
Infonomics: The Financial Case For Automated Security

By Spencer Young | August 1, 2019 | Updated: December 30, 2021 | 5 Mins Read

What is the value of the data you hold, and how does that justify your security spend? It’s a question that’s increasingly rising to the top of the CIO’s list – not to mention the CISO’s.

As the CISO increasingly moves towards the boardroom, they need to be able to justify their spend to the CEO and shareholders. If security spend has become an indiscriminate affair, with a focus on securing the perimeter at all costs but with no insight into how the company benefits, the financial case for investment is likely to face challenges pretty quickly. 

For many years, the prevailing attitude has been that in the face of an indistinct enemy, buying too many systems was a better bet than buying too few. All the salesmen had to imply was that this backdoor could be the one that brought your company down if you didn’t seal it, and the purchase would be rubber-stamped. Over time, however, that approach has led to the development of huge, unwieldy systems that cost a small – or a large – fortune to run. 

Part of the reason for this steady build-up of indiscriminate spend is that cybersecurity used to be the preserve of ‘technical’ staff whose first priority was the security of the company, not balance sheets. In the last five years, however, it’s risen steadily up the chain of command until it reached its present position on the board’s plate. Those technical staff now have to justify spend in terms of business benefit, not technical specification.

The business case

The fact is, cybersecurity is now a major business threat – it’s become the most significant continuity risk in business, more disruptive than strikes, hurricanes and terrorism. Commerce is relentlessly digital, and it’s predicted that data flows will be worth more than the international trade in physical goods within the next ten years. Information is money, and that means that cybercrime is no longer just a hobby for spotty teenagers or a bogeyman for weird-beard technophiles – it’s a big, polished enterprise.

As a result, the CEO now needs to understand the top-level detail of the company’s cybersecurity stance. The CISO has a very valid case to bring – intelligent investment in cybersecurity directly offsets the potential financial risk of a breach. In other words, security investment is still essential, but it now needs to be intelligently directed, informed by a detailed risk analysis based on the data in play. 

This is the concept of ‘risk buydown’ – but to quantify it, the CISO must have deep insight into the data the company holds, being able to categorise it and work out the potential risk to the company. Only then can they present a truly accurate case for spend to the board.

Use data to analyse risk

Advanced analytics should be at the heart of security planning. CISOs looking to present a new security investment strategy to the board should begin by undertaking a deep, granular review of the data that resides in or passes through the organisation’s systems. How much is proprietary, and of that, what should be classified as secret or high value? This information should be graded in a risk-to-cost structure, identifying which information would carry the greatest financial penalty for the company if it were breached.

In the same way, the review should seek to identify personally-identifiable information (PII) belonging to third parties, and customers in particular. As concerns around personal privacy have escalated in recent years and governments have responded with regulations like GDPR, the need to preserve the security of third-party data has taken on a vastly augmented financial dimension. The hefty fines attached to GDPR infringements mean that a poorly-constructed cyber defence could end up very quickly becoming the CEO and CFO’s problem in the case of a breach.

In short, granular data analysis is an essential first step when building a security investment case. The more you know about the data you’re holding, the more accurate your cost/benefit analysis will be, the more intelligently you can plan the systems you implement and the more likely the board is to get on…board.

Win over the board

The key point here is that security budgets now need to match the wider financial concerns of the business. By demonstrating the role cybersecurity can play in protecting the financial health of the company and helping it to mitigate a major continuity risk, CISOs can not only secure the budget their teams need, but begin to take on a more consultative, value-add role in the business.

For example, an increasingly large majority of companies rely on some form of digital infrastructure for the day-to-day functioning of the business, whether it be an e-commerce site, a digital partner portal or an automated production line management platform. Given the strategic importance of such infrastructure and the data that resides within it, the CISO now has an important role to play in consulting on the design and implementation of frontline business systems.

Whatever the use case and whatever the organisation, CISOs need to focus on the data when making the case for cybersecurity investment. Value resides with the data, not the system in which it resides. A data-centric cost analysis – and a data-centric security system – are the best way to guarantee your organisation has the defence it needs.

Spencer Young

RVP EMEA


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
