Funding cyber security: myths or reality? By Cranium
Can we be sure of a well-thought-out cyber security plan and its funding, or is a change in approach needed?
Security is: SIEM, NIDS, OWASP, SCANNING, CVE, ISO 27k, NIST, DDOS, CRYPTOLOCKER, PORT 443, TLS v1.3, REV PROXY, …
These security topics are all well-known and obvious, right?
Data-related topics: API integrations, 3rd parties, international data transfer, data lake, big data, mobile devices, 4th parties, …
We know where our data is, right?
So how do you determine the way to budget and spend the money you have available for cyber security resources?
Not long ago, businesses had an IT team that knew the environment inside out and did their best to explain this to senior management in order to get funding for the IT organization. This funding often included security. Second, it was a technical discussion, where the main drivers were industry practices or widely known and understood threats.
Today we try to do the same specifically for the now ever-increasing cyber security landscape, conveniently ignoring that not only has the landscape changed, but the parties involved or impacted have changed as well. As with all things in life, decisions are made by humans. In general we as humans tend to spend our money on things or actions that result in an experience, something we understand (or understand the need for) and the things we value or care about. This includes business decisions.
As a result, businesses often end up in one of two bad situations, potentially both: first, a business that invests in a false sense of security because there is no full understanding of what these controls really entail, and second, a data protection program that is designed to fit the available budget rather than the actual risks the business faces.
The three key areas
1. The Value Landscape
The requirements for spending money are: experience, understanding, and value or care. In today’s landscape these are based on the most valuable asset we possess in business: data. Even businesses producing physical products do so based on calculations, formulas, trade secrets, etc. – data. This is where the game changed over the last few years. Our data is no longer in the office building, nor is it contained within the (technical) company network. Your data landscape has gone global.
Before talking about cyber security, defining the necessary budget and getting the management buy in, we need to know what we HAVE, WHERE it is used, WHO uses it and what is really VALUABLE.
2. There is no such thing as 100% secure
Protecting data is all about CIA (Confidentiality, Integrity and Availability), which addresses data, not corporate processes. For all this data we need to focus on what is considered valuable, because we want to work based on risk level.
CIA is used to determine focus and to allocate the best security controls or other risk-mitigating actions to protect the data in scope. That risk determination is needed because there is so much data and there are so many systems in use today that not all of them can be protected in the same manner, nor should they be.
3. Cyber Security Efficiency controls the budget
September and October are typically the months when the CISO receives the note to draft the budget plan for the coming year, while at the same time being asked to implement a cost reduction of an arbitrary amount versus last year. Sound familiar? From a financial point of view this makes sense, as all costs impact the bottom line. However, going back to where we started, one should not reduce spending just for the sake of reducing it; one should spend on something that can be experienced, understood and valued.
It is the CISO’s task to provide this justification, but it should be done based on business risk! Forget about the terminology I mentioned in the beginning and explain, show and provide the experience of what it means for the business: the business risk you are protecting against.
The Cyber Financial Formula
Cost of impact (CIA) x Risk of breach (CIA) -> business value for investment -> security efficiency
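As an added worked example (not from the original post), the formula above applied to a small, constructed data inventory: each asset gets an impact cost and a breach probability per CIA dimension, expected loss ranks where the budget should go, and the efficiency of a candidate control is the expected loss it avoids per unit of its cost. All figures are illustrative.

```python
"""Expected loss = cost of impact x risk of breach, per CIA dimension.
Added example with constructed figures; not from the original post."""
from dataclasses import dataclass

DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass
class DataAsset:
    name: str
    impact: dict  # cost (EUR) if this dimension is breached, constructed
    risk: dict    # annual probability of that breach, constructed (0..1)

    def expected_loss(self) -> dict:
        """Annual expected loss broken down per CIA dimension."""
        return {d: self.impact[d] * self.risk[d] for d in DIMENSIONS}

    def total_expected_loss(self) -> float:
        return sum(self.expected_loss().values())


def rank_assets(assets):
    """Order assets by annual expected loss, highest first: the business
    value that justifies investment goes where expected loss is largest."""
    return sorted(assets, key=lambda a: a.total_expected_loss(), reverse=True)


def security_efficiency(asset, dimension, risk_after, control_cost):
    """Expected loss avoided per unit of control cost; a value above 1 means
    the control avoids more annual loss than it costs."""
    before = asset.impact[dimension] * asset.risk[dimension]
    after = asset.impact[dimension] * risk_after
    return (before - after) / control_cost


# Constructed inventory: illustrative values only, not real figures.
INVENTORY = [
    DataAsset("customer PII (data lake)",
              {"confidentiality": 2_000_000, "integrity": 300_000, "availability": 50_000},
              {"confidentiality": 0.10, "integrity": 0.05, "availability": 0.20}),
    DataAsset("pricing formulas (trade secret)",
              {"confidentiality": 5_000_000, "integrity": 1_000_000, "availability": 10_000},
              {"confidentiality": 0.02, "integrity": 0.01, "availability": 0.30}),
    DataAsset("public website content",
              {"confidentiality": 0, "integrity": 80_000, "availability": 120_000},
              {"confidentiality": 0.50, "integrity": 0.10, "availability": 0.25}),
]

if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{a.name:35s} expected annual loss: {a.total_expected_loss():>12,.0f}")
    # Hypothetical control: encrypting the data lake at a constructed cost of
    # 150k, cutting the confidentiality breach probability from 10% to 2%.
    print(security_efficiency(INVENTORY[0], "confidentiality", 0.02, 150_000))
```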
So much for the business’s needs and point of view towards security; we also have to keep in mind an increasing demand from governmental bodies and institutions to comply with regulations. One recent example is the GDPR, a regulation that expects a business to know what data it HAS, WHERE it is used, WHO uses it and what VALUE it holds. The value, in this case being privacy data, is even specifically identified, as are the related fines in case of non-compliance.
Do you still feel comfortable making this just a financial exercise while communicating to your customers, shareholders and employees that your business is compliant, in control of its data and providing adequate cyber security controls? So, what should your budget for cyber security be based upon?
Experience – make cyber security and its budget about real risks from a business point of view. Keep in mind the growing external drivers (GDPR being an example of an external driver).
Understanding – put cyber security in the right business context and provide a transparent view of the data used in this context.
Value – make stakeholders care and obtain their involvement, because we are talking about data, not the underlying technical measures or other IT-related ‘mumbo jumbo’. Those are the means to protect, not the reason why we protect.
Keeping this in mind, having an overview of the data processed is not just a security best practice, it is also a huge step towards becoming GDPR compliant. Invest in what you experience, understand and care about, protect what matters, and do this in a meaningful way.
Always keep in mind that when you invest in cyber security, you are going to get a guaranteed return on this investment, because unfortunately it is not a matter of IF you will get hacked or breached, but WHEN you will!