
11/4/2020
02:00 PM

Prepare for the Unexpected: Costs to Consider in Security Budgets

Organizations that update business models to include cybersecurity as part of a strategic planning process may be able to better withstand unexpected disruptions.

The year 2020 catapulted cybersecurity from a technology problem to a business issue. Now, when organizations plan for digital transformation, leading with security is the norm. As it's now top of mind for business and technology leaders, cybersecurity should be a significant part of every budget — factoring in necessities such as tooling, consulting services, training, updates, new licensing, and even an insurance policy.


However, as budgeting traditionally occurs in silos, security leaders are still concerned the committed spend will not be sufficient. A recent AT&T Cybersecurity poll showed that nearly one-third (28%) of cybersecurity professionals are concerned about the prioritization of security investments.

As we near the end of the year, a time when security budgets are often reassessed, let's take a look at common direct and indirect security costs — and how organizations can get smart with their security spending.

The Direct Costs: Planning for Unexpected Disruptions
One of the most frequently overlooked direct cybersecurity costs is what organizations have been experiencing since early 2020 — the unexpected disruption and associated expenses as a result of the pandemic. In March 2020, when homes became offices and employees became remote workers, organizations struggled with unexpected cybersecurity expenses such as basic cybersecurity training, extra VPN licenses, extra licenses for secure email gateways, additional managed security services, and other typical cybersecurity budget line items.

Other unexpected, but real, disruptions include a cyberattack and its necessary remediation; unexpected business growth, either organically or through acquisition; and rapid change to accommodate competitive business initiatives.

Planning and budgeting for such disruptions is something a well-organized and strategic company treats as an unknown reality on a yearly basis. Organizations should use a strategic planning process to identify possible events, both likely and unlikely. Understanding where business risk may creep in over the course of the year helps organizations set a realistic budget that can help them survive disruptions.

Failure to plan for the unexpected disruption can have dire consequences. For example, some businesses experiencing erosion from more nimble competitors could not adapt during the pandemic. Among other issues, the switch to everything remote, virtual, and touchless accelerated the decline of these businesses. Formerly stalwart brands have either gone out of business completely or are in restructuring mode.

The Indirect Costs: Crisis Management
On the other side of the coin lie indirect security costs. The most overlooked indirect cybersecurity cost is directly related to unexpected disruption: crisis management. In the event of an unexpected disruption, organizations may have to enlist the help of crisis experts such as outside cybersecurity professionals for remediation of an issue, the last resort of payment for a ransomware attack, or other crisis expenses.

Many organizations fail to think about a crisis situation and its remediation tactics. Planning for a crisis is not a failure; it's being realistic and strategic. Failing to plan for a crisis as part of an unexpected disruption can significantly affect the business, including the loss of customer loyalty and shareholder confidence, tarnishing of the brand, and ultimately, the loss of the business. While it's true that planning for a crisis may cost a company more day-to-day (depending on the amount of work done, the industry, and the geographies to be covered), it is still far more cost-effective than being unprepared in a crisis, which can cost up to millions of dollars in mitigation and potentially hundreds of millions in reputation and shareholder value.

Cybersecurity is no longer an isolated technical team or issue; it's a business enabler. Organizations that update business models to include cybersecurity as part of a strategic planning process may be able to withstand unexpected disruptions better than organizations that view cybersecurity as simply a technical problem to be solved.

Theresa Lanowitz is a proven global influencer and speaks around the world on trends and emerging technology poised to help today's IT organizations flourish. Prior to joining AT&T Cybersecurity, she founded industry analyst firm voke, to highlight emerging technologies and ...
 
