Security was once mysterious, but everyone is far more aware and connected today than they used to be, and that translates into a greater level of understanding and acceptance. With good reason: a security breach or a failure to comply with regulations can do serious damage to the brand, which makes board members and senior-level managers take notice. And the responsibility can all fall on the CIO.
This increased awareness is the starting point for a solid cybersecurity budget. In the CIO Survey, 82 percent of respondents cited cybersecurity as a high or critical concern for the next 12 months, the highest percentage across all surveyed categories.
However, as organizations invest in cybersecurity, budgets need to be strategic. Simply throwing money at cybersecurity can put an organization in a bad position. The more IT spends now, the more the organization needs to spend later on upkeep: every investment requires support, and lots of it. More importantly, technology by itself doesn't solve anything, even when people treat it as a proxy for results. At the same time, woeful underspending on security is just as dangerous.
Bottom line: It’s time to take stock and develop a threat-focused, risk-based approach to your security strategy.
In building a risk-based strategy, organizations need to focus on three primary components, assets, vulnerabilities and threats, rather than simply looking for holes. For example, if the business doesn't take any credit-card payments, why research POS system vulnerabilities? It makes no sense to protect an area that does not apply to organizational operations. The caveat is that this judgment is only as good as the asset inventory behind it: you can only rule out POS risk if you actually know no such systems exist in the environment. The key to success is to take the time to understand the real threats, where they are coming from and what they are likely to look like in practice.
Furthermore, any modern cyberstrategy needs to complement the company's go-to-market strategy. There should be a direct tie-in, including accommodation for whatever compliance standards the business is subject to.
One of the more challenging aspects of budgeting for cybersecurity is demonstrating the return on investment. It's difficult, if not impossible, to accurately quantify the ROI of preventing hypothetical attacks. However, it's still possible to show value by linking the investment to positive business results, for instance by tying it to the organization's ability to accelerate its move to mobile or to improve time to market for a new offering.
As security professionals, we need to embrace these new metrics to show value—not just for brand protection but also for new opportunities.