KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Great. Thank you. Yeah. So as I said, my discussion would be about return on investment. And the question is how, how can we get something out of our investments in cyber security? And moreover is how can we make our CFOs CPOs and the CEOs understand what is this for this investment? I will start with with this picture. And Rosa Maria had this morning, similar picture a bit older from six years ago. This picture from Kaki shows the events, the, the cybersecurity attacks happening in a fraction of a second over Germany.
And we are having here in Germany in a year about 5 million, sorry, in a, in a, in a day about 5 million attacks, we choose compared to the number of the other attacks in, in the physical world, about 365 less. So if you guess we have here in the, in the digital world, the same number of cyber attacks as we have. So we have sorry in the physical world in one year, as we are having in one day in Germany and they are causing about 100 billion euros losses only in Germany per year, actually Germany, according to the tops between place two and place four worldwide in the most attacked countries.
So yeah, of course the first one is United States and we're having a couple of others, which we are competing with. If I can put it like this, but the question is, why is that happening? And this is happening because we, we are having a cat and mouse game basically. So on one side we are having the hackers. We have the best knowledge and they, the best tools and they know what to do, and they target us either random or they want specifically something from us.
And on the other side, we are having the company, the digital companies, which most of the cases do not have the cybersecurity as a core capability. And they rather do not know what is to do. And actually according to, to a, a quiz online made by digital guardian, over 4,000 CISOs, about 71% of, of the companies worldwide, statistically struggle to understand what are this is. But in order to understand the, is we need to understand what is the return of investment, first of all, and the return of investment.
If we would go at the point form, it's basically a split between the gains and the investments, the capital investments. So on one side, okay, we, we, we invest in some asset, but for this investment, we want to have either an income or we want to, to reduce the expenses for the hackers. This equation is quite simple.
Yeah, the, the, the, they should invest less and they should get more and more profit. It is less simple for, for the defenders. And I would go now just slightly a bit into the mathematics. I'm not gonna stay too much on this, but if we transform this in, into a mathematical equation, we see it as such the, the hackers want to maximize their net revenues, right? While minimizing the, the, the capital investment. On the other side, the, the defenders want both to minimize their variable costs with the different controls. They are investing it for, for the cybersecurity and sorry.
And they want also to variable to minimize the variable costs, which are coming from those possible losses, losses from successful cyber attacks. So this could be transformed in, into a mathematical equation, which probably is less interesting for you. And this is why I created this continuum of, of attacks. Maybe this, this shows better what is happening.
So I, I have already discussed about this cat mouse game. So basically what are the records doing and what are the, the defenders doing? And if we are looking at this graph on the, on the left side, we are seeing the, the number of threats and in the physical world, the number of threats is quite limited to the physical area where we're living.
Of course, there is some kind of yeah, possibility to move. So someone is coming from another region in our region to, to perform whatever attack, but in the digital world, these threats can be everywhere on the entire planet. So generally we can look at this number of threats, as similar to everyone into this, into this digital world. On the other side, we're having the threat capability. The threat capability is different, depending on who attacks us. It is one thing if a nation state is trying to invest our to, to attack us for whatever against they would have.
And it is a completely other thing, if a script PD who is just starting into this business is trying to attack us, and this is why we need to do a look at this as such. And we need to invest exactly as much to, to reduce this, this threat potential over our assets. Yeah. So if I look here, we, we need always to take in consideration, what is the, the risk?
I am minimizing with a specific mix of cyber security controls, whether they are tools or processes or activities that we are performing, which would minimize the, the number of threats and also which all minimize or would target the threat agents, which are really afraid for our company. And since we are here, the question is, okay, I want to minimize this risk, but what is this specific risk? And we are heading basically six types of risks. When we want to minimize the risk. We basically want to minimize the possible losses, which are generated by the accomplishment of this, of this waste.
