Mr. Ankit Sharma works as security officer for the Compute BU in Cisco's India Bangalore office. Ankit leads Cloud and Compute BU security efforts and makes sure the BU is aligned with Cisco strategy and business goals. Ankit is a highly motivated cloud security professional with proven expertise in information security, holds certifications such as CSA Cloud Security Professional and CSA ZTA, is an ISO27001 Lead Auditor, and demonstrates strong ethical hacking skills. Ankit’s leadership abilities have aided in improving quality programs, reducing data breaches, and boosting efficiency, security, and productivity across the products.
Beyond his leadership acumen, Mr. Sharma possesses deep cloud security knowledge, encompassing cloud infrastructure, application security (AppSec), security operations (SecOps), and compliance frameworks like ISO27001 and SOC 2. His commitment to the field extends to contributions such as developing and reviewing content for the CSA’s Zero Trust Certification exam, the CSA ECUC mapping with CCMv4, and defining the Shared Security Responsibility Model for cloud deployments in application security. Ankit has also played a role in exam development for ISC2’s Certified in Cybersecurity program. Furthermore, Mr. Ankit Sharma is a seasoned speaker and writer who has delivered technical and motivational talks at many security conferences and has written articles for tech magazines. He currently mentors college graduates on a voluntary basis, enabling them to build a successful career in the cybersecurity field.
The Interview:
Q1. Introduction to the Expert
- Can you start by introducing yourself and your experience in the field of cybersecurity?
Ans: I am Ankit Sharma, working as a security officer for the Compute BU in Cisco's India Bangalore office. I have 17 years of overall industry experience, of which around 15 years are in the cybersecurity field. I have good experience in vulnerability management, global risk and compliance, ethical hacking, application security, threat modeling, secure code review, penetration testing, cloud security, and AI security. I would like to work on projects where security needs to be implemented from scratch.
Q2. Understanding the Current Investment Landscape
Q2(a): Why do you think many organizations’ leaders tend to invest less in cybersecurity compared to other areas like product development or marketing?
Ans: There are several reasons why organizations and their leaders may invest less in cybersecurity compared to other areas like product development or marketing. Here are some common factors:
1. Perceived ROI (Return on Investment)
- Intangible Benefits: The benefits of cybersecurity investments are often intangible and not immediately visible. Unlike product development or marketing, which can directly contribute to revenue generation, the ROI from cybersecurity is seen in terms of risk mitigation, which can be harder to quantify.
- Cost-Centric View: Cybersecurity is sometimes viewed as a cost center rather than a value driver. Leaders may prioritize investments that have more obvious and direct financial returns.
2. Lack of Awareness and Understanding
- Technical Complexity: Cybersecurity is a highly specialized and technical field. Organizational leaders without a strong background in cybersecurity may not fully understand the risks and the importance of investing in robust security measures.
- Underestimation of Threats: There is often a lack of awareness about the evolving threat landscape and the potential impact of cyberattacks. Some leaders may underestimate the likelihood of being targeted and the severity of potential breaches.
3. Reactive Rather Than Proactive Approach
- Incident-Driven Investments: Many organizations adopt a reactive approach to cybersecurity, investing significantly only after experiencing a breach or cyber incident. This reactive mindset can lead to underinvestment in preventive measures.
- Short-Term Focus: Business leaders often prioritize short-term goals and initiatives that yield immediate results. Cybersecurity, which requires ongoing investment and long-term commitment, may be deprioritized in favor of short-term gains.
4. Budget Constraints
- Resource Allocation: Organizations with limited budgets may prioritize investments that are perceived to have a more direct impact on business growth, such as product development and marketing. Cybersecurity may be seen as less critical in the short term.
5. Misalignment with Business Objectives
- Perception of Security as a Barrier: Some leaders view cybersecurity measures as barriers to innovation and agility. They may fear that stringent security protocols could slow down product development or hinder customer experiences.
