Cost-effective Cybersecurity
In a recent post we talked about effective cybersecurity. Now let's talk about cost-effective cybersecurity.
Note that cost-effectiveness is not interesting without effectiveness. And effective is not the same as expensive. The goal is effective cybersecurity that is also cost-effective, because we live in the real world. But all too often organizations have cybersecurity that is both expensive and ineffective.
We will assume that you already know what we mean by effective cybersecurity; if not, take a few minutes to read that other post. Now we will consider whether or not your cybersecurity is cost-effective. To do that we must understand what we mean by cost-effectiveness analysis (CEA).
A CEA is used when there are many options and few clear choices. Health care often uses them because, like cybersecurity, perfect health is unattainable and the combined cost of every possible option is essentially infinite. You can't do everything that you would want to do. You can't even do everything you would like to do. The question is: can you do everything that you need to do?
The CEA compares possible interventions based on two things: the likely outcome and the probable cost. This is more useful than it might seem at first blush. Instead of asking "how much should we spend on cybersecurity?" you ask "of the X actions we are considering, what will be protected and how much will it cost?"
We use the NIST CSF so we break down your cybersecurity program into these steps:
- Identify what to protect
- Protect those assets with procedures and processes
- Detect issues by monitoring those procedures and processes
- Respond to issues as you detect them (short-term)
- Recover from issues after responding to them (long-term)
In order to be effective, you must protect the appropriate assets most or all of the time and detect the times when your protections fall short. In order to be cost-effective, you must protect only the assets you can afford to protect effectively. Trying to protect too much and doing a bad job is NOT cost-effective; it is penny-wise and pound-foolish. Protecting too little and doing a terrific job on the blessed assets while other vital assets are plundered is NOT cost-effective; it is just a different way to be penny-wise and pound-foolish.
If you are spending what you can afford and doing an effective job on all of your vital assets, then your cybersecurity is cost-effective. Rejoice and be glad--for now. This is a moving target.
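To make the CEA comparison and the "affordable and effective on every vital asset" test concrete, here is an added worked example in Python. It is not from the original post and does not describe the author's own method; the assets, candidate interventions, their costs, the assets each one covers, and the expected-loss and effectiveness numbers are all constructed for illustration. Each intervention is scored by its likely outcome (expected annual loss avoided) against its probable cost, interventions are taken in that order only when they can be fully funded within the budget, and the result is then checked for vital assets that were left unprotected.

```python
# Added illustration of a cost-effectiveness analysis (CEA) over candidate
# cybersecurity interventions. Every asset, intervention, cost and outcome
# estimate here is constructed for the example, not taken from a real program.
from dataclasses import dataclass


@dataclass(frozen=True)
class Intervention:
    name: str
    cost: float              # probable annual cost, in dollars (constructed)
    protects: frozenset      # asset names this intervention covers
    effectiveness: float     # fraction of expected loss avoided on those assets (0..1)


# Constructed asset inventory: name -> (is_vital, expected annual loss if unprotected)
ASSETS = {
    "customer-db": (True, 400_000.0),
    "payroll": (True, 150_000.0),
    "marketing-site": (False, 20_000.0),
    "dev-laptops": (True, 120_000.0),
}

# Constructed candidate interventions under consideration
INTERVENTIONS = [
    Intervention("mfa-everywhere", 30_000.0,
                 frozenset({"customer-db", "payroll", "dev-laptops"}), 0.6),
    Intervention("edr-on-laptops", 45_000.0, frozenset({"dev-laptops"}), 0.7),
    Intervention("db-encryption-and-backups", 60_000.0, frozenset({"customer-db"}), 0.5),
    Intervention("waf-for-website", 25_000.0, frozenset({"marketing-site"}), 0.8),
    Intervention("full-soc-outsourced", 250_000.0, frozenset(ASSETS), 0.9),
]


def likely_outcome(iv):
    """Likely outcome: expected annual loss avoided across the assets it covers."""
    return sum(ASSETS[asset][1] * iv.effectiveness for asset in iv.protects)


def ratio(iv):
    """Loss avoided per dollar spent: the CEA score used to rank interventions."""
    return likely_outcome(iv) / iv.cost


def rank(interventions):
    """Best loss-avoided-per-dollar first."""
    return sorted(interventions, key=ratio, reverse=True)


def select(interventions, budget):
    """Greedy CEA selection. An intervention is taken only if it can be fully
    funded; a half-funded control is the 'protect too much, do a bad job' trap,
    so it is skipped rather than partially bought."""
    chosen, spent = [], 0.0
    for iv in rank(interventions):
        if spent + iv.cost <= budget:
            chosen.append(iv)
            spent += iv.cost
    return chosen, spent


def uncovered_vital_assets(chosen):
    """Vital assets no chosen intervention touches: the 'plundered assets' check."""
    covered = set()
    for iv in chosen:
        covered |= iv.protects
    return sorted(name for name, (vital, _) in ASSETS.items()
                  if vital and name not in covered)


def is_cost_effective(chosen, spent, budget):
    """Cost-effective in the post's sense: within budget AND every vital asset covered."""
    return spent <= budget and not uncovered_vital_assets(chosen)


if __name__ == "__main__":
    for budget in (100_000.0, 20_000.0):
        chosen, spent = select(INTERVENTIONS, budget)
        print(f"budget ${budget:,.0f}: spend ${spent:,.0f} on "
              f"{[iv.name for iv in chosen]}; "
              f"uncovered vital assets: {uncovered_vital_assets(chosen)}; "
              f"cost-effective: {is_cost_effective(chosen, spent, budget)}")
```

With the constructed numbers, a $100,000 budget funds multi-factor authentication and the database controls, leaves $10,000 unspent, and covers every vital asset, so the program passes the test. A $20,000 budget funds nothing completely, so all three vital assets remain exposed and the program fails it, which is exactly the moving target the post describes: rerun the analysis whenever the asset list, the loss estimates or the budget changes.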
So, uh, what if you DON'T have cost-effective cybersecurity?
We Can Help
We have experts in technology and in behavior and these different experts work together to help your company develop a culture of working together. If you see yourself in any of the above scenarios then it is time to schedule a meeting.