Driving Cybersecurity Performance is the latest global research initiative to be released by ESI ThoughtLab, Econsult Solutions' thought leadership arm. The study includes an in-depth global survey of CISOs in companies spanning the Americas, Europe, and Asia Pacific and represents firms of varying sizes, from $50 million to over $50 billion in revenue. Full findings are now publicly available by visiting the Driving Cybersecurity Performance microsite.

ESI ThoughtLab would like to give special thanks to our program sponsors including Verizon Business, KnowBe4, Arceo.ai, Optiv, Fiserv, Check Point Software Technologies and Cowbell Cyber. Without their active participation on our advisory board, and in-depth knowledge of cybersecurity best practices, this program would not have been possible.

Digital innovation is a double-edged sword: while essential for driving performance in today's interconnected world, it exposes firms to greater cybersecurity risks. Although firms have made major improvements in cybersecurity, there is more to be done. CISOs need to revise their cybersecurity strategies to encompass proactive prevention along with a deep understanding of the risks their companies face and the heightened nature of today's sophisticated cyberattacks. To help CISOs do that, ESI ThoughtLab worked with a coalition of cybersecurity, cyber insurance, and technology experts from leading companies and associations to answer a central question: How can firms drive the best cybersecurity performance in today's complex digital world?

To conduct the cybersecurity analysis, ESI ThoughtLab's team of economists and digital specialists used a rigorous, mixed-methods research approach that included the following elements:

• A cross-industry survey of 1,009 companiesto collect internal cybersecurity benchmarking data and insights into their cybersecurity approaches and results.
• Cost-benefit analysisto quantify the full direct and indirect impacts of cybersecurity investments and strategies on costs and revenue.
• ROI modelingto measure the impact of cybersecurity investments on risk probabilities and reduction in the number and size of losses.
• Quantitative correlations of cybersecurity data provided by Verizon Business, split by company, with our survey output to provide another lens for analyzing effectiveness and maturity.
• Input from a high-level advisory boardof industry executives and cybersecurity experts to shape the research agenda, analyze the survey results, and validate the research findings.
• In-depth interviews with 20 cybersecurity thought leaders, including CISOs and other senior executives across industries as well as cybersecurity experts from around the world.

ESI ThoughtLab's study of 1,009 worldwide firms in 13 industries found that CISOs, on average, gain a massive ROI of 179% on their digital investments. To achieve these returns, CISOs need to construct resilient cybersecurity programs built around evidence-based analysis and a deep understanding of the evolving risks they face.

The rise in cybersecurity investment

Digital transformation continues to expose companies to new risks and vulnerabilities as they adopt emerging technologies, digital processes, and new business models. The COVID-19 pandemic is accelerating these trends as companies embrace remote working and rethink supply chains, while consumers ramp up their use of digital shopping and banking, as well as remote medicine, communication, and entertainment.

To cope, companies are investing more in cybersecurity, with an average increase of 12% in 2019 and 14% targeted for 2020, although these budgets may change as the pandemic plays out. In 2019, the companies in our sample spent about $9.6 million each on cybersecurity, about $515 per employee. Cybersecurity leaders, those firms most advanced in cybersecurity effectiveness and compliance, spent far more: $15 million, or about $618 per employee. The largest share of investment budgets went to technology (39%), followed by people (32%) and process (28%). This spending pattern held relatively constant across companies of different sizes, industries, and cybersecurity maturity.

The payback on cybersecurity

On average, firms see an overall ROI of 179% from their cybersecurity investments. That means that every dollar of investment generates almost $2 in benefits. ROI on investments range from 271% for investments in people, to 156% for process, and 129% for technology. The least cyber-mature firms recognize the highest ROI, since they have more to gain. Companies experience diminishing returns as they become more cyber mature. In all, the additional cybersecurity spending last year by the 1,009 firms we surveyed—which amounted to $1.4 billion—has enabled them to reduce their combined potential losses by an estimated $3.9 billion.

