One explanation: for many organizations and cybersecurity professionals, assessing the return on investment (ROI) of cybersecurity remains a complex exercise. It is often a taboo for the current generation of CISOs, who still rarely speak the language of the financial world. Moreover, while current cyber methods are very good at assessing risk at the level of a single application or IS project, they do not scale easily to the level of an entire group.
How many companies have evaluated the ROI of their cybersecurity? There is no reassuring standard today for conducting this complex exercise. Because it combines financial, HR, marketing and, of course, cyber expertise, it is a know-how that is not widely shared. Unlike technical or compliance work, it is difficult to entrust this exercise to inexperienced profiles. The consequence is brutal, and it would not be acceptable in many other business contexts:
As for the volume of cyber efforts and their distribution across topics, no one knows whether the company is over- or under-qualified.
Before the National Assembly, in June 2021, Guillaume Poupard, Director General of the ANSSI (National Agency for Information Systems Security), declared: _France wants to be a powerhouse in cybersecurity, but given those against whom we are fighting, the disproportionality of means makes it essential to use our resources well. In this respect, I constantly remind my teams that inefficiency is not conceivable. This approach applies internally as well as with all our public and private partners at the national and European levels._
At every level, the proper use of cyber resources is therefore key. But to assess that use, we need objective criteria, and such criteria are not widely shared. Studies do exist, but the practice remains too rare.
However, we must recognize that many companies already know whether they are merely cyber-compliant or, on the contrary, "best in class" in their field, thanks to internal and external audits, insurers, authorities and regulations of all kinds, which are putting increasing pressure on the cyber topic. And thanks to analyst firms such as Gartner, companies have benchmarks that allow them to compare themselves with their peers. This is a step toward mastering the cyber subject.
Yet, for cybercriminals and cyber spies, it does not matter whether a company is compliant or not, nor where it ranks among the best "cyber" students. All that matters is the objective and the path of attack.