It’s not a good habit for any business to invest without seeing a decent return. In some functions, it’s easily fixable—cut your losses and move on to the next project or campaign. But when it comes to security, if your investments don't hit the mark, you're exposing not only the smooth running of your business, but also, potentially, your brand and reputation.
In our latest report, “Invest for Cyber Resilience,” we take a close look at how organizations are prioritizing security, how comprehensive their security plans are, and how their security investments are performing. We found that most organizations are not shy of investing in cybersecurity and, in particular, are showing a strong commitment to new technologies. Today, 84 percent of organizations are spending more than 20 percent of their cybersecurity budget on technologies where artificial intelligence, machine learning or robotic process automation is a fundamental component. That’s a good step up from 67 percent three years ago.
Despite these kinds of investments, many are not seeing the benefits—only 53 percent say their investments are “recovered or returned.” And they have the added pressure of the increasing costs of cybersecurity. In fact, these costs are rapidly proving to be unsustainable—for one in four of the organizations we studied, they’re rising by more than 25 percent a year.
So, what’s the impact of these kinds of pressures? Well, as you might expect, the impacts of security programs and investments are diluted. In terms of coverage, we found only 59 percent of assets are actively protected by cybersecurity programs on average. And when defenses fail, more than half of security breaches take longer than 16 days to remediate—and one quarter take more than a month.
While these findings may not promote confidence, there is a positive outcome for some. We discovered a group of organizations, identified in our report as leaders, who seem to have cracked the secret code behind making security work. These leaders, 17 percent of our sample, demonstrate three key ways that enable their organizations to focus their efforts and drive better results from their security investments.
What do leaders do differently to get the best results from their cybersecurity technology investments? They:
Scale more: Organizations best at scaling technology investments from pilot to deployment across the enterprise are four times better than the rest at defending attacks
Train more: Organizations best at training are two times better than the rest at defending attacks
Collaborate more: Organizations best at collaborating are two times better than the rest at defending attacks
Take a look at more of the findings from our survey of 4,644 senior security executives in organizations with annual revenues of US$1 billion or more from 24 industries and 15 countries. This report is just one of an ongoing and extensive body of research that we have been building for many years. Think about whether the security spend in your own company is resulting in the performance your security team expects. As we can see from this research, it’s no good relying on investments to just work hard—they need to work smart, too.