November 14, 2018

Written by: Doron Sivan, CEO Cronus Cyber Technologies

With the GDPR craze and the ongoing stories of large-scale hacks, businesses have begun to spend more and more money on cyber protection. IT security budgets are growing to the point where they dominate IT budgets. However, the questions on everyone’s mind are “how do we know we are getting our money’s worth from all this IT security spending?” and “are we effectively managing the security costs?”

We must critically examine whether our spending is driven by trends and personal intuition, or simply by whatever most easily receives our manager’s approval. Are we truly buying what is necessary, and will it support the overall business strategy? Looking back on my 20 years of experience in IT security, most organizations do not have a real security strategy, and as a result the perceived value of their spending becomes elusive.

Below are a few tips that will help focus on what really matters and deliver tangible and, most of all, measurable value.

  1. We should try to shift our perspective from a bottom-up view, i.e. threats to IT systems -> business processes -> organizational strategy, to a top-down one. Instead of separately analyzing every potential threat, we should start by aligning with corporate priorities and objectives and define our cybersecurity strategy in a way that supports those objectives. This way, we can intelligently invest in solutions based on the level of risk each one poses to a business objective: the lower the risk, the lower the budget allocated to preventing or mitigating it.
  2. We should discuss IT security with the business units and their stakeholders to understand which of their business processes need protection. IT security should not be confined to the IT department; it should also involve the heads of finance, operations, sales or HR. This gives us a more holistic view of their business objectives and challenges, so that instead of asking a general question such as “what is the effect of the index of industrial production on our manufacturing purchase?”, we can ask “are we getting the right value and outcome from our manufacturing spending?”. As soon as we treat cybersecurity as an integral part of corporate risk management practices, every business unit will understand the importance of ensuring enough budget allocation for it.
  3. Lastly, once consensus is established on how critical the correlation between the organization’s preparedness and its cybersecurity investments is, the discussion of the cost/benefit ratio becomes more relevant, which directly leads to smarter investments. At this stage it may come as a surprise that purchasing more and more cybersecurity products is not necessarily an effective method of protection; what is effective is hardening the business processes and enforcing controls on security policies such as continuous threat detection and monitoring, effective vulnerability management, security infrastructure upgrades, regular penetration testing and automation of business processes.

To summarize, organizations need to look at cybersecurity first and foremost in the context of business objectives, and not only in the technological context. Working from corporate policies all the way down to the IT systems that support the business goals, defining the critical assets and business processes and their accepted level of risk, and channeling security measures such as regular penetration testing and integration with the organization’s defense systems, such as a SIEM, will improve the organization’s ability to block cybersecurity threats.