Business Leaders: Turn Security Investment into Action
An open letter to corporate business leaders ready to take the next step on cybersecurity as a business imperative
By: Matt Eberhart
Dear Mr. Buckley:
A recent CNBC article quoting you caught my attention, and I couldn't resist responding. In it, you note that cybersecurity is front of mind for you all the time and that it is a significant area of investment for Vanguard.
I applaud your focus on cybersecurity. Making cyber-risk management a priority for your company already puts you ahead of the game. We are experiencing a renewed executive and board level focus on cybersecurity on the heels of the Equifax breach. That focus is great if it leads to actions. My question to you and other executives focusing on cybersecurity is simple: what do you do next?
Maximize the Value of Your Security Investment
Driving a corporate focus on cybersecurity along with an investment for success is a great first step. With seemingly innumerable opportunities to invest in cybersecurity protections, what are the right investments that will yield a high return on risk reduction? And more importantly, how will you measure both your cybersecurity risk and the effectiveness of your program? Start by understanding your current cybersecurity and risk management spend and how it breaks down across these four key areas:
- Prevention – Preventing threats and actively protecting vulnerable systems
- Detection – Detecting what you cannot prevent, validating it, and prioritizing it for response
- Response – Taking actions continuously to manage risk
- Prediction – Continuously using new information to determine how you prioritize the actions you take
Investment Breakdown: Technology and Operational Targets
To demonstrate risk reduction in today's complex environment, organizations must be able to determine, prioritize, and when possible, automate the right actions. While each organization must account for its specific risks, there are some guidelines to consider to yield high return. For a Fortune 1000 organization with a dedicated security executive and an ongoing security budget (one that is separate from IT), look at your technology and operational spend as two separate investments.
In my experience, half of your technology investment should be dedicated to prevention – the fewer threats that breach your systems, the better. Detection and response should account for a significant portion of your remaining tech spend, with the remaining budget earmarked for prediction to help you automate actions.
Operational spend should look very different. Here, you'll account for program operations and governance. Unlike the technology spend, which focuses on prevention, prevention should here become an operational component of your response process, which requires both the right technologies and a DevOps approach to your response process. Detection and prediction will help support your response, but your operational spend should prepare you to take actions across your security, IT, and business systems and processes.
Ask Yourself This One Question Before Adopting a New Technology
Once you understand your capabilities, you can start to evaluate your program and prioritize next steps. Program operations is key and should be a focus area for your security team. We often see firms rushing to buy and implement new technologies, but technologies don't make up your program – they help support it. It's critical to have technologies that are compatible with each other and with your team, which is then armed to continuously act to address risk. Our industry uses terms like defense-in-depth to remind us that we need many layers of defenses to address different threats. Historically this has been a fundamental approach, but the threat landscape has evolved, and our methodologies must adapt to this new environment. We've jumped the shark with security point solutions and have forgotten that an action must be taken in order to reduce risk. I ask a simple question of any new security technology: what threats will it prevent, and how will it enable our operations team to take actions to reduce risk? If it does not actively reduce risk or quickly lead to actions that do, question the value. We all need a few instruments for situational awareness, but if they do not enable us to take an action that can be measured, they probably aren't helping to manage risk in the long term.
Cybersecurity Should Be Measured By the Return It Yields
A large part of active cyber-risk management comes down to hygiene. Understanding your environment and what actions to take to reduce the most risk is critical. This is hard and it changes every day. Building a cybersecurity program with a bias to action and visibility is of paramount importance today. Your reporting should tell you if your risk has increased because of a new vulnerability, attacker technique, or business change. It should also tell you what your security team has actively done to address the risk.
We're in a time where the field is separating between business leaders who accept cybersecurity as a business imperative and those who wait and watch. Kudos to you for demonstrating that you've made it a priority for you, your organization and your stakeholders.