- Lack of Integration: Cybersecurity is sometimes seen as an isolated function rather than an integral part of the overall business strategy. This siloed approach can lead to underinvestment and insufficient prioritization.
6. Compliance-Driven Mindset
- Minimal Compliance Focus: Organizations may invest in cybersecurity primarily to meet regulatory requirements and achieve compliance. This compliance-driven approach often results in minimal investment focused on meeting the bare minimum standards rather than implementing comprehensive security measures.
- False Sense of Security: Achieving compliance is sometimes mistaken for being secure. Leaders may believe that meeting regulatory requirements is sufficient, leading to complacency and underinvestment in broader cybersecurity initiatives.
7. Rapid Technological Changes
- Constant Evolution: The rapid pace of technological change and the evolving nature of cyber threats can make it challenging for organizations to keep up. Leaders may struggle to justify continuous investment in a field where the landscape changes so quickly.
- Emerging Technologies: Investments in emerging technologies such as AI, IoT, and blockchain often take precedence, with cybersecurity considered a secondary concern.
8. Cultural Factors
- Risk Tolerance: Organizational culture and risk tolerance play a significant role in investment decisions. Companies with a higher risk tolerance may be less inclined to invest heavily in cybersecurity.
- Leadership Attitudes: The attitudes and beliefs of top leadership regarding cybersecurity can influence investment levels. If leaders do not understand cybersecurity, it may not receive the necessary attention and resources.
Q2(b) What are the common misconceptions among executives regarding the importance of cybersecurity investments?
Ans: I won’t say executives are not aware; rather, I would rephrase it as: a better understanding can help organizations operate in a more secure way. Here are some of the most prevalent misconceptions:
1. “We Are Not a Target”
- Belief: Some executives believe that their organization is too small, not high-profile, or not in a particularly attractive industry to be targeted by cybercriminals.
- Reality: Cyber attackers often target organizations of all sizes and industries. Small and medium-sized businesses can be particularly vulnerable because they might have weaker security defenses. Any organization that holds valuable data or has financial assets can be a potential target.
2. “Compliance Equals Security”
- Belief: Achieving regulatory compliance is often mistaken for having strong security measures in place.
- Reality: Compliance standards provide a baseline for security but do not cover all aspects of a robust cybersecurity strategy. Being compliant does not necessarily mean that an organization is secure against advanced threats.
3. “We Have Never Been Breached”
- Belief: If an organization has not experienced a significant breach in the past, executives might believe their current security measures are sufficient.
- Reality: The absence of a breach does not guarantee that an organization is secure. Cyber threats are constantly evolving, and past success does not ensure future protection. Continuous investment in and updating of cybersecurity measures are necessary to stay ahead of threats.
4. “We Have Strong Perimeter Defenses”
- Belief: Executives might believe that having strong perimeter defenses (e.g., firewalls, antivirus) is sufficient to protect the organization from cyber threats.
- Reality: Modern cyber threats often bypass perimeter defenses through methods like phishing, social engineering, and insider threats. A comprehensive security strategy that includes endpoint protection, network monitoring, and user education is essential.
5. “Cybersecurity Is a One-Time Investment”
- Belief: Some executives think that cybersecurity is a one-time investment rather than an ongoing process.
- Reality: Cybersecurity requires continuous investment and attention. Threat landscapes change rapidly, and new vulnerabilities are discovered regularly. Ongoing training, regular updates, and continuous monitoring are necessary to maintain a strong security posture.
6. “Technology Alone Can Protect Us”
- Belief: There is a belief that investing in the latest security technologies is enough to protect the organization.
- Reality: While technology is a critical component of cybersecurity, it must be complemented by strong policies, user training, and a culture of security awareness. Human factors often play a significant role in security breaches, and addressing these through training and awareness programs is crucial.
Q3. The Risks of Underinvestment
Q3(a): What are the potential risks and consequences for organizations that underinvest in cybersecurity?
