Visiting a customer at the beginning of the month, I was asked a question I hear often. It’s one you might recognise: “You know Guus, we are committed to keeping our business and our customers safe from cyber crime. That said, we cannot afford it all and find it difficult to determine priorities, as well as budget. What shall we do?”
Clearly it’s a very relevant question for any business, at any given time. The good news is that the answer lies within your organisation.
That answer is influenced by a number of business specifics, such as: your (changing) risk landscape, existing measures you’ve taken, and your risk appetite. I would argue, though, that the biggest factor should be your business priorities — i.e. figuring out which, based on your business strategy, are your most valuable assets. From there you can determine what that means in terms of your security strategy and associated priorities and budget.
As an example, let’s assume you’re a retailer (clicks and bricks) and your strategy is based around cost leadership — holding close to zero inventory, allowing you to compete on speed and price with acceptable quality products. Your online environment, as well as your supply chain, will likely be among the most important areas to protect, as well as customer data.
This is likely very different from a business that designs and builds vessels in-house, delivering four state-of-the-art ships every two years to a single, or few, global customers. For a company like this, their crown jewels are likely their intellectual property — their designs and innovation — as well as customer data.
So, in the context of such examples, try to answer the following three questions as a basis for your model, prioritisation and decision making:
What differentiates you from competitors and makes customers choose you? Knowing this, you can determine what is most important to protect, which effectively bridges the gap that often exists between the business, IT and security. Ideally, go beyond that and identify how IT and security can become a business differentiator.
Based on your company’s agreed business priorities, what is the information that needs protecting the most? You need to build a detailed picture of where the potential threats could come from, as this will give you a much more realistic chance of fending off would-be external attackers, as well as preventing internal risks and incidents.
Knowing what you need to protect, and who to protect it from, gives you the basis to assess how ready your company is for attacks, as well as for preventing internal issues. You are effectively building a security strategy aligned to your organisation’s business priorities. This enables you to select your partner(s) to address any current and future gaps.
Now some of you will say: “we’re already beyond that, we know our crown jewels and still struggle with budget priorities”. To that, I’d say that I strongly advise any business to first ensure control of the basics before anything else. Meaning:
These three areas, combined with the specific compliance requirements for your sector or region (e.g. GDPR), should be your foundation — and can be budgeted for.
Hopefully that answers the question I’m now so used to being asked!
With that in place, I always encourage any business to go beyond risk and compliance, and use IT and security as business differentiators.