04 October 2017
Posts by author: Guus van Es, GM Security Consulting Worldwide, BT.
Figuring out how much to budget on your security can be a complex process. But with Guus van Es’s advice, it’s easy to untangle the answer…
Visiting a customer at the beginning of the month, I was asked a question I hear often. It’s one you might recognise: “You know Guus, we are committed to keeping our business and our customers safe from cyber crime. That said, we cannot afford it all and find it difficult to determine priorities, as well as budget. What shall we do?”
Taking a step back
Clearly it’s a very relevant question for any business, at any given time. The good news is that the answer lies within your organisation.
That answer is influenced by a number of business specifics, such as: your (changing) risk landscape, existing measures you’ve taken, and your risk appetite. I would argue, though, that the biggest factor should be your business priorities — i.e. figuring out which, based on your business strategy, are your most valuable assets. From there you can determine what that means in terms of your security strategy and associated priorities and budget.
Breaking it down
As an example, let’s assume you’re a retailer (clicks and bricks) and your strategy is based around cost leadership — holding close to zero inventory, allowing you to compete on speed and price with acceptable quality products. Your online environment, as well as your supply chain, will likely be among the most important areas to protect, as well as customer data.
This is likely very different from a business that designs and builds vessels in-house, delivering four state-of-the-art ships every two years to a single, or few, global customers. For a company like this, their crown jewels are likely their intellectual property — their designs and innovation — as well as customer data.
Three questions you need to get solid answers to
So, in the context of such examples, try to answer the following three questions as a basis for your model, prioritisation and decision making:
1. What is our purpose, and how does it shape our security priorities?
What differentiates you from competitors and makes customers choose you? Knowing this, you can determine what is most important to protect, effectively bridging the gap that often exists between the business, IT and security. And, ideally, go beyond that and identify how IT and security can become a business differentiator.
2. Who is the enemy/what is our risk landscape?
Based on your company’s agreed business priorities, what is the information that needs protecting the most? You need to build a detailed picture of where the potential threats could come from, as this will give you a much more realistic chance of fending off would-be external attackers, as well as preventing internal risks and incidents.
3. How well equipped are we to protect ourselves, and what external support is required?
Knowing what you need to protect, and who to protect it from, gives you the basis to assess how ready your company is for attacks, as well as for preventing internal issues. You are effectively building a security strategy aligned to your organisation’s business priorities. This enables you to select your partner(s) to address any current and future gaps.
Now some of you will say: “we’re already beyond that, we know our crown-jewels and still struggle with budget priorities”. To that, I’d say that I strongly advise any business to first ensure control of the basics before anything else. Meaning:
- Get your asset management under control and ensure you implement all of the latest patches and software upgrades. There’s little value in focusing on all the sophisticated stuff, if you don’t have the basics right. Please don’t assume you do, you might be surprised — as some of the recently compromised companies in the news have had to admit.
- Ensure continuous awareness training and updates.
- Threat Intelligence: make your people the strongest link (instead of the weakest). Especially as phishing (including spear phishing, whaling etc.) and ransomware continue to be a major source of attacks.
These three areas, combined with the specific compliance requirements for your sector or region (such as GDPR), should be your foundation — and can be budgeted for.
Hopefully that answers the question I’m now so used to being asked!
With that in place, I always encourage any business to go beyond risk and compliance, and use IT and security as business differentiators, a topic I will address in my next blog.