A Strategic Approach to Cyber Security Spending

Cyber security technology is continuously advancing to meet evolving threats and many organizations have increased spending on cyber security programs to mitigate risk. Unfortunately, the technical progress and increased spending haven’t always translated into better protection. Breaches and ransomware are still grabbing headlines.

The underlying problem, according to Mark Sangster, Vice President and Industry Security Strategist at eSentire, an IST strategic partner for cyber security solutions, is how business leaders perceive the role of cyber security. He says, “Too many companies look at cyber security as a toolbox. Cyber security is not an IT problem to solve, rather, it’s a business risk to manage.”

One of the biggest challenges that companies face is the communication gap between technical experts—those who understand what cyber threats look like—and the business leaders who don’t. “Often it’s the business leaders that get in the way,” he says. “They don’t understand the threats, or they labor under the misconception that they’re not the type of business cyber criminals target.”

These misconceptions put technical leaders at a disadvantage because they’re not able to map a specific threat to a specific business risk in a way that justifies a business investment.

As a result, instead of building out defences strategically from an understanding of which risks are biggest and what the worst outcomes look like, organizations assemble a patchwork of cyber security add-ons, leaving too many tools to manage and too much alert noise for security teams to keep up with.

Using a strategic approach to risk management, organizations can better align cyber security spending with existing budgets and resources.

Getting a sound footing in managing cyber risk starts with going back to basics and making sure the organization agrees on how risk is defined and how it is managed. Tia Hopkins, Field CTO and Chief Cyber Risk Manager at eSentire, says, “It’s about calculating risk based on the financial value tied to assets at risk in order to prioritize risk. Choosing the right framework can be a challenge. And I find that’s where a lot of organizations fall short.”

Define Your Risk Framework
Before delving into technical decisions, organizations should answer two basic business questions by defining their “risk appetite” and their “risk tolerance.”

Risk appetite is the type and amount of risk an organization is willing to accept in pursuit of its business objectives. Hopkins says, “Risk appetite becomes the framework for how you’re going to approach risk management in general.”

Risk tolerance operates at the level of individual risks: for each specific risk, it sets how much of that risk the organization will accept before action is required.

Together, the two define the company’s risk posture, which becomes the baseline security teams use to identify the risks and vulnerabilities associated with critical assets and then prioritize action to mitigate them.

Prioritize Risks
With a risk framework in hand, eSentire recommends running a risk assessment to determine where the risks lie, whether they are tied to specific threats, specific vulnerabilities, or regulatory compliance obligations.

Sangster says, “Create a prioritized list of risks based on things like risk tolerances, and once you do that, you know what it is you’re trying to achieve.” Then map each priority to the strategy, tool, expert or other resource that mitigates it in line with your risk posture.
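The steps above (value the assets at risk, set a per-risk tolerance and an overall appetite, then rank what exceeds them) can be carried through on a small register. The following is an added example, not code from eSentire or IST; the article names no loss model, so it assumes the conventional expectancy model (single loss expectancy = asset value x exposure factor, annual loss expectancy = SLE x annual rate of occurrence), and every figure in it is constructed.

```python
"""Quantitative risk register: rank risks against per-risk tolerances and an
overall risk appetite.

Added illustration; it is not eSentire or IST material.  The loss model
(SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence)
is the conventional expectancy model, assumed here because the article does
not specify one.  All figures below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # financial value of the asset at risk
    exposure_factor: float  # fraction of that value lost in one incident, 0..1
    annual_rate: float      # expected incidents per year (ARO)
    tolerance: float        # max acceptable expected annual loss for this risk

    @property
    def single_loss_expectancy(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def annual_loss_expectancy(self) -> float:
        return self.single_loss_expectancy * self.annual_rate

    @property
    def excess(self) -> float:
        """Expected annual loss above this risk's tolerance (0 if within)."""
        return max(0.0, self.annual_loss_expectancy - self.tolerance)


def build_register() -> List[Risk]:
    """Constructed sample register (hypothetical figures)."""
    return [
        Risk("Ransomware on file servers", 2_000_000, 0.50, 0.2, 50_000),
        Risk("Phishing-led credential theft", 500_000, 0.20, 2.0, 100_000),
        Risk("Web application defacement", 100_000, 0.10, 1.0, 20_000),
        Risk("Lost encrypted laptop", 50_000, 0.05, 3.0, 10_000),
    ]


def prioritise(risks: List[Risk], appetite: float) -> Tuple[List[Risk], float, bool]:
    """Return the risks over their tolerance (largest excess first), the total
    expected annual loss, and whether that total sits within the appetite."""
    total = sum(r.annual_loss_expectancy for r in risks)
    over = sorted((r for r in risks if r.excess > 0),
                  key=lambda r: r.excess, reverse=True)
    return over, total, total <= appetite


def control_value(risk: Risk, residual_rate: float, annual_cost: float) -> float:
    """Net annual benefit of a control that lowers the incident rate to
    residual_rate; a positive number means the spend is justified by the
    expected loss it removes."""
    residual_ale = risk.single_loss_expectancy * residual_rate
    return (risk.annual_loss_expectancy - residual_ale) - annual_cost


if __name__ == "__main__":
    register = build_register()
    over, total, ok = prioritise(register, appetite=300_000)
    print(f"Total expected annual loss: {total:,.0f} (within appetite: {ok})")
    for r in over:
        print(f"  {r.name}: ALE {r.annual_loss_expectancy:,.0f}, "
              f"tolerance {r.tolerance:,.0f}, excess {r.excess:,.0f}")
    # Hypothetical control: EDR plus offline backups cut ransomware ARO 0.2 -> 0.05
    print("Ransomware control net value:",
          f"{control_value(register[0], 0.05, 60_000):,.0f}")
```

Two of the four constructed risks exceed their tolerance, and the register as a whole exceeds a 300,000 appetite, which is the signal that spending is needed; `control_value` then expresses a candidate control in the same currency as the risk, which is the mapping from threat to business justification the article says most technical leaders struggle to make.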

Sangster says one of the best ways to start this conversation is to run a security awareness session with the executives so they can see, at a high level, what the risks and threats are.

Sangster says, “By running a simple simulation exercise of a breach, they start to see that there’s a lot of business decisions to make.” For example, Will we have to disable a certain service? And if so, what effect will that have on the business? Will it affect our customer base when it becomes public? What are we obligated to report on?

Establish KPIs
Once strategies and tools are in place to address prioritized risks, organizations need a way to know that they’ve made progress in mitigating risk.

Hopkins says, “This is where companies like IST and eSentire add a ton of value to the organizations we work with because KPIs and metrics are huge.” She says identifying the right KPIs to track can be difficult.

“It’s difficult to establish a standardized framework for how to measure because organizations are going to have different priorities, and different concerns that bubble up to the top of their list over others as you go from company to company, or industry to industry,” she says.

Which KPIs fit depends on the maturity of the overall program. For example, you can measure how quickly you identify and close vulnerabilities, or how much better your users have become at recognizing phishing emails. It comes down to what the organization’s focus is.
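The two KPIs named above can be computed from the data a program already has. The following is an added example, not code from eSentire or IST; the remediation SLA per severity, the finding records and the phishing-campaign figures are all constructed assumptions rather than numbers from the article.

```python
"""Security program KPIs from sample data: vulnerability remediation against
an SLA and the phishing-simulation trend.

Added illustration; not eSentire or IST material.  The SLA days per
severity, the finding records and the campaign figures are constructed
assumptions, not figures from the article."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Assumed remediation SLA (days to close) per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
# Assumed reporting date for the "still open" calculation.
REPORT_DATE = date(2024, 3, 1)


@dataclass(frozen=True)
class Finding:
    ident: str
    severity: str
    found: date
    closed: Optional[date]  # None while the finding is still open


def sample_findings() -> List[Finding]:
    """Constructed vulnerability records."""
    return [
        Finding("V1", "critical", date(2024, 1, 2), date(2024, 1, 6)),
        Finding("V2", "critical", date(2024, 1, 10), date(2024, 1, 25)),
        Finding("V3", "critical", date(2024, 2, 20), None),
        Finding("V4", "high", date(2024, 1, 5), date(2024, 1, 30)),
        Finding("V5", "high", date(2024, 1, 15), date(2024, 2, 20)),
        Finding("V6", "high", date(2024, 2, 25), None),
        Finding("V7", "medium", date(2024, 1, 1), date(2024, 2, 15)),
    ]


def remediation_kpis(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per severity: mean days to close, percent closed within SLA, and the
    number of open findings already past SLA as of the report date."""
    kpis: Dict[str, dict] = {}
    for severity, sla in SLA_DAYS.items():
        group = [f for f in findings if f.severity == severity]
        ages = [(f.closed - f.found).days for f in group if f.closed is not None]
        overdue = [f for f in group
                   if f.closed is None and (as_of - f.found).days > sla]
        kpis[severity] = {
            "mean_days_to_close": round(mean(ages), 1) if ages else None,
            "pct_closed_in_sla": (round(100.0 * sum(a <= sla for a in ages) / len(ages), 1)
                                  if ages else None),
            "open_past_sla": len(overdue),
        }
    return kpis


# (month, emails sent, clicked the lure, reported to security) - constructed.
Campaign = Tuple[str, int, int, int]


def sample_campaigns() -> List[Campaign]:
    return [("2024-01", 400, 60, 40), ("2024-02", 400, 44, 72), ("2024-03", 400, 28, 120)]


def phishing_kpis(campaigns: List[Campaign]) -> List[dict]:
    """Click rate and report rate per campaign, in percent."""
    return [{"month": month,
             "click_rate": round(100.0 * clicked / sent, 1),
             "report_rate": round(100.0 * reported / sent, 1)}
            for month, sent, clicked, reported in campaigns]


def phishing_improving(campaigns: List[Campaign]) -> bool:
    """True when clicks fell and reports rose between the first and last campaign."""
    rates = phishing_kpis(campaigns)
    first, last = rates[0], rates[-1]
    return (last["click_rate"] < first["click_rate"]
            and last["report_rate"] > first["report_rate"])


if __name__ == "__main__":
    for severity, kpi in remediation_kpis(sample_findings(), REPORT_DATE).items():
        print(severity, kpi)
    for kpi in phishing_kpis(sample_campaigns()):
        print(kpi)
    print("Phishing awareness improving:", phishing_improving(sample_campaigns()))
```

Tracking the report rate alongside the click rate matters: a falling click rate alone can reflect users ignoring mail, whereas a rising report rate shows they are recognizing phishing and acting on it, which is the behaviour the awareness program is meant to produce. The "open past SLA" count is the number a business leader can act on today, rather than a historical average.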

Hopkins says, “If you can’t measure it, then you really won’t know how well it’s working. So it’s critical to establish those KPIs to know how well you’re doing, where you need to improve and demonstrate the overall effectiveness of your program to business leaders.”

Align Spending with Risk
More spending on cyber security doesn’t always result in better protection. To ensure that your cyber security spending results in real protection, contact IST to learn how you can maximize protection within your current budget.