I was once told by a friend who has spent his whole career in Insurance that they have a term for things like home and car insurance. People know they need them but are always unhappy about splashing the cash. They’re called grudge spends.
The same friend drew a similar conclusion on cyber, which holds much truth. Spending on cyber security is often seen as a grudge investment—something businesses need to do but would prefer to be put into things that easily track tangible business value or growth.
Reputation is Everything
Over the last decade, we’ve seen rapid growth in the cyber security market, driven by the evolution of attack vectors and amplified by the Covid pandemic when most businesses were forced to rapidly adapt to new working habits. However, the average percentage of IT spending on cyber security isn’t growing at the same rate.
This story will be intimately familiar to many IT leaders—repeatedly pushing for more budget and resources, only to be met with increasing demands to justify their requests. This merry dance isn’t for their enjoyment. It’s for providing essential protection and to help prevent significant incidents that will affect the organisation’s operations, staff, customers, and supply chain.
Reputation is everything, and a significant breach will severely impact business. Still, requests fall on deaf ears. Not always because companies don’t accept that risk exists—cyber security is more known now than ever before—but because senior leadership in most organisations, including many owners, non-execs, CEOs, CFOs, etc., are of the mistaken belief that their company is already investing in strong IT security, especially if they haven’t yet experienced a significant incident.
So, what can cyber security leaders do to gain the investments they need to protect the organisations they work for?
Change How Business Leaders View Cyber
Let’s start with the obvious. Risk is an essential factor, but it must be understood in the specific context of your company and the tactics that will be used to exploit those risks. Each company is different. Although some risks are expected, please don’t assume they all sit in the same order of priority in each company. So, understand the risk specific to your company and use plain, clear, and simple language to explain the problem and associated business impact. Avoid jargon and present in a way that CFOs, CEOs, and business owners can quantify—where data demonstrates the potential impact from a cost perspective where possible.
We must also change the prevalence of the grudge investment opinion. When up against budget requests with a more easily understood business growth opportunity—sales head, office opening, marketing campaigns, the list goes on—it’s hard to stand out. However, once you’ve outlined risk in clear, consumable language that’s easy to understand, start to help the business gain awareness of how a suitable investment in cyber security can become a business enabler.
Customers want and, increasingly, demand assurances around your cyber security programme. Getting on the front foot—using your cyber program to publicise to potential and existing customers how you continue to invest in cyber to protect their data—can help secure your reputation.
It Can Take A Lifetime To Gain Trust But A Second To Lose It.
We must move past the days of cyber being perceived as a hindrance to productivity for your staff. By promoting risk awareness by having a clearly defined programme of work that invests in the right solutions and services, you can enable people to operate faster and be more agile. The result? A happier and more productive workforce.
You must understand risks specific to your company, identify gaps and gain visibility over the efficiency of current controls. With this new information, we gain value from it by providing clear guidance to the business around genuine risks and how suitable investments can help make cyber security a business enabler and help your company stand out from the competition.
Singing From The Same Hymn Sheet
You can empower your cyber decision-making process by speaking in a common language across your organisation. By following a modern, forward-thinking approach to cyber security (more on this shortly), you can adopt guiding principles that are easily followed across your company and from top to bottom.
An emerging approach, christened by Gartner as Continuous Threat Exposure Management (or CTEM) emphasises a consolidated approach to your data, where threat intelligence, governance, risk, and existing security investments come together in a single place. This enables you to pinpoint where your current tooling has gaps, where you might be overspending, highlight areas for improvement, and—crucially—help demonstrate and deliver value from cyber.
This threat-led approach is highly dynamic. It creates a profile unique to your organisation which identifies the most critical risks and creates a model of malicious behaviours to prevent. Capability data, which is continuously updated and monitored, helps highlight the most critical areas for improvement, ready to be grouped into projects to promote a culture of continuous improvement across your organisation.
Figure 1: Gartner's CTEM cycle.
How Do I Focus On Everything All At Once?
Deploying effective CTEM isn’t one-size-fits-all. Starting with the most critical aspect, specific to your organisation’s requirements. These usually—although not always—fall under one (or more) of these categories:
- Insight: a consolidated, high-level view of the most critical aspects of your cyber security environment. Think of this as the things you, as a cyber security leader, need to empower you to start making correct cyber decisions.
- Threat: a bespoke threat model unique to your organisation that means you can interpret how you’re being targeted and the malicious behaviours you must prevent.
- Compliance: score and analyse your performance against industry-standard compliance frameworks, looking at your controls’ deployment and maturity and where you need to improve.
- Measure: see how well your tools operate, usually through native APIs, with performance and efficiency metric surfaced by relevance.
- Improve: tracking of your continuous improvement plan.
Figure 2: a typical CTEM deployment.
As a security leader, you’d typically use a combination of these five aspects to evaluate your cyber security strategy in the context of the risks you face. This will enable you to make informed decisions about your cyber security investments and identify areas of improvement. From here you can report, justify, and enable cyber across your organisation in four key areas:
- Quantify Risk: By understanding your unique threat landscape. Map the malicious behaviours you need to mitigate and visualise your threat model.
- Cost Optimisation: Identify the utilisation of your existing investments. Increase adoption of purchased solutions and roll out additional capabilities to improve ROI on existing solutions.
- Control Improvement: Focus on post-deployment effectiveness by identifying the performance of your cyber investments. Identify capability or capacity gaps with existing operations teams or opportunities for process or automation improvements.
- Industry Benchmark: Contextualise your performance against your peers. Use this to drive continuous improvement within your cyber security environment.
Adopting a CTEM approach will empower you to evaluate the cost-effectiveness of your security measures and ensure you get the most out of your cyber investments and stay within budget constraints.
To discuss how Arco can help empower you to drive the value of cyber in your business, please get in touch.
