Making a Strategic Investment in Cybersecurity
Knowing the Cybersecurity Risks Specific to Your Company and Industry
By: SecureWorks
As seen in Harvard Business Review, Nov. 2015

The majority of business leaders base their budget on current capabilities, adjusted incrementally for growth and new ventures.
For mature functions like accounting, which has been around since the Phoenicians first traded on the Mediterranean, this works just fine. You have three accountants to keep track of 100 ships, and when you add 100 more ships, you need three more accountants. The radically new and evolving field of information security, on the other hand, needs a different approach. Regardless of the industry, we see organizations attempting to advance their information security capabilities incrementally, based on their current and past security spend. This is usually a big mistake.
Information security has been largely ignored by business leaders for most of its existence and has always lagged the threats. At best, companies selected “a percentage of IT budget” and continued to revisit that percentage year after year without considering the company’s threat landscape. At worst, spending has been determined in a reactionary way, where security capabilities have been built up over time as a series of narrowly defined reactions and point solutions to address the most recent challenge. Rather than budgeting against a specific strategy for risk mitigation, IT teams scrambled for whatever budget could be found to put out a new fire. Invariably, this meant buying some technology to address the problem du jour. There was no long-term measurable plan. The budget wasn’t rationalized against the company’s top risks and tolerance. Or if there was a plan, it was developed as an afterthought.
Hopefully, no other part of your business budget cycle works this way. Leading practice in today’s environment is to take a risk-measured, zero-based budget approach to information security. Businesses are more aware than ever of the cyber threat and the enterprise risk it poses to reputation and the bottom line. So now it is time to get out a blank piece of paper and list your current security spend. Then carefully build a multi-year strategy and budget that serve the cyber risk landscape for your particular business.
Where do you start?
Know the top 10 risks specific to your company and industry. Third-party threat analysis can help. Your investment should also be based on the maturity of your security program. A fully deployed program will have four key elements: the ability to predict the adversary’s capabilities and tactics, defend where possible, detect what gets through, and respond quickly. Because breaches are inevitable, it’s no longer acceptable to operate without applying threat intelligence to identify the adversaries, anticipate how they move in our systems, and remove them quickly. Finally, to be effective, each of those capabilities relies on skilled people following well-designed processes.
Is your company’s information security program organized and resourced in this way? If not, your program is not fully deployed, and you have more reason than ever to reject historical fiction and begin anew with a strategic budgeting process.
"Only 18% of IT security professionals believe their company's cybersecurity program is in a 'mature' stage."
- Ponemon 2015 Global Study on IT Security Spending & Investments