10th May, 2023 • The St Regis, Abu Dhabi, UAE
Making the most of your cybersecurity resources
CISOs’ real-world job is getting the best from a limited budget: learn from the experts
All too often cybersecurity is still treated as a binary IT question: is our IT infrastructure secure? The problem with that framing is, first, that the honest answer is always ‘not 100%’, and second, that the question ignores the factors that should actually drive a real-world security programme. Cybersecurity is a business risk like any other: its significance is a function of the risk cyber-crime poses to the business; there is a finite level of resourcing with which to mitigate the most material elements of that risk; and there will always be residual risk that is not mitigated. That residual reflects both the limits of the budget and the risk appetite of the firm.
So, is there a better way to do cybersecurity than treating it as a constant battle to buy the latest IT to keep up with ever more technologically advanced attackers? One answer is to move away from a purely granular focus on IT. Take the asset inventory, the foundation of many cybersecurity programmes: list every device and application on the network so that you can monitor and log activity, ensure regular patching and check for anomalous behaviour. That list is necessary, but treating every device and every application the same, regardless of how much each contributes to business risk, is wasteful unless it is paired with a business-led evaluation of which processes are genuinely critical.
Taking a risk-based approach to security creates a more efficient and effective programme: it reduces waste and directs resources to the issues that are of genuine, material significance to the business. It can also produce evidence that helps increase the resources available to the security team, by demonstrating real business value rather than a list of patched boxes.
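As an added illustration of the argument above (this is example code written for this page, not material from the event or its speakers), the script below takes a small, constructed asset inventory and ranks the same findings two ways: by technical severity alone, which is what a flat inventory gives you, and by a risk score that weights severity by the asset's exposure and by the impact of the business process it supports. It then shows what gets fixed under a fixed patching capacity and what residual risk is left over. The process names, weightings and CVSS values are hypothetical assumptions chosen to make the contrast visible.

```python
"""Risk-weighted prioritisation of a flat asset inventory (constructed example).

Assumptions (not from the page): a 1..5 business-impact scale per process,
an exposure multiplier per network position, and CVSS as the technical severity
of the worst unpatched finding on each asset.
"""
from dataclasses import dataclass

# Business-led input: how much a failure of each process hurts the firm (1..5).
# These are hypothetical values for the example.
PROCESS_IMPACT = {
    "card-payments": 5,
    "customer-portal": 4,
    "hr-payroll": 3,
    "internal-wiki": 1,
    "dev-sandbox": 1,
}

# Exposure multiplier: how reachable the asset is to an attacker (assumed scale).
EXPOSURE = {"internet": 1.0, "partner": 0.7, "internal": 0.4, "isolated": 0.1}


@dataclass(frozen=True)
class Asset:
    name: str
    processes: tuple   # business processes the asset supports
    exposure: str      # key into EXPOSURE
    cvss: float        # worst unpatched finding on the asset, 0..10


def business_impact(asset: Asset) -> int:
    """Highest-impact process the asset supports; unknown processes floor at 1."""
    return max((PROCESS_IMPACT.get(p, 1) for p in asset.processes), default=1)


def risk_score(asset: Asset) -> float:
    """Severity x exposure x business impact, rounded to one decimal (0..50)."""
    return round(asset.cvss * EXPOSURE[asset.exposure] * business_impact(asset), 1)


def naive_order(assets):
    """The 'every device is the same' approach: sort by CVSS alone."""
    return sorted(assets, key=lambda a: a.cvss, reverse=True)


def risk_order(assets):
    """Risk-based approach: sort by business-weighted score."""
    return sorted(assets, key=risk_score, reverse=True)


def plan(assets, capacity: int, order_fn):
    """Fix the top `capacity` assets under the given ordering.

    Returns (names fixed now, names deferred, residual risk of the deferred set).
    The residual is the part of the risk the budget does not reach.
    """
    ranked = order_fn(assets)
    fixed, deferred = ranked[:capacity], ranked[capacity:]
    residual = round(sum(risk_score(a) for a in deferred), 1)
    return [a.name for a in fixed], [a.name for a in deferred], residual


# Constructed inventory: five assets, each with one outstanding finding.
INVENTORY = [
    Asset("pay-gw-01", ("card-payments",), "internet", 7.5),
    Asset("portal-web-02", ("customer-portal",), "internet", 8.1),
    Asset("payroll-db-01", ("hr-payroll",), "isolated", 6.4),
    Asset("wiki-01", ("internal-wiki",), "internal", 9.1),
    Asset("dev-sandbox-07", ("dev-sandbox",), "internal", 9.8),
]

if __name__ == "__main__":
    # Same two-asset patching budget, two different orderings.
    for label, fn in (("CVSS only", naive_order), ("risk-based", risk_order)):
        now, later, residual = plan(INVENTORY, capacity=2, order_fn=fn)
        print(f"{label:10s} fix now: {now}  deferred: {later}  residual risk: {residual}")
```

Run stand-alone, the CVSS-only ordering spends the two-asset budget on the sandbox and the wiki and leaves the internet-facing payment gateway and customer portal waiting; the risk-based ordering reverses that. The residual figure is the number to put in front of the business: it is what the current budget does not cover, and whether it is acceptable is a risk-appetite decision, not an IT one.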
Another way to apply real-world thinking to cybersecurity is to start with people: buying technology that is too complex, or that requires significant IT resources or ongoing staffing, means under-using that technology or even exposing the organisation to increased risk. So, start with the team you can afford and then think about what tech that implies. A realistic evaluation of the skillsets available and the flexibility of in-house resources may well lead to a decision to outsource.
Like other business risks, cyber risk can at least partly be hedged or insured. Right now the cyber-insurance market seems to be in flux, with some insurers even suggesting that cybersecurity is becoming an ‘uninsurable’ risk. In reality, premiums are finally being adjusted to reflect the actual security posture of the firms that want to buy cover. So, what do you need to be able to prove to keep access to cyber-insurance, and are those requirements consistent with your current level of security resourcing?