2024 has certainly been eventful. The sharp rise in cyber security breaches has pushed the global average cost of a data breach to $4.93 million, with breaches involving sensitive customer data such as personally identifiable information (PII) costing even more. Among the heaviest losers has been the healthcare sector, which remains the most expensive industry for breaches at an average cost of $9.77 million per incident, despite a slight reduction from the previous year.
In fact, recent research by Howden, the London-based insurance intermediary group, reported that cyber-attacks cost UK businesses approximately £44 billion in lost revenue over the past five years.
Our own research, released a month ago, found that 88% of the professionals we surveyed are dissatisfied with the tools they have in place to provide the cyber risk oversight they need.
In response, regulators are tightening requirements around continuous monitoring and full visibility into an organisation's ecosystem, so that threats can be addressed proactively.
Thus, tools like continuous controls monitoring are no longer a nice-to-have; they have become a must-have in order to counter a landscape that shows no sign of changing.
The Current Landscape: What’s at Stake in 2025?
Let’s be clear: the cyber threat is not going to decrease, it is going to increase.
The threat is growing at every level, from the most basic phishing link in an email to deepfake-driven AI spear phishing – cyber-attacks know no bounds.
To counter this, regulators now require continual monitoring so that an organisation's cyber risk posture is tracked constantly and an accurate picture can be presented at all times. This is coupled with a strong regulatory push towards automation as the means of addressing these threats, with a particular focus on operational resilience and a crackdown on third-party risk. The Digital Operational Resilience Act (DORA) in Europe and the UK’s own FCA Operational Resilience Act, both focused on financial institutions, are a start, but this is expected to expand into all sectors in 2025.
So organisations will need to embrace these regulatory demands, given that the global average cost of non-compliance is $14.82 million (including fines, legal fees, downtime and reputational damage). Breach costs alone average $4.93 million per incident, with the healthcare and financial sectors being the most expensive.
Organisations simply cannot ignore any longer what needs to be done.
Business Drivers for CCM in 2025 Budgets
The Constant Cyber Risks
- Ransomware Evolution: Ransomware continues to be a major issue, with tactics such as Ransomware-as-a-Service (RaaS) making it accessible to less-skilled attackers. “Double extortion” tactics, where attackers encrypt data and threaten to release it publicly, add significant pressure. These attacks are increasingly targeting critical infrastructure like utilities and healthcare systems.
- AI-Powered Threats: Cyber criminals are leveraging artificial intelligence to enhance their attacks. Deepfake technology is being used for advanced social engineering schemes and AI is generating hyper-personalised phishing emails that are hard to detect. Additionally, machine learning is automating vulnerability discovery and exploitation.
- IoT Security Risks: The growing number of Internet of Things (IoT) devices is expanding the attack surface for cyber criminals. These devices often lack robust security measures, making them easy targets for exploitation. As IoT adoption increases, securing these devices becomes critical.
- Sophisticated Social Engineering: Attackers are using more refined techniques to manipulate individuals into compromising their systems. This includes phishing campaigns and other tactics designed to exploit human vulnerabilities.
- Supply Chain and Third-Party Risks: Many cyber-attacks now exploit vulnerabilities in supply chains or third-party systems where security measures are often less stringent. This can lead to significant disruptions and data breaches.
Regulatory Pressures
- DORA and the UK’s Operational Resilience Act both have a January compliance deadline. PCI DSS v4.0 is due for full compliance by March 2025. This is going to be a challenge for financial institutions.
- Regulatory compliance now demands that organisations continually monitor their cyber ecosystem, with NIST, ISO and DORA all requiring this. US-focused regimes such as Cybersecurity Maturity Model Certification (CMMC) 2.0 and the SEC rules demand the same.
Financial Impact
- Fines and penalties for non-compliance are going to hurt. As already mentioned, the global average cost of non-compliance is around $14.82 million (including fines, legal fees, downtime and reputational damage), with the breach alone costing on average $4.93 million per incident.
