Leadership teams run their organizations with constantly shifting priorities. Often these priorities can run the gamut from managing A/R and increasing sales to improving culture and increasing staff retention. All too often, technology ends up being low on the priority list other than “keep it running” and “do we really have to spend more money on that?” This is where the conversation around cybersecurity starts to get interesting.
While all of the above items are of critical importance to running a business, when the topic of cybersecurity comes up, the conversation naturally flows from managing risk to ensuring the proper ROI of the spend to manage that risk. “What do we have to spend?” and “What are we going to get for it?” are two of the most prevalent questions.
The well-informed leaders have realized that cyber-threats now represent the lion’s share of the potential harm that could come their way. At the same time, it’s rare for a leader to truly comprehend the existential threat cybersecurity presents to their organization. The discussions are driven no differently from any other aspect of running a business - they merely want KPIs and insights aligned with business priorities.
At the same time, according to a 2019 survey by the Enterprise Strategy Group, 39% of executives and directors want security status reports for cyber-risk associated with end-to-end business processes and 35% want better detail on the ROI of their security investments and planned purchases.
Here are four essential areas or questions you should be looking to address to help your leadership team understand your specific organization's cyber-stance:
1. The company's current security posture
How solid is your cybersecurity protection - really? How effective are your controls? Are your policies complete, documented, and known throughout your organization? How well documented is your position and how easily can you report on the status of this now and as you move forward?
All important questions, and all of them help clarify your current security posture.
Your security posture reflects the effectiveness of your current security controls against potential cyber-attacks, including internal and external-facing security controls across your infrastructure. There’s more than one way to measure an organization’s security posture, but the idea is to present an objective, vendor-agnostic metric that you can obtain on an ongoing basis, without having to rely on the periodic third-party security assessments you may have had completed.
Keep in mind, cybersecurity is a moving target and must be part of an organization’s ongoing management of their technology. It truly is something that should be performed on an ongoing monthly or quarterly basis.
Crazy to think, but while large enterprises rely on an average of over 80 security products, small businesses still rely on a number of vendors and related products that is not much smaller. This number is based on all of the components that make up your infrastructure along with all the products needed to secure it. Keep in mind, from an overarching approach, one of the most important aspects is how well these solutions work in concert with each other to defend against the entire lifecycle of a threat, from attack delivery to system compromise to lateral movement and beyond.
At first blush, providing your leadership team with an up-to-the-moment security posture metric may seem impossible. But security vendors have been catching on to this need, and an increasing number of them are offering exposure metrics and cybersecurity risk scores, as well as industry benchmarks that compare your score with others in your industry. And vendors are not alone. Ratings agency Moody’s has recently announced a joint venture with cyber group Team8 for creating a global cybersecurity risk assessment standard for businesses.
2. Defensibility against the very latest threats
“Are we vulnerable to that ransomware that hit Baltimore?” Reports of companies and cities falling victim to ransomware and other malware menaces have become a daily occurrence. Understandably, CISOs get called up by their CEOs or other executives seeking to know if they are vulnerable to the latest threats that made the headlines. By keeping tabs on the latest threat intelligence, and specifically its indicators of compromise (IoCs), security managers can quickly answer that question and convey to their leadership whether the business is vulnerable or not.
Of course, there are signature-less attacks and zero-days (known unknowns) that require behavioral detection, but as far as knowing if you’re at risk from an already-known threat, this is easy to do to reassure your ownership, or explain why you need to beef up resources for a particular area of security.
3. ROI on security investments
Which leads us to the next insight your leadership wants to know: What is the ROI on the company’s security investments? Is the IT or security team actually putting its money where your risk is?
By having a holistic approach to securing your technology and being prepared to know where your company is most and least vulnerable, you will be better positioned to prove that you are putting budget and manpower where the company needs it most. A good place to start to prove effective spending would be to share where your team is seeing the most vulnerability or threat exposure. And in light of that exposure, what resources are being allocated to address it?
It could be that your controls are working great, but too many employees are clicking on phishing emails and it’s time to invest in cybersecurity user awareness training. Alternatively, there could be concerns about access by third parties to your network or cloud resources, and stronger access controls are required. The ROI of technical or human control improvements is difficult to demonstrate in a true ROI calculation. One of the best ways is to break down the cybersecurity spend by preventative measure taken and set each against the cost of the related risk that the control is in place to prevent from occurring.
4. Security improvements
Lastly, your leadership team will likely want to understand how security investments are improving the company’s overall security posture. To address this need, it’s imperative to track security posture metrics over time, enabling you to demonstrate the impact made by your budget prioritization. Alternatively, if there’s high employee turnover or you have insufficient resources, you may be able to explain the dip in your defense’s performance in light of an ever-fluctuating threat landscape.
These four components, taken together, should help you justify the additional spend that cybersecurity requires in this day and age. Needless to say, it’s not going to get better any time soon. The more complex the technology environment has become (i.e. the always-on aspect of the internet, on-premise infrastructure, cloud hosting, Software as a Service, BYOD, wireless, spoofing, phishing, CEO fraud, etc.) and the more the bad actors leverage the cracks in each of these, the more critical cybersecurity will become to ensure organizations stay protected just to operate.
What does your cybersecurity posture look like? How are you going about addressing things? Have you had a baseline assessment? Are you using a clearly defined holistic approach to ensure you're addressing all four of these aspects? How do you keep track of where you are currently against where you want to get to? Be sure to share your thoughts in the comments section below or shoot me an email if you'd like to discuss this in more detail.