And we are having the productivity cost. And as an example, you can think of, for example, when, when you are having an enterprise manufacturing company and your production line is stopped, then the product due to a cybersecurity attack, then you have productivity costs. There are many other examples. And you can imagine also in your company, what this could be, we have answer costs. So for example, when, when an attack is happening and this is successful, or maybe still not successful, we should try to answer to this attack. And these are answer costs.
They may be technical, but they also be, can be, can be PR costs or can be legal cost. And so on, we are having replacement costs, just a simple example. Imagine you are having an owner online shop and private information has been stolen. And among this is also credit card information. And then if you don't have an insurance, probably the credit card company will come to you and will say, you will have to pay for the replacement of the credit card. And every credit card costs between 10 and 20 years.
So these are replacement costs, but you can imagine also other things, internal manufacturing company or so on competitive advantage time, especially the nation state programs, but also other competitors are having these kind of products to steal IP from competitive competition. And if they get to your data and to your information, then this is a loss for you, the five and judgements, and the best example is GDPR, but there are many others depending on your region and area all over the world. And of course not, not least is a company reputation.
So what can we do to, to minimize the effect on the company reputation in case of a successful? So these are variable losses that we try to minimize. Okay. But also we try to minimize the investment and if we want to have a defense in depth, and we have to to think that many types of controls and today it was a very good discussion all over the day. And I enjoyed it a lot. So I believe this, this shows exactly or almost exactly what has been discussed. We are having the identification control. So we about authorization and access, and we had the last pass and log in discussion.
We're having the preventing control. And here, for example, RSA has today very good discussion on this. And also the other one, we are having the VE controls again, the a so solution here is very, very useful for this. We're having the answer and replacement cost, for example, an incident response team, but also a backup program, which would help us or the standard regulation. And we have seen today that in Germany, this is particularly more important. I believe it was in the very first feature of today.
And we are having also the communication and interfaces, which is something that is often, it is about this governance. It is about what should be done in case of an attack. Okay.
I, in order to, to resume the, to, to final or summarize the discussion, there are many type of controls, but we should think in our files, what exactly do we really need? And in my opinion, in order to have a return on investment, on a cybersecurity program, we should start first with the risk management program. We should quantify our risks based on our set and possible threats. We should look, of course, also the compliance that we, we have to perform.
And based on this identify, which is set, we have to, to secure, but is also may very important is, and it is often neglected is it is very good to have always a backup recovery mechanism. So that business continuity management that rhino has discussed in the morning, and we are having also the secure software development. This is especially important when you are buying another off the shelf product, but you are buying a product which is tailored for you, a software product, which is tailored for you.
On the other side, it is very good to have a so and threat intelligence and then identity and access management. We have seen today how good they are in minimizing this risks and with a very good investment and in the green ones, these are specific for your business needs. And you have to think of, okay, I'm in IOT and maybe I need more client security, or I may working more with data and I need information security and so on. And just to finalize, these are security controls, and they are covering processes.
They are covering covering activities and so on, but there are other activities that you can't perform without investing in a specific control. You should look at all the controls that you have already invested in.
Yeah, let's say a network firewall, a EDR solution, whatever, what are the synergies between them? How can I use them in order to cover this, this, this risk and to protect my, you should look more and more into automation.
We had a, a very good speech today about, about AI and the effect of, of the AI today. Nowadays automation will help you in exactly in covering this kind of challenges, governance. Everybody should be involved E either in the sea level in your company, but also in the supply chain or in so someone who is delivering to you or supplier or your customer. So you need to, to discuss openly with your customers, with your suppliers about this risk.
Also something that is often neglected is the contact management people, especially in the technical area, are not aware about the contact, about the stipulation in the contact about the SLAs. And these are set. These are important information about the assets and how you manage those assets. And last but not, these are the insurances. When you initiate those risks in a, in a good way, then there are storage. The insurances are basically the cherry on the top will completely make your company secure and prepared for, for a cybersecurity data. Okay. That was from my side.
Hopefully I, I tried to be in time because I know we had that three, 3:00 PM or stop CT.
