Investment in Cybersecurity During a Down Economy

Yesterday marked the wildest day the market has seen since 2008. For the first time in over a decade, the Dow dropped more than 2,000 points. Similar to when the bottom fell out of the oil market in 2015, companies are now faced with a challenging decision: should they continue to invest in growth, or would they be better served holding cash to protect themselves against a downturn?

At the risk of stating the obvious, we are certain to have more economic declines over time. What’s most troubling about these moments, at least to cybersecurity professionals, is that companies continually shift dollars away from cybersecurity initiatives, and hackers are acutely aware of this. They know the focus is elsewhere and see an opportunity to strike when companies are most vulnerable.

Investment in Cybersecurity

I’ve been in business since 2009 and worked in the cybersecurity industry since 2002, and I’ve seen companies continue to cut investment in cybersecurity initiatives the moment economic instability surfaces. The reason is that it’s difficult to justify the cost of investing in initiatives that do not aid in revenue generation or are not a core competency. It’s also virtually impossible to define an ROI for cybersecurity investment, so seeing the positive side of this spend when cash is tight is hard to do.

That’s understandable. Holding onto cash and only spending on initiatives that increase or stabilize revenues, improve competitive advantage, or sustain core competencies seem like sound strategies. But what they don’t account for is the cybersecurity risk they introduce.

The RLC Triad: The Ever-present Force

The above being understood, realize this: During an economic downturn, your company’s risk, liability, and compliance obligations do not change. Given data’s value as a digital resource, companies are not getting rid of it. So if sensitive data remains, so too does the risk of it being stolen or otherwise exposed.

Moreover, the liability associated with stored data does not change either. If your company is attacked, the cost of a data breach is still the same. This can devastate companies already struggling to survive, and in some instances, it can shutter them.

Lastly, regulatory bodies do not care that the economy is down, and they make it very clear that companies storing sensitive data must maintain compliance at all times. The cost of compliance will remain constant, and if there is no continual investment in compliance-related functions, falling out of compliance is a realistic possibility.


Making the Mistake of Skimping on Cybersecurity

As we’ve established, during periods of economic distress, companies generally restrict spending and attempt to reduce costs. This cost reduction generally occurs in three ways: reductions in workforce, reductions in functions, and reductions in technology. However, these people, processes, and technologies represent fundamental elements required to execute a successful cybersecurity strategy. Not properly assessing the risk of cutting resources in these areas will leave an organization in a deficit that will be very challenging to overcome in the cybersecurity arena.

The truth of the matter is that in order to prevent a breach of your environment, every single security control must function properly 100 percent of the time. Any lapse in your systems or underperforming control leaves an opening for cybercriminals to exploit, which can lead to a breach or otherwise expose sensitive data. This is not to suggest that every last dollar should be invested in cybersecurity, but those responsible for financial decisions should understand that skimping on cybersecurity investment could very well result in a data breach that will be far more costly than maintaining an appropriate cybersecurity program and ensuring the technologies therein function effectively.

Cybersecurity as a Board-Level Priority

When communicating with your board, emphasize the risk of cost avoidance in cybersecurity. Use the information above as talking points and leverage recent data breach reports in your industry. If we are not learning from others, we’re missing an opportunity. It can also help to suggest risk-reducing alternatives for cybersecurity investment. For example, rather than chasing the newest “next-generation firewall,” advocate for technologies such as tokenization that will minimize the risk of data theft. If the data is not in your environment, it’s going to be challenging for hackers to access it in the event of a breach. More pointedly, prioritize data protection over everything else and treat your data as your most valuable resource. Hackers certainly do.

History tells us that the economy is going to fluctuate. This is inevitable. History also tells us that when we don't value cybersecurity, breaches occur, as evidenced by the continual increase in data breaches every year. Invest in cybersecurity solutions that prioritize protecting what hackers want: your data. You can do that by implementing TokenEx's Cloud Security Platform. At TokenEx, we are dedicated to minimizing risk, liability, and the scope of compliance obligations while providing day-one efficacy to our customers. By doing so, we help protect the world's most sensitive data from attack.

No data, no theft.




