Investing in Enterprise-wide Security
James M. Myers B.S., MS., CCISO, CISSP
Does your organization view spending money on information systems security (cybersecurity) as an investment, a financial burden, or an unjustified cost of doing business? Is your security budget directed primarily to the Information Technology (IT) department? Realizing that business operations security is a business issue and not just an IT “thing” has become the new cybersecurity paradigm. This new operating paradigm requires business executives to seriously think about how they’re going to secure the entire enterprise. A new “holistic” approach is needed. This holistic approach requires an enterprise-wide security investment in people, process, and technology.
How to Think About Cybersecurity Investments
The most critical thought about securing the entire enterprise is acknowledging that technology is not a panacea for every security issue. Consider how many companies worldwide implemented security solutions through their IT department only to discover that their network systems had been breached by criminals. A higher level of thinking in cybersecurity leadership is needed to thwart future financial losses effectively. Below are some questions to promote critical thinking before investing in cybersecurity solutions:
- Is my cybersecurity investment supporting the business’ strategy, goals, and objectives?
- How much inherent and residual risk is the business willing to accept?
- How much annual security budget do I need to address the level of risk and why?
- What are the people skill sets, business processes, and technologies that need funding?
- What are the most to least critical people, business processes, and systems that make up daily operations inside the business?
People Component of Cybersecurity Investing
The new reality in today’s business environment is that everything is electronically connected. The plethora of wired and wireless connections has created a fast-moving and ever-changing security landscape (posture). This new posture requires critical thinking that challenges the status quo of existing security solutions. The increased complexity of enterprise technologies requires a village of people to secure it. In other words, no single individual has all the answers, and no single individual can solve all the security problems. The new business-enabled security leader must be able to guide, direct, and help enrich everyone across the enterprise with a security investment mindset. This is the holistic human capital approach to mitigating the constant threat of network systems breaches or loss of critical Intellectual Property (IP).
Process Component to Cybersecurity Investing
The move to cloud computing and storage has changed how business processes support daily operations. Business IP is now being stored and managed by third-party companies. This creates new business processes that reside outside the core boundaries of brick-and-mortar companies. These processes must be analyzed and assessed for their level of criticality in supporting daily operations. Cloud-enabled processes may require High Availability (HA) data links with strong security such as Multi-Factor Authentication (MFA) and encryption techniques. Investing in cloud services is a security paradigm that requires a serious look at business processes and how to secure them. This includes all data links to and from vendors, customers, contractors, and remotely connected employees.
Technology Component to Cybersecurity Investing
The cybersecurity vendor community has exploded in numbers since 2012. Worldwide spending on cybersecurity products and services is predicted to eclipse $1 trillion for the five-year period from 2017 to 2021. There will be plenty of security technologies for security executives to analyze and assess. There is enhanced opportunity to purchase and implement tomorrow’s security technologies in today’s operating environments. Out with the static and signature-based solutions and in with the new Artificial Intelligence (AI), Machine Learning (ML), and User Behavior Analytics (UBA)/User and Entity Behavior Analytics (UEBA) solutions. Each of these solutions requires advanced mathematical algorithms to effectively assimilate multiple vectors of input data. The intent is for machines to assist with analyzing real-time security incidents, thereby decreasing security investments while increasing information systems data reliability through an effective security posture.
Holistic Approach Value
There are minimum requirements for protecting company IP and critical data. This is the technology-only approach to solving the complex task of effectively securing the entire enterprise. Given the number of successful security breaches over the past five years, it’s safe to say that change is needed. The holistic approach to cybersecurity will:
- Provide a stronger defensive security posture across the company’s information systems
- Encompass a greater knowledge of security practices across the entire employee body
- Allow executives to make well-informed, security-enabled decisions
- Help to protect the company’s brand, image, financials, and intellectual property
Taking a holistic approach to investing in people, process, and technology can provide the needed foundation for securing the enterprise today and in the future.