Proactive Compliance Investment: The annual average investment in proactive security and monitoring
- Average annual investment in proactive security and monitoring: $3–$5 million for medium to large organisations. This figure includes continuous controls monitoring, automation tools, staff training and compliance audits (source: IBM Newsroom). On average, therefore, proactive compliance costs around one third of the potential penalty and recovery costs.
- QO’s own research found that C-suite leaders alone spend on average 60 hours a year gathering information on regulatory compliance, before factoring in the time it takes an entire team to do the same, so the salary cost and time saved are transforming operational costs for those that have implemented CCM.
Operational Efficiency
Real-time monitoring boosts operational efficiency by automating many tasks that would otherwise require manual intervention. This reduces the workload on IT and security teams while improving collaboration, as both departments can access the same insights and data simultaneously. The integration of real-time systems allows for quicker decision-making, especially during incidents, as security teams can respond immediately to threats. This not only accelerates threat mitigation but also helps in maintaining a more co-ordinated and effective security posture across the organisation. By bridging gaps between teams and providing immediate insights, businesses can reduce response times and improve overall resilience.
Strategic Advantage
Implementing proactive cybersecurity measures, such as continuous monitoring, significantly strengthens client and stakeholder trust. Organisations that prioritise cyber security demonstrate their commitment to protecting sensitive data, which can differentiate them from competitors. This not only enhances their reputation but also positions them as industry leaders in security. By actively managing risks and responding swiftly to threats, companies can foster long-term relationships with clients who value security, which becomes a key factor in business growth and market positioning.
Debunking Budgeting Myths About CCM
- “We can’t afford it”
- “We’re already compliant”
- “It’s too complex to implement”
There are several myths about Continuous Controls Monitoring (CCM) that can hinder organisations from adopting it. One common misconception is that “we can’t afford it,” but the cost of ignoring cybersecurity risks far outweighs the investment in proactive monitoring. Data breaches and downtime can result in millions of dollars in fines, legal fees and reputational damage, proving that the price of inaction is far steeper.
Another myth is “we’re already compliant,” but compliance doesn’t equate to resilience. Organisations can be compliant yet still vulnerable to evolving cyber threats.
Lastly, the idea that “it’s too complex to implement” is no longer valid, as modern CCM solutions are scalable, user-friendly and designed to integrate seamlessly into existing systems, making them accessible to organisations of all sizes.
Building a Compelling Business Case for CCM
Building a compelling business case for Continuous Controls Monitoring (CCM) requires demonstrating its value through key performance indicators (KPIs) and key risk indicators (KRIs), real-world case studies, and budget-friendly approaches.
- KPIs and KRIs: CCM can significantly reduce the time it takes to detect and respond to security incidents, enhancing operational efficiency. By leveraging real-time data, organisations can swiftly identify vulnerabilities and mitigate risks, minimising damage. Additionally, CCM leads to fewer audit findings by ensuring continuous, automated compliance checks, resulting in better control adherence across the organisation. These indicators can directly correlate with lower operational costs and reduced fines for non-compliance.
- Budget-Friendly Approaches: Starting small with a targeted implementation is a practical and budget-friendly approach. Organisations can begin by monitoring the most critical controls and expand as resources allow. Many modern CCM solutions are scalable, meaning they can grow alongside an organisation’s needs. This approach not only minimises upfront costs but also ensures that businesses can see measurable improvements in security and compliance before scaling to a broader implementation.
By focusing on these areas, businesses can demonstrate the clear benefits of CCM, not just from a risk management standpoint, but as a driver of operational efficiency and long-term cost savings.
Preparing for a Secure Future
Now is the time to prioritise Continuous Controls Monitoring in your 2025 budget planning.
In a world of evolving threats that affect our business ecosystems daily, continuous controls monitoring isn’t “just” another tool – it’s your organisation’s shield.