Ans: Underinvesting in cybersecurity can expose organizations to a wide range of risks and consequences, including data breaches, ransomware attacks, regulatory non-compliance, operational disruptions, reputational damage, legal and financial liabilities, insider threats, intellectual property theft, and increased insurance premiums.
The financial, operational, and reputational impacts of these risks can be severe, highlighting the importance of adequate cybersecurity investments to protect the organization’s assets, data, and long-term viability. By prioritizing cybersecurity, organizations can mitigate these risks and ensure a more secure and resilient business environment.
Q3(b): Can you provide examples of incidents where insufficient investment in cybersecurity led to significant losses or damages?
Ans: There are various examples and incidents where we can see that insufficient investment in cybersecurity led to significant damage. I can give a few recent examples:
- MGM Resorts Cyberattack (2023) – The attack was reportedly initiated by the ALPHV/BlackCat ransomware group. It’s believed that the attackers used social engineering techniques to gain access to MGM’s systems. Reports suggested that MGM Resorts had insufficient investment in advanced cybersecurity measures and was not fully prepared to handle such a sophisticated attack, especially in terms of employee training and system monitoring.
- Australian Broadcasting Corporation (ABC) Data Leak (2023) – The incident was due to a misconfigured cloud storage bucket that was left publicly accessible. The lack of proper security protocols and investment in secure cloud configuration led to this exposure. The leak included sensitive data such as personal details of ABC employees and internal project information.
The breach led to public outcry, regulatory scrutiny, and damage to ABC’s reputation as a trusted media organization. The incident underscored the need for better investment in cybersecurity practices, particularly in managing cloud infrastructure securely.
- SolarWinds Supply Chain Attack (2020-2021) – Who can forget the SolarWinds attack? This attack forced the industry to think again about less/limited investment in cybersecurity. The attack was linked to insufficient security practices within SolarWinds, including weak password management and insufficient monitoring of their development and build environments. The attackers were able to insert malicious code into a software update, which was then distributed to SolarWinds’ customers. The attack led to significant financial and operational disruptions for affected organizations, including the U.S. federal government. SolarWinds faced severe reputational damage and a sharp decline in stock value. The incident highlighted the importance of investing in robust cybersecurity measures, particularly in the context of supply chain security.
- Acer Ransomware Attack (2021) – In March 2021, Acer, a major computer hardware company, was hit by a ransomware attack where the REvil group demanded a record ransom of $50 million.
The attack exploited a vulnerability in Acer’s Microsoft Exchange servers. Reports indicated that Acer had not invested sufficiently in patch management and incident response capabilities, leaving their systems vulnerable.
While I am not aware of the full financial impact of the attack, Acer faced significant disruptions, including potential data loss and operational downtime. The high ransom demand and the global attention the attack received further damaged Acer’s reputation. The incident emphasized the critical need for investment in cybersecurity, especially in maintaining up-to-date systems and rapid incident response.
Q4. The Strategic Importance of Cybersecurity
Q4(a): Why should organizations prioritize cybersecurity as a critical area of investment?
Ans: Organizations should prioritize cybersecurity as a critical area of investment because it plays a vital role in safeguarding sensitive data, such as personal information, financial records, and intellectual property, from unauthorized access and breaches. Effective cybersecurity measures prevent costly financial losses from cyberattacks, including direct theft, ransom payments, and the high expenses associated with legal fees, regulatory fines, and system recovery.
Moreover, robust cybersecurity ensures compliance with regulations like GDPR and HIPAA, avoiding severe penalties and maintaining legal standing. It also protects an organization’s reputation by preventing breaches that can erode customer trust and lead to long-term damage to the brand. In today’s digital landscape, where threats are increasingly sophisticated, investing in cybersecurity is essential for sustaining business operations, protecting assets, and ensuring long-term resilience and success.
Q4(b): How does cybersecurity contribute to the overall resilience and sustainability of a business?
