November 14, 2018
Written by: Doron Sivan, CEO Cronus Cyber Technologies
With the GDPR craze and with the ongoing stories of large-scale hacks, businesses have begun to spend more and more money on cyber protection. The IT security budgets are growing to a point where they dominate the IT budgets. However, the question on everyone’s mind is “how do we know we are getting our money’s worth from all this IT security spending?” “Are we effectively managing the security costs?”
We must critically inspect whether our spending is based on trends and personal intuitions, or simply on what easily receives our manager’s approval. Are we truly buying what is necessary and will it support the overall business strategy? Looking back on my 20 years’ experience in IT security, most organizations do not have a real security strategy, and as a result the perceived value becomes elusive.
Below are a few tips that will help focus on what really matters and provide tangible and, most of all, measurable value.
- We should try to shift our perspective from a bottom-up view (threats to IT systems -> business processes -> organizational strategy) to a top-down one. Instead of separately analyzing every potential threat, we should start by aligning with corporate priorities and objectives and define our cybersecurity strategy in a way that supports those objectives. This way, we can intelligently invest in solutions based on the associated level of risk to the business objective. The lower the risk, the lower the budget allocated to preventing or mitigating it.
- We should discuss IT security with the business units and their stakeholders to understand the business processes that need protection. The discussion should not be limited to the IT department, but should also include the heads of finance, operations, sales or HR. We will get a more holistic view of their business objectives and challenges, and instead of asking a general question such as “what is the effect of the index of industrial production on our manufacturing purchase?”, we should perhaps ask “are we getting the right value and outcome in our manufacturing spending?”. As soon as we factor in cybersecurity as an integral part of corporate risk management practices, every business unit will understand the importance of ensuring enough budget allocation for it.
- Lastly, once there is consensus on how critical the correlation is between an organization’s preparedness and its cybersecurity investments, the discussion of the cost/benefit ratio will become more relevant, which leads directly to smarter investments. At this stage, it may come as a surprise that purchasing more and more cybersecurity products is not necessarily an effective method of protection; the effective method is rather hardening the business processes and controls on security policies, such as continuous threat detection and monitoring, effective vulnerability management, security infrastructure upgrades, regular penetration testing and automation of business processes.
To summarize, organizations need to look at cybersecurity first and foremost in the context of business objectives and not always in the technological context. Working from corporate policies all the way down to the IT systems that support the business goals, defining critical assets and business processes and their accepted level of risk, and channeling security measures such as regular penetration testing and integration with the organization’s defense systems, such as a SIEM, will improve the organization’s ability to block cybersecurity threats.