Companies need to do more

Despite their investments, our survey respondents lost $4.1 billion from cyberattacks in the most recent year, an average of $4.1 million per firm. The losses stemmed from 28,100 successful breaches, averaging about $330,000 per breach. While the lion's share of these breaches were minor (meaning they affected only a small number of people and machines), about 20% of breaches were moderate and about 1% were material, defined as generating a substantial loss and requiring disclosure. Insurance and financial firms suffered the most attacks, and financial, retail, hospitality, and automotive firms sustained a disproportionate number of material breaches.

Even before the COVID-19 pandemic, the greatest losses came from malware (66%), phishing/social engineering (60%), and password/credential reuse (49%). Cyber criminals were seen to be the biggest threat actors. As business goes more digital over the next two years, executives also expect an increase in attacks through artificial intelligence (38%), denial of service (34%), and web applications (29%). With geopolitical and social unrest growing, and greater economic volatility ahead, firms are bracing for a rise in cyber terrorism and attacks from nation-states. For many CISOs, the challenge will be how to do more, with potentially less, if budgets are streamlined for the post-pandemic aftermath.

Taking cybersecurity to the next level

Adding to the complexity, companies have tended to underestimate their exposure to breaches. While the average firm in our study assigns a 45% probability to experiencing a moderate or material breach in 2020, our analysis shows a much higher probability, ranging from 62% to 86%.

To reduce risk probabilities, CISOs must go well beyond compliance with cybersecurity frameworks, such as NIST, ISO, and others. For example, only 64 of 151 companies (42%) that evaluated themselves as NIST compliant are rated as being leaders in their cybersecurity practices in the study. Rather than applying NIST as a box-ticking exercise, cybersecurity leaders need to better align such frameworks with their business goals, strategies, and individual risk profiles. Cybersecurity leaders also combine analysis from advanced quantitative tools and input from internal business partners and third-party experts to make the best decisions.

Best Practices of Cybersecurity Leaders

• Continuously up their game. Because they are in an arm's race with cyber criminals, CISOs need to keep their cybersecurity programs ahead of the curve. To do this, leaders spend about 25% more than others on cybersecurity per employee, increase those investments each year more than the average, and invest more in recruiting specialists, working with consultants, and training, such as end-user security awareness training with simulated phishing.
• Make cybersecurity hygiene a top priority. Leaders have the lowest percentage of unpatched "critical" or "high" vulnerabilities based on CVSS scores (18% for leaders vs. 28% for others). They also do more frequent backup restoration drills (5.6 times a year vs. 4.3 for non-leaders) and IT infrastructure scans (4.9 vs. 3.8), and more phishing tests (5.1 vs. 4.4).
• Keep management teams focused and aligned. Cybersecurity heads typically report into the CEO, COO, or the Board in leader companies. CISOs at these firms focus more on security than IT (75% of leaders) and play a bigger role in digital transformation (57%), managing data privacy (54%), and operational resiliency (49%). They are more likely to have two executives share responsibility for cybersecurity, such as the CIO and CISO, or the CISO and CSO.
• Rely heavily on advanced analytics and specialized teams. More than 8 out of 10 leaders conduct cyber-risk scenario analysis, assess the financial impact of risk events, and measure the effects of mechanisms to mitigate cyber risks. Leaders also outsource incident response, red team, risk management, and security ops more often than others.
• Extract greater value from cybersecurity tools. Leaders invest more in—and get greater effectiveness from—key cybersecurity technologies, including cloud workload security, endpoint detection, mobile device management, deception technology, email filtering, multi-factor authentication, and firewalls and web filtering.
• Gain greater value from cybersecurity insurance. Leaders rely more on insurance to transfer risk: 57% have cyber insurance coverage over $10 million, versus 30% of non-leaders. Overall, 60% of firms plan to spend more on insurance over the next two years. While more than half believe that insurance is well worth the cost, the share is even greater for leaders (68%).

During his more than 35 years of research, marketing and publishing work, Lou Celi has helped top organizations build their businesses by engaging corporate and government decision makers. Prior to setting up ESI ThoughtLab, Mr. Celi was board director and president of Oxford Economics, where he built the firm's successful business in the Americas and set up its global thought leadership practice.

Daniel Miles is the Chief Economist for ESI ThoughtLab, Econsult Solutions' thought leadership arm. Prior to joining ESI, Dr. Miles was a senior economist in the New York office of Oxford Economics where he led a multinational team of economists based in New York, Belfast and London.