Ans: Cybersecurity contributes to a business’s resilience and sustainability by protecting critical systems and data from cyber threats, ensuring continuous operations even during attacks. It plays a key role in risk management by identifying and mitigating potential cyber risks, reducing the likelihood of disruptions. This proactive approach not only safeguards financial assets and customer trust but also ensures long-term stability, enabling the business to adapt and thrive in an increasingly digital and threat-prone environment.
Q5. Measuring Cybersecurity ROI
Q5(a): How can organizations measure the return on investment (ROI) in cybersecurity? Are there specific metrics that leaders should focus on?
Ans: Organizations can measure the return on investment (ROI) in cybersecurity by focusing on metrics that demonstrate the value of their security initiatives. Key metrics include:
- Incident Reduction:
  - Measure: Track the decrease in the number and severity of security incidents over time.
  - ROI Insight: Fewer incidents mean lower costs related to breach recovery, legal fees, and operational disruptions, highlighting effective security measures.
- Cost Avoidance:
  - Measure: Calculate the potential financial losses avoided by preventing breaches, including data theft, downtime, and regulatory fines.
  - ROI Insight: Demonstrates the value of cybersecurity by comparing potential losses to the cost of security investments.
- Compliance and Audit Results:
  - Measure: Monitor compliance with industry regulations and the outcomes of security audits.
  - ROI Insight: Improved compliance reduces the risk of penalties and enhances the organization’s reputation, showing a clear return on cybersecurity investments.
- Response Time and Recovery Costs:
  - Measure: Assess the time taken to detect, respond to, and recover from incidents, as well as the associated costs.
  - ROI Insight: Faster response and lower recovery costs indicate efficient security operations, leading to better ROI.
- Customer Trust and Retention:
  - Measure: Evaluate customer feedback, retention rates, and trust indicators following security incidents or improvements.
  - ROI Insight: Maintaining or increasing customer trust after investing in cybersecurity demonstrates its value in protecting the business’s reputation and revenue.
Q5(b): Can you share examples or case studies where cybersecurity investments have clearly paid off for organizations?
Ans: My own organization, i.e., Cisco, has invested well in security, since Cisco's vision is clear about security and resilience. Cisco Talos Intelligence Group, the Cisco SecureX Platform, Cisco Umbrella, the Cisco Zero Trust Security Model, and Cisco Duo Security are a few examples which clearly show that Cisco’s vision for investing in security is to create a secure and resilient digital world where businesses can thrive and innovate without the constant threat of cyberattacks. By offering a comprehensive security portfolio, embracing the Zero Trust model, investing in threat intelligence and research, and focusing on customer-centric solutions, Cisco aims to be a leader in cybersecurity and a trusted partner for organizations worldwide.
Apart from Cisco, there are a few more examples which show how the industry has started taking cybersecurity more seriously:
- Microsoft: Microsoft’s significant investment in cloud security enabled them to detect and mitigate the SolarWinds supply chain attack early, preventing further damage and protecting customer data. This proactive approach minimized the impact compared to other affected organizations.
- Mastercard: Mastercard’s continuous investment in AI-driven fraud detection systems led to a substantial reduction in fraudulent transactions, saving millions in potential losses and strengthening customer trust.
- UK National Health Service (NHS): After the WannaCry attack in 2017, the NHS invested heavily in cybersecurity. By 2020, these investments paid off when they successfully thwarted multiple ransomware attacks, avoiding the operational chaos and costs seen during WannaCry.
These examples demonstrate how strategic cybersecurity investments can lead to significant risk reduction, cost savings, and enhanced business resilience.
Q6. Overcoming Budget Constraints
Q6(a): What strategies can cybersecurity leaders use to convince the C-suite to allocate more budget to cybersecurity initiatives?
