Cybersecurity consumes a significant share of organizational budgets. As some of the most trusted brands experienced data breaches over the past 2 years—including Intel, Yahoo, Macy's, Adidas, Sears, Delta Airlines and Best Buy to name a few, companies are wondering if they are next in line, and if they are spending enough to protect their data, users, brands, and business continuity.
They're already paying a lot. The online publication CSO partnered with the CERT Division of Software Engineering Institute at Carnegie Mellon University and the U.S. Secret Service, among others, to evaluate cybersecurity trends. Their study reported that 59% of organizations saw security budgets increase in 2018 with the average annual budget for IT security standing at $15 million, with worldwide data security spending expected to reach $124 Billion in 2019, according to Gartner.
Furthermore, according to Cisco and Cybersecurity Ventures, the cybersecurity market is expected to continue growing by 12-15% year-over-year through 2021.
Yet in spite of huge security investments, breaches still occur, and bigger budgets are not necessarily buying better security. In fact, “…most organizations — even some with nine-figure security budgets — have no idea how operationally effective their security technologies are,” says Distinguished VP Analyst Anton Chuvakin.
These numbers suggest that organizations can't measure security posture strength by how much they spend. According to Paul Proctor, Vice President at Gartner, asking industry peers how much they are spending on cybersecurity "is not useful, because there are organizations that are spending a ton on cybersecurity and they have very bad risk postures, and there's others that aren't spending very much but they have very good risk postures. The bottom line is: It's about their level of readiness."
So how do you assess readiness?
Assess Readiness from an Attacker Perspective
A new type of technology, Breach and Attack Simulation (BAS), not only tests the effectiveness of security controls already in place, but it also assigns BAS risk scores depending on if—and how well—they are working. The Cymulate BAS platform tests your infrastructure's ability to cope with threats across the entire kill chain, from pre-exploitation-stage threats, such as email and drive-by-downloads, through exploitation activities, such as endpoint compromise, to post-exploitation activities, and assesses employee awareness of phishing and social engineering techniques. For the first time, you can quantify vulnerability levels across every attack vector without adversely affecting your production environment. Cymulate enables you to answer critical questions in assessing your organization’s readiness to handle a cyber attack:
- What's already deployed and how well does it all work?
Use BAS to test the effectiveness of existing security controls, across any—or all—threat vectors. Testing for functionality and efficacy delivers consistent, quantifiable data in the form of a risk metric, regardless of vendor brands deployed to protect against various attack vectors.
- How do your controls fare against non-CVE vulnerabilities?
Be sure to test for scenarios that mimic the behavior of real malware, across the attack kill chain, including various attack techniques, tactics and practices. For example, vulnerability assessment tools check systems for published and known vulnerabilities, and verify whether the patches and updates are missing from your various software. BAS takes security control assurance a step further by checking your security arsenal’s ability to withstand threats that leverage tool misconfiguration and security gaps in legitimate program features.
BAS testing is not the same as control auditing for compliance. Control audits ensure that controls are present, but they don't assess their effectiveness against real threats. BAS focuses on outcomes—identifying how controls respond in the face of attacker behavior. A quantifiable risk metric is assigned to each test, so you can easily see security gaps or weaknesses.
- What should you prioritize and why?
Now you're ready to make budget allocation decisions based on quantifiable data. Every business must define acceptable levels of risk tolerance across different areas, but BAS data enables you to prioritize budget and mitigation efforts based on an objective BAS risk score that takes into account a threat’s potential impact on an organization, the probability of encountering it in the first place and its infection success rate.
Keep It Agile
When you invest in BAS as part of your cybersecurity strategy, it enables you to increase agility and proactively move the organization's security posture forward. Threat actors change. Attack surfaces change. Unlike costly annual pen testing that only provides a limited snapshot, BAS lets you accurately assess security posture at any given moment and allocate budget and talent where it's most needed. Maybe you can purchase peace of mind.
 2018 U.S. State of Cybercrime, IDG, Oct. 18, 2018, https://www.idg.com/tools-for-marketers/2018-u-s-state-of-cybercrime/
 2019 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics, https://cybersecurityventures.com/cybersecurity-almanac-2019/
 The role cybersecurity should play in 2019 IT budget planning, ZDNet, September 4, 2018, https://www.zdnet.com/article/the-role-cybersecurity-should-play-in-2019-it-budget-planning/