory’s cyber-risk services, noted: “While everyone is looking for an efficiency ratio for their cyber costs, how a security program is planned, executed, and governed is as important, if not more.”[viii]
In a study, Compliance Week drilled down further into the idea that higher cybersecurity spending doesn’t necessarily translate into a higher cybersecurity maturity level by looking at programs that most successfully implement their security budgets, all of which showcased the same core traits: full managerial support in nearly all areas of cybersecurity; prioritization of cybersecurity by segregating it from IT; and alignment of cybersecurity efforts with business strategy (with the corresponding alignment, prioritization, and reporting structures in place).[ix]
Investing in Compliance Solutions
Still, McKinsey points out that cybersecurity budgets cannot grow and shrink depending on whether a company recently suffered a system intrusion. So, as other readjustments are implemented at an organizational level, there is one worthy investment that should be made regardless: compliance. Adherence to proven and industry-accepted standards of security will not just help prevent such intrusions; the related assessments can also be powerful tools of trust amidst the expanding cybersecurity landscape, including:
- System and Organization Controls (SOC) Reporting: Businesses can build trust and confidence with their customers (and their auditors) through an independent SOC 1, SOC 2, or SOC 3 examination that proves procedures are conducted in an ethical and compliant manner.
- Federal Assessments (FedRAMP or CMMC): Cloud service providers, contractors, and commercial entities can support their authorization to operate for federal agencies by undergoing an independent assessment (FedRAMP, CMMC, FISMA/NIST, ITAR, and CJIS).
- Payment Card Assessments: Merchants and their service providers can validate their adherence to PCI DSS requirements through a report on compliance (PCI DSS Validation, PCI SSF, PA-DSS Validation, PCI P2PE Validation, ASV Scanning).
- Healthcare Assessments: To ensure they’re providing top-tier security and privacy to their business associates and covered entities amid growing healthcare complexities, organizations can evaluate their alignment with HITRUST CSF requirements, verify whether they’re meeting HIPAA security and privacy safeguards, or communicate EPCS-DEA compliance to stakeholders while satisfying regulatory requirements.
- ISO Certifications: These internationally recognized certifications provide organizations with a framework to handle modern corporate challenges—from security, privacy, and service delivery to availability—and foster trust with clients.
- Penetration Testing: These independent third-party assessments enable businesses to demonstrate that they take data security seriously while also strengthening their ability to effectively respond and mitigate threats in an increasingly vulnerable technology landscape.
- Privacy Assessments: Through a slew of respective assessments and certifications (APEC, GDPR, etc.), organizations can assess their compliance with applicable strict data protection regulations—nationally and globally—to guarantee the privacy of the data they possess.
- Cloud Configuration Assessments: Businesses can protect themselves and their clients from the threat of data breaches and loss by reducing security risks in cloud computing through assessments that can reveal common configuration issues such as insecure data storage, internet-accessible databases, excessive API keys, and lack of multi-factor authentication.[x]
The Permanence of Cybersecurity
With compliance as a critical component, it’s clear that cybersecurity as a whole must be viewed as a permanent capital expenditure moving forward. For maximum efficiency and minimum disruption of performance, budget allocations should be prioritized in tandem by technology professionals and a C-suite that have mutually educated one another on varying priorities, though tech leaders—as McKinsey argues—may need to take initiative in forging direct communications, creating cost transparency, and identifying business priorities to help the board create and regularly review benchmarks for cross-company and multi-year expenditures on cybersecurity initiatives.[xi]
However such a designated “Cybersecurity Committee” chooses to cooperate, companies must prioritize strategic preparation, flexibility, and resilience when rethinking strategies and offerings. That way, they can efficiently combat cybersecurity threats without compromising performance, and they will be in a position to accommodate what will surely be a new security landscape while continuing to meet client needs.
[i] https://www.securitymagazine.com/articles/96667-the-top-data-breaches-of-2021
[ii] https://www.secureworks.com/blog/6-considerations-for-your-companys-cybersecurity-budget
[iii] https://www.wsj.com/articles/companies-face-stricter-cyber-rules-in-2022-11641205804
[iv] https://www.reuters.com/legal/legalindustry/cybersecurity-data-privacy-foresight-2022-2022-01-21/
[v] https://www.mimecast.com/blog/cybersecurity-rules-tightening-across-europe-in-2022/
[vi] https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/covid-19-crisis-shifts-cybersecurity-priorities-and-budgets
[vii] https://www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html
[viii] https://www.complianceweek.com/cybersecurity/study-firms-pay-more-than-2k-per-employee-for-cyber-security/27029.article
[ix] https://www.complianceweek.com/cybersecurity/study-firms-pay-more-than-2k-per-employee-for-cyber-security/27029.article
[x] https://www.schellman.com/
[xi] https://www.mckinsey.com/~/media/McKinsey/McKinsey%20Solutions/Cyber%20Solutions/Perspectives%20on%20transforming%20cybersecurity/Transforming%20cybersecurity_March2019.ashx
I am the CEO at Schellman, the world’s largest niche cybersecurity assessment firm specializing in technology assessments. With extensive experience in information security, operations, P&L oversight, and marketing, I’ve had the opportunity to work with both start-ups and growth organizations, domestically and internationally. My insights have been featured in Forbes, CIO.com, the Wall Street Journal, and CIO TechWorld. I’m often invited to speak on topics such as security, privacy, information security, future technology trends, and the importance of expanding opportunities for young women in tech.
I’m also deeply committed to strategic philanthropy and serve on the boards of Arnold Palmer Medical Center and Philanos. I chair the Audit Committee at the Central Florida Foundation and co-chair 100 Women Strong, a female-led venture capital giving circle dedicated to solving community challenges affecting women and children through data analytics and big data.