Ans: To persuade the C-suite to allocate more budget to cybersecurity, leaders should emphasize the financial impact of potential breaches by presenting detailed cost analyses, including potential losses from data breaches, regulatory fines, and reputational damage. They should also demonstrate how cybersecurity investments directly protect essential business functions and revenue streams, linking these investments to overall business resilience. By using industry benchmarks, leaders can illustrate how their organization’s cybersecurity budget compares to peers and competitors, highlighting any gaps. Sharing recent case studies of similar organizations that faced significant losses due to inadequate cybersecurity can provide concrete examples of potential risks. Lastly, demonstrating the return on investment by showing how proactive cybersecurity measures can prevent costly breaches and ensure long-term stability can further strengthen the case for increased funding.
Q6(b): How can organizations with limited budgets still implement effective cybersecurity measures?
Ans: Organizations with limited budgets can still achieve effective cybersecurity by prioritizing their most critical assets and focusing on essential protections. They should leverage open-source or affordable security tools and solutions that offer robust capabilities at a lower cost. Emphasizing employee training helps to mitigate risks associated with human error and social engineering. Implementing best practices such as regular software updates, patch management, and network segmentation can enhance security without significant expenditure. Additionally, collaborating with industry peers for shared threat intelligence and utilizing government resources or cybersecurity frameworks can provide valuable support and guidance without straining budgets.
Q7. The Role of Cybersecurity in Business Growth
Q7(a): How does a strong cybersecurity posture contribute to business growth and customer trust?
Ans: A strong cybersecurity posture supports business growth and customer trust by safeguarding sensitive customer data, which prevents costly breaches and damage to the company’s reputation. It ensures compliance with regulatory requirements, avoiding fines and legal issues that could hinder business expansion. By demonstrating a commitment to security, the organization builds customer confidence, which helps attract and retain clients. Additionally, secure systems enable the safe introduction of new products and services, fostering innovation and growth. Effective cybersecurity also reduces downtime from attacks, ensuring consistent service and operational efficiency. Overall, a robust cybersecurity framework reinforces the organization’s reliability and stability, enhancing customer loyalty and contributing to long-term business success.
Q7(b): Can investing in cybersecurity give organizations a competitive advantage in today’s digital economy?
Ans: Yes, investing in cybersecurity can give organizations a competitive advantage in today’s digital economy. Strong cybersecurity measures protect sensitive data and prevent breaches, which helps avoid financial losses and reputational damage. This builds trust with customers, who are increasingly concerned about data privacy and security. A solid cybersecurity posture also ensures compliance with regulations, reducing legal risks and penalties. Additionally, it supports innovation by enabling secure deployment of new technologies and services. By demonstrating a commitment to security, organizations can differentiate themselves from competitors, attract and retain customers, and enhance their overall market position.
Q8. Cybersecurity and Compliance
Q8(a): How does investment in cybersecurity help organizations meet regulatory requirements and avoid costly penalties?
Ans: Investment in cybersecurity helps organizations meet regulatory requirements and avoid costly penalties by ensuring compliance with data protection and privacy laws. By implementing robust security measures, such as encryption, access controls, and regular audits, organizations can protect sensitive information and demonstrate adherence to regulations like GDPR, HIPAA, and CCPA. This proactive approach reduces the risk of data breaches and the associated legal and financial consequences. Moreover, effective cybersecurity practices facilitate timely and accurate reporting of incidents, further aiding in compliance and minimizing potential fines or sanctions.
Q8(b): What are the long-term financial benefits of staying compliant through robust cybersecurity measures?
Ans: Staying compliant through robust cybersecurity measures offers long-term financial benefits by helping organizations avoid substantial fines and legal fees associated with non-compliance. Effective cybersecurity reduces the risk of data breaches, which can incur high costs for breach remediation, including legal settlements, customer notifications, and system recovery. A strong security posture may also lead to lower cybersecurity insurance premiums by presenting a lower risk profile to insurers. Additionally, protecting customer data builds trust, enhancing customer loyalty and potentially increasing revenue. Furthermore, robust cybersecurity prevents operational disruptions and downtime, ensuring smooth business operations and reducing lost revenue. Proactively meeting regulatory requirements can also lead to favorable treatment from regulators and quicker resolution of compliance issues.
