Corporate security leaders generally understand that trying to protect every business or IT asset to the same level is neither affordable nor sensible. Risk management starts from the recognition that perfect protection does not exist; the job is to decide which losses matter most and spend accordingly.
Cybersecurity budgets may be growing, but they are not unlimited. The challenge is to spend them efficiently against a strategy that will inevitably change every year or so: threats evolve, compliance requirements change and business priorities shift, so security plans and budget allocations must change with them.
The threat environment has also become more serious. Malicious actors are brazenly raiding some of the best-known and best-funded organisations in the world, and spear phishing, ransomware and distributed denial of service (DDoS) attacks are not alternatives an organisation can choose between; it may have to defend against all three at once.
The problem is compounded by the fact that the network perimeter has blurred. Business and IT assets are distributed across on-premises, colocation, private cloud and public cloud environments, and an organisation may also be sharing data with external third parties, to whom it provides programmatic access through standards-based application programming interfaces (APIs).
Where an organisation ends and the outside world begins is not so easy to see any more. Newer technologies, such as mobile, wireless, and the Internet of Things (IoT) further blur the perimeter.
For example, the user of a mobile app developed by a partner might be reaching back-end systems through an API. The organisation has no control over the security configuration of that user's device or over whether its data is encrypted at rest there, so whatever controls it needs (authentication, authorisation, rate limiting) have to be enforced at the API itself rather than trusted to the client.
Workforce changes make the perimeter harder to see and enforce as well. Most organisations now have full-time employees, contractors, outsourcing firms and possibly offshore staff accessing core IT assets. Worse, a contractor working for a partner firm, whom the organisation has never vetted, might hold privileged access to its systems.
The growing threat environment and the blurring perimeter compound each other, and together they put more pressure on the security budget.
A proven practice is to conduct a business impact analysis (BIA), identify the risks that carry the greatest potential business loss, and focus spending on those. Not all risks are alike in business impact. A defaced company website is embarrassing, but it can usually be restored quickly and cheaply. A breach of a customer database, by contrast, is expensive to remediate and can cause long-term reputational damage that is never fully repaired.
The reality of today's security environment is that organisations must manage the risks they actually face with the budget and resources they have. It is possible to spend that budget efficiently and still achieve a higher level of risk mitigation: understand the organisation's risk profile, decide which risks can be addressed in-house, and work with partners for the security advisory and services that fill the remaining gaps and strengthen the overall security posture.
Stuart Mills, Regional Director – ANZ, CenturyLink