Figuring out whether a data center is spending enough on cybersecurity is easy in theory but not in practice.
First, you determine your appetite for risk. Second, you determine the potential impact of a cyber incident to your critical assets and systems. Third, you determine the vulnerability of those assets.
Multiply the potential impact by the degree of vulnerability, and you get your total risk exposure. If the total risk is higher than what you can tolerate, you need to beef up your cybersecurity.
A company’s tolerable level of risk depends on its size, industry, and market positioning.
"Is your goal to track the spend of your competitors, or to be known for delivering more exceptional service in a more secure way?" asked Ramon Peypoch, chief product officer at the Denver-based network security company ProtectWise. "You can use security as a driver for your business if you adopt the approach that you're going to deliver the most secure data center operations and not be part of all the high-profile breaches out there."
On average, companies tend to spend about a tenth of their IT budget on cybersecurity, said Mike Sprunger, senior manager of cloud and network security at Insight, a Tempe, Arizona-based technology consulting firm. High-risk operations, such as banks, would spend more, he said.
Understanding the Impact
The problem, Sprunger said, is that the people responsible for security often focus on across-the-board technology initiatives rather than considering the potential impact on individual systems. As a result, they wind up spending too much time, effort, and money on non-critical systems and not enough on the most important ones.
"Protecting things to the degree that they're important to the organization is a well-known concept," he said. In practice, it's a rare organization that’s able to do this well. For example, hospitals have a very good awareness of the kinds of risks that can put patient health in danger. "But that same discipline isn't extended into IT."
And if the security manager can't distinguish between the different assets that need to be protected? "Then you're probably spending too much," Sprunger said.
This risk assessment needs to be conducted on a regular basis.
"It is the only way to know what the risks are at any given point in time," he said. "Then you should insist on getting a roadmap to address those risks, to bring them back in line with the risk tolerance of your organization."
Say, for example, a particular security problem has a compliance impact with a $2,000 fine every month – but it would cost $500,000 to fix. "Then you pay the fine all day long," he said. "You can pay the fine for ten years before you come close to the investment you'd have to make in the technology."
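The exposure calculation described earlier (impact multiplied by vulnerability, compared against a tolerance) and the fine-versus-fix comparison in Sprunger's example, worked through as an added Python illustration that is not from the article. The asset names, dollar figures, probabilities and the $40,000 tolerance are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    impact: float         # estimated loss if the asset is compromised (dollars)
    vulnerability: float  # estimated probability of compromise per year (0..1)
    fix_cost: float       # one-off cost of remediation (dollars)
    residual: float       # probability of compromise per year after remediation


def exposure(asset: Asset) -> float:
    """Annual risk exposure: potential impact times degree of vulnerability."""
    return asset.impact * asset.vulnerability


def payback_years(fix_cost: float, annual_saving: float) -> float:
    """Years until a one-off fix pays for itself against the recurring cost it removes."""
    if annual_saving <= 0:
        return float("inf")
    return fix_cost / annual_saving


def roadmap(assets: list, tolerance: float) -> list:
    """Assets whose exposure exceeds the risk tolerance, ordered by fastest payback.
    Returns (name, exposure, payback_years) tuples."""
    rows = []
    for a in assets:
        if exposure(a) <= tolerance:
            continue  # within appetite: spending more here is the "non-critical" trap
        saving = exposure(a) - a.impact * a.residual  # exposure removed by the fix
        rows.append((a.name, exposure(a), payback_years(a.fix_cost, saving)))
    rows.sort(key=lambda r: r[2])
    return rows


# Constructed sample register (hypothetical assets and figures, not from the article)
REGISTER = [
    Asset("patient-records-db", 2_000_000, 0.25, 150_000, 0.0625),
    Asset("hvac-controller", 400_000, 0.125, 30_000, 0.0),
    Asset("guest-wifi", 20_000, 0.5, 40_000, 0.125),
]
TOLERANCE = 40_000  # assumed risk appetite: tolerated annual exposure per asset

if __name__ == "__main__":
    for name, exp, years in roadmap(REGISTER, TOLERANCE):
        print(f"{name}: exposure ${exp:,.0f}, fix pays back in {years:.1f} years")
    # The compliance case from the article: $2,000/month fine vs a $500,000 fix
    print(f"compliance fix payback: {payback_years(500_000, 2_000 * 12):.1f} years")
```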
There is no precise way today to measure how vulnerable a particular organization or individual system is to cybersecurity attacks.
But there are ways to get a reasonable estimate and refine it with experience over time, experts say.
Risk is as complicated and unpredictable in cybersecurity as in many other areas of business. Companies find ways to analyze all kinds of risk. They'd be operating blind otherwise.
Measuring the likelihood of a successful cyberattack typically starts with applying industry guidelines, best practices, and security frameworks to determine areas of vulnerability.
Penetration testing can help determine how easy it is for hackers to break into particular systems.
Third-party risk assessment companies can help as well, similar to the way credit agencies calculate a person's credit rating.
FICO, for example, offers a Cyber Risk Score tool. The company recently partnered with the US Chamber of Commerce on the first national cybersecurity assessment.
The score runs from 300 to 850, just like a traditional credit score, and correlates with the size of an organization and the complexity of its network. For example, construction companies scored an average of 764, while telecom companies came in at 619.
Knowing a company's overall vulnerability, how it compares to peers, and how it changes over time, can help clarify whether the money being spent on cybersecurity is having an impact.