Cybersecurity spending is ever-increasing. Gartner estimated that cybersecurity spending in 2022 totaled about $172.5 billion, up more than 12% from 2021. 1At the same time, breaches have never been more prevalent or damaging. From high-profile breaches at LinkedIn and the Brazilian government to the aftermath of Log4shell, it’s become evident that our traditional technology-centric approach to cybersecurity isn’t working. Success requires an innovative approach that takes into account individual and team preparedness and resilience.
Investments continue to pour into cybersecurity. Sixty-nine percent of organisations predict a rise in cyber spending in 2022 compared to 55% last year. More than a quarter (26%) predict cyber spending hikes of 10% or more; only 8% percent said that last year.
Organisations know that risks are increasing. More than 50% expect a surge in reportable incidents next year above 2021 levels.2
– PwC 2022 Global Digital Trust Insights Survey
Technology alone will never solve our problem
Organizations often think of defense in terms of technology. From next-generation firewalls to the latest XDR, SASE, CSPM, SAST/DAST/IAST solutions, there is a natural inclination to throw more money at the problem. This is understandable. Each of these tools has a clear role to play as part of a layered defense, but they all have one thing in common: the perception that they alone will make the organization safer. This has turned out to not be the case. In a continuous security arms race, we will never have enough technology to solve our problem and there is a clear reason why: cybersecurity is ultimately about people and teams.
“The human element continues to drive breaches. This year 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.”
– Verizon Data Breach Investigations Report 2022
“Only amateurs attack machines; professionals target people.”
– Bruce Schneier 3
Think in terms of teams
Many organizations approach the “people” side of cybersecurity with a checkbox mentality. They provide a training platform and call it a day. It’s time to stop pretending that investments in technology and legacy training are enough to provide an adequate defense.
Instead of thinking about the human element of cybersecurity as being about individuals, think about it instead in terms of teams. There are multiple roles that teams play in the organization, from understanding and responding to risk at the C-level to security teams waiting to respond to the next log4shell. Employees across the company are challenged by phishing and even social engineering attacks. Within each team are people with unique strengths and weaknesses. Cybersecurity leaders need to understand how they will impact their organization’s resilience in the event of a real-world incident.
You are going to be breached. This is the unfortunate reality for any organization in 2023. The key question to consider is this: how do I know if we’re prepared? The answer to this question requires more than a spreadsheet of training scores. In order to understand how teams will perform in a cybersecurity incident or crisis, people and teams need to be tested using realistic scenarios that simulate a real-world threat.
The path forward
With the economic headwinds facing us in the second half of 2022 and beyond, throwing more money at traditional cybersecurity solutions is a losing proposition. But there is a way forward:
- Make the most of your investments by ensuring that they will be used effectively both prior to and in the event of a crisis.
- Understand how your people and teams will work together and where their strengths and weaknesses lie.
- Fill those gaps and continuously exercise your teams until you can prove that they will be resilient in the fact of growing cyber threats. This requires realistic simulations of cybersecurity crises and incidents that span from techs to execs.
This approach is no longer optional. Company boards and customers are requiring visibility into cybersecurity risks and demanding proof of resilience. Governments are enforcing standards that would have been unthinkable a few years ago and regulations are only growing more complex. We can no longer spend our way out of our cybersecurity challenges.
But with the right mindset that takes into account the human element and approach to cybersecurity, we can make the most of our investments while measurably reducing risk.