Q9. Future Trends and Investment Strategies
Q9(a): What future trends do you foresee in cybersecurity that might require increased investment?
Ans:
- AI and Machine Learning: Enhanced use of AI for threat detection and response, necessitating investment in advanced AI technologies and skilled personnel.
- Zero Trust Architecture: Growing adoption of zero trust models to verify every access request, requiring investment in new technologies and strategies for comprehensive security.
- Cloud Security: As cloud adoption increases, stronger cloud security solutions and management practices will be essential.
- IoT Security: Expanding Internet of Things (IoT) devices will necessitate improved security measures to protect against new vulnerabilities.
- Quantum Computing: The potential impact of quantum computing on encryption standards may require investments in quantum-resistant security solutions.
- Regulatory Compliance: Evolving data protection regulations will demand continuous updates and investments to maintain compliance.
- Cybersecurity Skills Shortage: Investing in talent development and training to address the ongoing shortage of skilled cybersecurity professionals.
These trends highlight the need for ongoing and increased investment to stay ahead of emerging threats and secure future technological advancements.
Q9(b): How should organizations adjust their cybersecurity investment strategies to stay ahead of emerging threats?
Ans: Actually, I have already answered your question above, but let me elaborate on the same in a different manner:
- Adopting Emerging Technologies: Invest in advanced AI and machine learning for threat detection and response.
- Implementing Zero Trust: Shift to a zero-trust architecture to continuously verify access.
- Enhancing Cloud Security: Focus on robust cloud security solutions and management.
- Securing IoT Devices: Invest in specialized security for IoT environments.
- Preparing for Quantum Threats: Explore quantum-resistant encryption technologies.
- Meeting Regulatory Changes: Stay updated with compliance requirements and invest in necessary updates.
- Developing Talent: Invest in cybersecurity training and talent development to address skills shortages.
These adjustments help organizations remain resilient and responsive to evolving cyber threats.
Q10. Final Thoughts
Q10(a): What is your key message to organizational leaders who are hesitant to invest more in cybersecurity?
Ans: Investing in cybersecurity is essential for protecting your organization’s assets, maintaining customer trust, ensuring regulatory compliance, and safeguarding against costly breaches. The financial, reputational, and operational risks of underinvestment far outweigh the costs of robust security measures. Prioritize cybersecurity to secure your organization’s future and enable confident growth.
There is a famous saying in India – “The grandfather buys, and the grandson distributes (or enjoys)”. This saying reflects the idea that the older generation makes the investments or purchases, while the benefits or profits are enjoyed or distributed by the younger generation. It underscores the generational transfer of wealth or resources, where one generation’s efforts and investments lead to the prosperity or enjoyment of the subsequent generation. It can also imply that the fruits of labor or investments made by elders are passed down and utilized by their descendants, and I can say this phrase suits cybersecurity investment in the same way.
Q10(b): How can they start building a more proactive and secure environment today?
Ans: To build a more proactive and secure environment, organizations should:
- Conduct Risk Assessments: Identify and prioritize cybersecurity risks.
- Implement Access Controls: Use multi-factor authentication and limit user permissions.
- Update Software Regularly: Apply security patches and updates promptly.
- Train Employees: Educate staff on recognizing and responding to threats.
- Develop Incident Response Plans: Prepare and test plans for handling breaches.
- Invest in Threat Detection: Use advanced tools for real-time threat monitoring.
- Foster a Security Culture: Embed security practices into the organizational culture.
Conclusion: Thank you for taking the time to share your expertise with our readers. Your insights will greatly contribute to the understanding and advancement of “Why Organizations’ Leaders Invest Less in Cybersecurity, Why They Should Invest More, and What Is the Cybersecurity ROI for Companies”. We look forward to finalizing your interview and publishing it on Cybercory.com.