As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Andrew Hollister of LogRhythm makes the case for risk optimization as the way to get the most out of your cybersecurity budget.
As cyber-attacks increase in volume and sophistication, organizations are under pressure to safeguard themselves from compromise. The threats that will emerge in the coming years will be challenging to keep up with, even though businesses are investing more than ever to protect every aspect of their infrastructure.
However, the “more is better” concept is unsustainable today due to the overwhelming number of systems needing protection and the ever-evolving cyber threat landscape. Digital transformation is expanding the threat surface faster than ever, and unless you have an enormous cybersecurity budget and endless resources to monitor all the applications, you can’t keep up.
Given the current state of our economy, organizations across all industries are taking steps to optimize budgets, and CISOs must take a targeted approach when planning their cybersecurity budget. My recommendation is to move towards a more “risk optimization” approach to ensure cybersecurity investments are guided by business outcomes.
To create a cyber strategy that accepts the right amount of risk, organizations need to move to a “risk optimization” model, which involves evaluating threats, priorities, and business investments. Aligning the cyber threat discussion with business goals makes it possible to gain access to strategic funds for cybersecurity.
The need to reevaluate cybersecurity initiatives has been fueled by the continual worsening of the cyber threat landscape alongside constrained resources. In fact, in 2021, the average number of cyber-attacks and data breaches increased by 15.1 percent. Therefore, in the midst of numerous costly cyber-attacks, businesses must figure out how to maximize the return on their cybersecurity spending. The cost of a breach is measurable, but the reputational damage to a business has no price. So, how can a business handle ongoing cybersecurity threats?
Better prevention is accomplished when organizations consolidate their solutions. A platform approach to cybersecurity solutions can help them increase the effectiveness of their cybersecurity program by preventing them from wasting time, resources, and team effort on learning multiple systems, and by reducing the so-called “swivel chair” analysis, where time is lost switching from one system to another. Additionally, a consolidated platform may provide insights into threats the organization would not otherwise have been aware of.
Most organizations also realize and understand the need for a security operations center (SOC) to carefully monitor for threats around the clock but oftentimes are unable to afford a fully staffed 24/7 SOC. However, by applying a risk optimization strategy, they may be able to prioritize resources to build a SOC even with a limited budget.
Thankfully, the days of depending solely on security and IT teams for cybersecurity decisions are coming to an end. Since the C-suite and board of directors are accountable for their company’s privacy, data protection, and regulatory issues, they must be involved in the discussions regarding their organization’s cybersecurity. The cyber program should be driven by the CISO’s knowledge of each leader’s top security concerns, key business goals, critical business areas, and the networks and systems that support those areas. This information connects security efforts with business results and ensures that investments in cybersecurity do in fact address the major threats to the business.
CISOs can also better align with stakeholders by focusing on business outcomes rather than on technical security tactics. The results of such a discussion will help to adjust the program and determine how much cybersecurity is necessary, as well as build confidence in the wider business that the security leader not only supports the business but also understands the business goals. Security programs need to be an enabler, either by directly serving business needs or by enabling the business to deliver value faster whilst remaining secure.
When security leaders speak the language of business and move towards a “risk optimization” approach, they are more likely to get a seat at the business table. This gives them a platform to inform and educate their peers at the leadership level and can alter the organization’s perception of cybersecurity, from a cost center to a business solution. Once organizational priorities influence cybersecurity decisions and the focus moves away from being primarily technical to being focused on risk, the conversation about cybersecurity shifts to a more executive-level role.
CEOs want to have conversations with CISOs about budget prioritizations and spending choices based on knowledge of cyber risk in relation to organizational priorities. Therefore, CISOs need to be prepared to have that discussion. In fact, given that business and security concerns need to be intertwined, there is a compelling argument that cybersecurity leaders should report to the CEO in order to obtain the organizational influence required to fulfill their responsibilities.
With the growing and evolving cyber threat landscape, organizations need to move away from the “more is better” model and take a more targeted approach by adopting a “risk optimization” process. Having a process that is guided by business outcomes will allow for strategic cybersecurity investments that are vital during this economic downturn.