Investments in cybersecurity: The five mistakes that prevent the CISO from being successful

Thiago N. Felippe, CEO of Aiqon, outlines five mistakes that prevent CISOs from making successful cybersecurity investments.

Organizations already know they have been attacked, their systems breached and critical data leaked. This reality, according to Gartner, explains why the global market is investing US$4.3 billion in cybersecurity in 2024.

It’s a staggering figure, but it doesn’t come close to the losses caused by digital attacks: US$9.5 trillion in 2024, according to a study by Cybersecurity Ventures. Another report from Gartner indicates that this year, many CIOs intend to increase spending on digital security solutions and services by 80%.

The complexity of Brazil’s digital economy is such that the desire to invest does not guarantee achieving the expected results with the implementation of new security solutions. A global analysis conducted in early 2024 indicates that 95% of organizations have postponed putting new cybersecurity projects into production. Especially when the solution is disruptive, 36% of projects experience failures during the development phase.

Behind these statistics are errors that require correction before the acquisition and implementation of cybersecurity solutions are realized.

1. Lack of alignment with the business and process failures. According to the World Economic Forum Global Cybersecurity Outlook 2024 – a study based on interviews with 199 IT and security leaders from global companies – the biggest impediment to the success of cybersecurity projects is transforming legacy systems and continuously updating business processes. To avoid these pitfalls, it is essential for the organization to have clarity about its processes and its level of digital maturity. It is up to the CISO to thoroughly understand the company’s value chain, identify critical business processes, and then build a picture that reveals the digital nature of this universe. Through hiring a consultancy or utilizing internal resources, it is possible to measure the company’s digital maturity based on market benchmarks such as NIST (National Institute of Standards and Technology). While ISO 27001 has 127 controls to be checked, NIST is organized into 23 categories and 108 subcategories. One of the most critical criteria concerns the organization’s sensitive data. Another important tool is the TOGAF framework (The Open Group Architecture Framework). This platform aligns the user company’s main processes with the technology elements that support these workflows, indicating the degree of alignment between these two universes. This preliminary assessment helps the CISO clearly see the company’s level of digital maturity and then design a roadmap for new cybersecurity acquisitions according to the organization’s actual needs. Without completing this step, the CISO may end up acquiring solutions that are market trends but do not always meet the demands of the user company.
2. Absence of an ITDI and an ISDI. Organizations that cannot plan adequately are doomed to live from one surprise to another, without governance, without strategic planning. It is in this context that the Information Technology Master Plan (ITDI) and the Information Security Master Plan (ISDI) come into play. Based on the mapping of processes and business needs, essential plans are developed to justify, before the board, the IT and security budget. It becomes easier to prove, through ROI calculations, the impact of the cybersecurity solution on the company’s business performance. It is this positioning that will help the CISO obtain approval for projects capable of effectively protecting the current and future processes (innovation) that support the company’s value chain.
3. Problems with change management. By its very nature, each new security project will impact the company’s employees and customers’ routines. It is essential, before implementation begins, to gain the engagement of sponsors and stakeholders – in many cases, the business areas – before deploying the technology. Delicate communication work is necessary. In this context, the cybersecurity team will have to balance the intervention of the new solution with business demands, which cannot be hindered by the new technology acquired by the CISO.
4. Lack of integration between technical teams. The introduction of a new cybersecurity solution will inevitably affect the infrastructure and network areas. That is: change management also involves assessing the impact of the new offering on the company’s ‘n’ environments. The challenge is to ensure that diverse teams, evaluated based on varied KPIs, work together to make the new security technology beneficial for infrastructure managers as well. Those who achieve this cohesion will gain speed in innovating their digital processes securely.
5. Outdated technical knowledge of the security team. The complexity of companies’ digital environments is indeed challenging. A study released last year revealed that worldwide, 85% of companies operate both legacy and modern applications – of this total, 20% use up to six different cloud environments. Meanwhile, digital gangs work 24×7 to exploit vulnerabilities and launch new scams and frauds. Faced with this scenario, it is essential for the technical team to receive incentives to continuously study new technologies and threats.

Those who manage to address these challenges will achieve tangible advantages. According to Accenture’s 2023 State of Cybersecurity Resilience study, companies that effectively align technology with business, update their processes, and continuously invest in the training of both cybersecurity professionals and users/consumers have something to celebrate. These organizations are referred to by Accenture analysts as ‘Cybertransformers’ and stand out for reducing breach-related losses by 26%, as well as having an 18% higher chance of increasing their revenue.

Zero Trust approach applied to technology selection

This type of advancement requires a new mindset from CIOs and CISOs. It’s time to apply the ‘Zero Trust’ concept to the selection of new security solutions for the company. Just as in ZTNA, where all access is under scrutiny and must be checked to be granted, it’s worth looking at market options skeptically.

The goal is to go beyond research institute recommendations and conduct tailored PoCs and PoVs for the company’s digital maturity. And in this process, to question everything, verify each promise, perform critical tests and listen to testimonials from other CISOs. The result of this approach will be a choice, purchase and implementation process of cybersecurity with fewer errors, entirely based on facts. It’s a way to ensure that the investment made at the CISO’s direction in new technologies always ends successfully.