Cybersecurity is making its way to the forefront of every enterprise's agenda. Even for organizations where cybersecurity is not a priority, cybersecurity is becoming an area of deep concern in boardrooms. As we delve deeper into the 21st century, enterprises that have been operating successfully for years and even decades with very little thought to digitization, let alone cybersecurity, are scrambling to address the challenges of a cyberspace full of threats.
This danger is compounded by media reports of new high-profile cyber attacks almost every other week. According to industry reports, cyber attacks are becoming more frequent and have increased in scope.
So how do businesses react to this new challenge? They throw money at the problem.
In a 2017 report by Gartner, the firm forecasts that global spending on enterprise security will reach USD 96.3 billion in 2018, an increase of 8% from 2017. In the mad dash to beef up enterprise security and protect their assets from cyber threats, many enterprises fall into some bad spending habits.
Fear of Loss
In the face of an immediate threat, the natural reaction is to strengthen defenses with all haste. This is exactly the approach that businesses are taking, and understandably so as they are most concerned with avoiding loss. Much of cybersecurity spending is framed within the scope of how much money the business would lose in the event of a potential cybersecurity attack. One of the most commonly-used practices for selling cybersecurity solutions is to make the fear real for the decision-maker. This fear-based approach helps sell solutions but leads to poor spending practices such as supplementing existing business systems with cybersecurity requirements, investing in focused, specialized solutions and spending budgets in a reactive, short-sighted manner.
This approach is the equivalent to treating each cybersecurity requirement that crops up as one tree in a vast forest of similar requirements. Businesses are dealing with each tree on its own when they should consider the whole forest to navigate it properly.
As the old saying goes, “They can’t see the forest for the trees.”
The Cyber Security Transplant
Many of today’s businesses function on systems and processes that were created before rapid digitization and were designed without taking those implications into account.
The most common approach to addressing a businesses' cybersecurity needs is to supplement their existing systems and processes with cybersecurity solutions. Since the transplant of added security functions and requirements surpasses the original design of many of these established processes, enterprises end up with unintended and less efficient results.
Doing One Thing Well
Businesses tend to review their cybersecurity needs on an ad-hoc basis. Do we need a firewall to lock down network activity and secure our people? What about a patch management solution? Is there a vendor that can perform these functions the best and at a reasonable price?
This kind of implementation is not uncommon. It makes sense, is straightforward and there are clear results. There’s no need to fix something that isn’t broken, right?
While it is easy to fall into the practice of addressing requirements as they arise, there are drawbacks. It’s difficult to gauge the effectiveness of these solutions based on the money spent.
Without an overarching strategy, spending occurs as the need arises and does not take priorities into account. Additionally, there is a risk of deploying overly-complex systems. An enterprise that builds a cybersecurity program in this manner will eventually have disparate solutions. Any deficiencies in the system become difficult to diagnose as well.
The Knee-Jerk Response
In the two scenarios above, the spending is not only on point solutions but also reactionary. This practice of reactionary spending is a short-sighted approach that lacks strategy and leads to difficulty in gauging cost-effectiveness of the solutions needed.
Enterprises need to deal with cybersecurity holistically, and not on an ad-hoc basis. Having a proper strategy in place means having the capability to deal with challenges as they crop up.
Cyber Security is Everything
The challenge in building an effective cybersecurity program is relatively new. Enterprises recognize the need for it but approach cybersecurity as a new business component to be added to existing business processes. This should not be the case. Cybersecurity changes the way business is done and affects all business processes. Cybersecurity is everything.
Businesses that hope to implement highly-effective cybersecurity strategies need to take a step back and consider their organization as a whole and how cybersecurity affects every part of it.
The foundation of a cybersecurity strategy is built from a thorough assessment to identify an enterprise’s assets, critical business processes, and the threats to those assets and processes. A comprehensive accounting of these things will enable an accurate risk assessment to determine the priority in which those risks need to be addressed.
From the Ground-up
Armed with the knowledge gained from a comprehensive assessment, enterprises can begin to craft a strategy for their organization that takes into account the whole and not just its disparate parts. A holistic approach provides the ability to visualize how the enterprise is implementing security from end to end.
A strategy formulated in this manner will capture potential risks and prioritize them by severity, impact to the organization, cost, opportunities for solution integration, and level of difficulty to implement. These decisions are complicated and involve serious consideration, but they could not even be considered without a full picture of an organization’s risk profile.
A holistic cyber security strategy contends that cybersecurity touches all facets of a business. Under this approach, business processes would generally need to be re-designed with cybersecurity considerations integrated at the foundational level. This means designing a cybersecurity strategy from the ground-up with the ability for integration into new business processes and scalability as opposed to deploying solutions that are to be grafted onto existing business processes.
An overarching, comprehensive cybersecurity strategy also allows for the design of platforms that consist of integrated solutions, instead of point solutions. This will provide an overview of cybersecurity requirements that will enable advanced, forward-thinking spending strategies.
The Forest Emerges
With the adoption of a holistic method, enterprises become secure by design and not by necessity. Enterprises move from a fear-based approach to cybersecurity and instead begin an approach that is risk-based. Decisions are no longer tactical and short-sighted. They become strategic and insightful. Spending is no longer reactive. It becomes proactive and anticipatory.
With this new way of thinking, enterprises can begin to see the forest through the trees.