Cybersecurity Cost Effectiveness
(This post is part of a series about asking the right questions about your cybersecurity. These are questions anyone is qualified to ask.)
Are your cybersecurity (C/S) efforts cost-effective?
If you are senior management, especially in the IT department, you should be able to answer that question fairly easily, because you should already be reviewing the scope and success of your organization's cyber defense efforts not only against the budget but against reasonable and customary levels of success.
(Yes, there is an acceptable failure rate for C/S, just as there is for everything human beings do. Would you like to stop all attacks and recover flawlessly from all disasters? Of course you would. Are you a failure if an attack ever gets through or a disaster disrupts operations even for a moment? No, of course you are not.)
We assume that your organization can answer the first two questions in this series, which were "Is your C/S addressing the right risks?" and "Is your C/S effective?" If you can give reasonable and feasible answers to both, then you are fairly sure you are protecting what you can afford to protect and that your protection is effective. But is that protection cost-effective?
To answer this question, you need to know two things: how much you spend and what you are getting for your money. This will allow you to decide if your program is cost-effective to YOU.
For extra credit, you should see what standards your industry uses. Having external standards against which to compare your costs and your success rates (or downtime or however you choose to measure the effects of cyber incidents) will allow you to decide if your program is as cost-effective as is reasonable and customary in your industry.
Be warned: there is still a conspiracy of silence around ransomware and other cyber threats, not least because paying ransomware demands is fraught with possible legal ramifications. Similarly, everyone is happy to discuss their data protection successes but no one is eager to discuss their data protection failures. Sadly, both attacks (including but not limited to ransomware) and disasters (including but not limited to accidental data deletion) are increasingly hard to hide.