According to the above-mentioned PwC survey, as many as 91% of the respondents have adopted a risk-based cybersecurity framework, such as ISO 27001 or NIST Cybersecurity Framework. However, as we can see from the numbers - "adoption" does not necessarily mean proper implementation and maintenance of the framework. External experts and partners, company employees and top management should all participate in risk identification and cybersecurity knowledge sharing. Otherwise, you may overlook critical risks, or mitigate wrong risks spending money on something you don't need.
Risks should be carefully and continuously monitored and re-assessed before spending any money on new defensive technologies against emerging threats that are quite often exaggerated by vendors, or just not applicable to the corporate IT infrastructure.
Jan Schreuder, Partner, cybersecurity leader from PwC Switzerland comments: "We are also seeing that many organizations are investing in security technologies without first having the people with the skills to properly implement or operate those technologies. Investing in improved cybersecurity capabilities starts with people - recruiting and training people with the right skills, or getting access to them through a service provider. When you have the right people in place the return from your investment in security technologies increases exponentially, in the form of risk reduction or enablement of your business. In my view the most effective security teams have "smart people with smart tools" - without the smart people the tools will never be that smart."
Therefore, if we don't want the cybersecurity bubble to burst, we should first think which risk a particular cybersecurity product or solution mitigates, then ask ourselves if all the risks with higher priority have been already addressed, and only after, we should start conducting an RFP to select the most competitive product on the market. Otherwise, you're pouring money down the drain.
Sign up for CIO Asia eNewsletters.