Council Post: Strategies To Increase ROI On Cybersecurity Staff

Businesses have never been more vulnerable to online risks and malware attacks than they are today. Cyberattacks are among the top security and risk management trends affecting businesses.

We’ve heard the stories and seen the numbers concerning the consequences of major cyberattacks on computers around the world. In 2017, the WannaCry ransomware caused $1.5 to $4.0 billion in monetary damage worldwide. The same year, an Equifax breach caused reputational damage resulting in the CEO, CSO and CIO vacating their positions with the company.

While these are extreme examples, the fact remains that large organizations are vulnerable to similar attacks, and the consequences aren’t exaggerated. Businesses must integrate cybersecurity into their strategy.

In order to integrate cybersecurity, businesses should employ qualified and skilled talent or invest in training for existing employees. An educated team helps ensure employees are on board with the cybersecurity approach. This is imperative so they understand the likelihood of threats, the risks of potential damage and how policies will mitigate those risks.

A staff that takes cybersecurity threats and policies lightly is a major risk for any organization. Training and educating employees will help mitigate risks and avoid disaster for a fraction of the cost if your business is targeted by malicious parties.

This solution-driven mindset is a five-step strategy to increase ROI and achieve the business’s cybersecurity goals through your staff.

1. Know the worth of cybersecurity talent.

There is no question that a shortage of cybersecurity talent exists. The total number of vacant security-related jobs was predicted to reach 1.5 million this year. The situation will become bleaker as digital ecosystems evolve.

The high rate of technological evolution automatically increases system vulnerabilities. Sensitive technologies like artificial intelligence and the internet of things require constant threat monitoring to ensure security. Achieving cybersecurity resilience depends on hiring skilled individuals who will put the right processes in place to combat IT security risks.

2. Define cybersecurity goals.

Security leaders are measured by cybersecurity resilience; therefore, defining business goals requires a smart approach. When a business doesn’t have a set of defined goals, the goals must be created. An important factor to consider is the greater context of security trends. Industry trends of major concern include:

• Creating better communication of risks among stakeholders and CISOs.

• Securing cloud-based platforms.

• Integrating security into data governance frameworks.

• Moving to a passwordless approach (via biometric and hardware-based methods).

• Having a lack of cybersecurity talent.

Major trends affect every business, but their significance depends on the size, type and sector of the business.

3. Conduct a skills assessment.

After a business’s goals are in place, next determine how to go about achieving them. Performing a skill-set assessment of staff helps identify specific gaps and provides a better understanding of cybersecurity readiness.

Large technology and security-solution vendors have specialized versions of aptitude assessment tools. Additionally, the National Initiative for Cybersecurity Careers and Studies and the National Initiative for Cybersecurity Education have detailed information about cybersecurity workforce assessments, planning and implementation.

4. Assign information security training.

Once a training plan has been created based upon gaps in skills, the next move is assigning specific training courses to address those gaps. The plan would work to plug only those skill-set gaps the organization needs to meet the business yielding ROI for the training dollars and the investment in employees.

5. Determine Return on Security Investment (ROSI).

According to the European Network and Information Security Agency, any ROSI security solution can be calculated using this formula:

• ROSI = (Reduction in monetary loss – Cost of the solution being considered) / Cost of the solution under consideration.

Employee training helps avoid monetary loss by counting as a proactive solution to cybersecurity threats. If the formula is modified, we have a handy way to calculate the ROSI:

• ROSI = (Reduction in monetary loss – Cost of employee training) / Cost employee training.

The effective levels of training result in a reduction of the expected monetary loss in the event of a breach, and it’s often quantified by using a metric called annual loss expectancy. To calculate the loss, multiply the probability of a risk occurring in a year by the expected monetary loss of a single occurrence.

Another method of calculating loss estimation and ROI is the Gordon-Loeb Model. Advanced approaches can create unique metrics, so choose the method that makes the most sense for the business.

All in all, having reliable cybersecurity information is crucial for designing an effective cybersecurity strategy. This means knowing which procedures and policies are most compelling and reviewing the best practices and effective rules.

Part of a training program involves awareness about current threats, communicating with staff and updating staff about policy changes, current threats and any thwarted attacks. When major changes are implemented in everyday business processes, ensure staff has adequate time to prepare.

I’ve observed that investing in IT combined with cybersecurity training leads to high ROI and increases efficiency. This can effectively reduce turnover, enable career mobility and curtail time spent recruiting skilled talent, which can be developed internally. Training and empowering the team helps integrate cybersecurity into the very culture of the firm. Look into professional cybersecurity certifications now and upskill your resilience.