Enterprises are spending billions to reduce digital risk, yet cybercrime keeps growing. Why is cybersecurity not changing the situation? The problem isn’t with technology but with selling more security software without aligning it to business risks.
In early July, online criminals posted a text file to cybercrime channels that contained nearly 10 billion passwords collected from cyber breaches across the internet. Yet neither the number of passwords nor the file’s existence is a surprise. Instead, it has become a recurring event: in 2021, a similar text file exposed over 8 billion accounts.
Such incidents prompt scepticism about whether cybersecurity is working. There seems to be little correlation between what the world spends on security and any reduction in cybercrime. While the global cybersecurity market has grown from US$83.32 billion in 2016 to US$185.69 billion today, cybercrime’s cost to economies ballooned from US$800 billion in 2016 to US$9.22 trillion in 2024.
Is cybersecurity working? It’s a complicated answer, says Gerhard Swart, Chief Technology Officer at cybersecurity company Performanta. “If we measure success on an individual company level, then many examples of cybersecurity work very well. However, there are many more targets out there, and criminals keep adapting because cybercrime is a very lucrative and easy criminal career. Still, cybersecurity does work. The question should be whether companies get enough value from their cybersecurity investments. And the answer is no.”
Sales over value
Low value from security investments often means poor security. The cybersecurity market has developed a habit of confusing value with sales. When a company encounters a cyber risk, such as a breach attempt, the tendency is to look for an answer to close that gap – and the most common response from cybersecurity providers is to sell another product to them.
“The cybersecurity market has a sickness – it wants to sell, sell, and sell,” says Swart. “If a business comes across a security risk, they often think they lack something in their defence strategy. They are usually offered a new solution for a specific problem when they consult with the market. But this creates more technical debt when you don’t combine your security and align it with business priorities.”
No single piece of software can address a cyber risk. For example, a company might want to mitigate data leakage, so it adds data leakage protection (DLP) software. This action is sensible since DLP software can stop data from disappearing. However, that company also uses a central information hub like Microsoft SharePoint or Google Workspace.
Has that software been configured correctly, and does it collaborate with the DLP software to ensure data security? What about user accounts? Have they been checked to limit unnecessary permissions that criminals could exploit? And what is the status of system patching?
“Good security comes from good integration, processes, and management,” says Swart. “If you just keep adding new software without following those principles, you’re creating new gaps that lead to cyber risks.”
The cybersecurity market’s focus on reducing digital risk by selling more software is counterproductive. Swart says: “If you’ve been investing in cybersecurity for a few years and are still dealing with big risks, you likely already have the tools to reduce those risks. You need to consolidate your management of those security systems and get them to work together. Most crucially, the business must own these programmes. You won’t get what you need if you just pass it along as an IT project.”
Safety through risk mitigation
When companies treat security as primarily an IT issue, they undermine themselves. IT-focused security will reflexively deal with IT-related security issues, not business-related risks. Security won’t be reinforced by good data governance or security-aware employees. It also wastes money because security efforts will try to cover everything rather than prioritise the biggest business risks.
“If you analyse your data risks and discover that ten percent of that data is very critical, and you focus most of your resources on addressing those risks, you’ll spend a lot less and still reduce most of your biggest risks,” says Swart. “The ability to focus your cybersecurity efforts makes an enormous difference, and that’s what’s lacking when the market emphasises selling new solutions to address security events. You end up with sprawling, reactive, and slow security.”
When companies understand and prioritise according to business risks, they build the three pillars of good modern cybersecurity: fast responses to incidents, clear command and control over all cybersecurity services, and proactive/pre-emptive security tactics. New security frameworks, specifically Gartner’s Continuous Threat Exposure Management (CTEM), show how to focus security on the right risks. There is also an emerging trend of security services focusing on unifying and integrating existing security environments rather than piling on more products, such as Performanta’s SafeXDR.
“Increasingly, the way to get proper value from security is through a programme to use your technology better, reduce your technical debt, and, above all, reduce redundancy and leave more cash for you,” says Swart. “Yes, that’s selling a new solution. But the difference is that these programmes don’t address another gap. They consolidate what you have and align it with your risks, which is what’s been missing and why cybercriminals keep thriving despite all the money spent to stop them.”