Throwing money at security threats may be good exercise, but it won’t do much to deter data thieves, ransomware bandits, and other bad guys.
While enterprise security leaders usually do well at estimating threats and vulnerability, they often lack the ability to accurately assess business risk when making the case for sufficient security funding. “Cyber risk and its business impact is often put into technical language that the C-suite does not understand,” says John Gelinne, managing director, cyber and strategic risk, at business and advisory firm Deloitte. “As a result, translating threats and vulnerabilities into justifiable investments is often left to the tech team’s experience and judgment — insights that often trail evolving cyber threats.”
A common way enterprises waste money on IT security is by basing their security plans and budgets on the latest cybersecurity trends and on what other organizations are doing. “Each organization’s security needs will differ based on their line of business, culture, people, policies, and goals,” says Ahmad Zoua, director of network IT and infrastructure at Guidepost Solutions, a security, investigations, and compliance firm. “What could be an essential security measure to one organization may have little value to another.”
Poor planning and coordination can lead to needless duplication and redundancy. “In large organizations, we frequently see many products and platforms that have the same or similar capabilities,” says Doug Saylors, cybersecurity co-leader for technology research and advisory firm ISG. “This is typically the result of a lack of a cohesive cybersecurity strategy across IT functions and a disconnect with the business.”
Organizations often layer security products on top of each other year after year. “As security teams and leadership, such as CISOs, leave the organization, new team members and leaders bring in new security products,” says Charles Everette, director of cybersecurity advocacy for cybersecurity firm Deep Instinct. “As the security solutions pile up, there’s a tremendous amount of wasted resources and capital as solutions — basically shelfware — don’t perform as expected due to not being updated nor keeping up with newer and more sophisticated attacks.”
Start at the Top
Taking a top-down approach to building a security budget, one that incorporates an understanding of real-world business needs, establishes a benchmark prior to conducting due diligence on security tools that should be included in the final budget. “This [approach] will also engage your key stakeholders and leadership to support the security plan as a key component of business success, not as overhead,” Zoua says.
It’s essential to keep track of your plan and monitor your progress and risks, Zoua says. “Many security leaders budget for all known threats, but always add a dedicated budget for unknown risks and a cybersecurity resilience plan.”
Security a Core Concern
Security budgets have long been an add-on or afterthought for many organizations. “In recent years, we’ve come to realize that security needs to be at the core of all IT products and projects,” Everette says. “This means that CIOs and CISOs have to have buy-in during the whole decision-making process.” He adds that security should never be regarded as a bolt-on functionality. “[It] has to be in place at the foundation … throughout all IT projects and IT decisions.”
Saylors advises organizations to develop a holistic cybersecurity plan, one that fully supports their unique business strategy and doesn’t get caught up in new, unproven trends. “We see clients spending substantial dollars on acquiring and deploying the latest shiny object, which has zero business value,” he says.
Saylors also recommends conducting regularly scheduled maturity assessments to determine the value of existing security tools and processes. “As part of these assessments, a security tools optimization exercise should be performed to identify tools and platforms that are obsolete or that no longer meet the needs of the business,” he says. “We’ve seen upwards of a 25% cost reduction in some client environments, generally through a reduction of existing redundancies.”
Stakeholders and Partners
Best results are achieved when key business and IT stakeholders are involved in the security budget planning process. “For organizations engaged in digital transformation initiatives, involving product development teams is paramount,” Saylors states.
By involving leadership and stakeholders in the security planning process, organizations can set priorities that cover all applications, data, and business-critical systems. “A dashboard with associated risks and calculated losses should also be created,” Zoua says.
It’s also advisable to engage the support of key suppliers and third-party providers that integrate digitally with the organization. “There have been some very significant breaches that occurred due to substandard cyber protections with trading partners,” Saylors notes. “Involving them in your strategy is a good way to help mitigate this risk.”