Gartner projects that spending on information security and risk management products and services will grow 11.3% to reach more than $188.3 billion this year. But despite those expenditures, there have already been at least 13 major data breaches, including at Apple, Meta and Twitter.
To better focus security spend, some chief information security officers (CISOs) are shifting their risk assessments from IT systems to the data, applications, and processes that keep the business going.
“If you look at security from a purely technical perspective, it’s easy to get lost in, ‘I need to have this shiny object because everyone else has it,’” says David Christensen, VP and CISO at benefits administration software provider PlanSource. “The reality is often the most popular or well-known new security solution can waste money and slow the business, especially if it doesn’t align with business goals. And even if it helps secure one part of the business, it may not be the part of the business or business process that creates the most risk or is most important.”
Don Pecha, CISO at managed services provider FNTS, agrees, adding: “Each business unit of the company might have unique considerations, and unique compliance, regulatory, or privacy applications, and each business may have unique risks for the board or C-suite to consider.”
Frank Kim, CISO-in-residence at venture capital firm YL Ventures, and fellow at the SANS Institute, cites the case of one CISO who was fired after proposing costly endpoint detection and response, and incident response programs that were considered not stage-appropriate for such a startup. “Their focus was on survival and revenue growth,” Kim says. “He didn’t realise his job was not just to suggest a bunch of new security capabilities, but business enablement.”
A new definition of value
Aligning security with the business goes beyond traditional methods of justifying security spend, such as warning of the consequences of hacks or trying to prove ROI. For internal enterprise security teams, Kim says to accept that security is a cost centre and demonstrate how the CISO manages total cost of ownership over time. This might include updating CFOs and CEOs on specific cost reductions, such as reducing spend with a security vendor, finding a less expensive product to fill a security need, or improving internal metrics such as the average cost to mitigate a vulnerability, adds Tyson Kopczynski, SVP and CISO at financial services provider Oportun.
Christensen further suggests explaining how security can cut costs or increase productivity. For example, he says, web application firewalls don’t only protect applications but also cut networking costs by reducing spurious and malicious traffic. Likewise, adopting zero-trust architecture and secure access service edge technologies can boost productivity by freeing users from manually connecting to virtual private networks to reach resources, or from interrupting meetings when their VPN fails.
Kopczynski adds that CISOs can uncover such improvements with questions such as whether their organisation is using all the functions in a security tool, if those features overlap with other tools, and whether the organisation is paying too much for licenses or for too many licenses. Ways to maximise value include considering tools that perform multiple security functions, or running penetration tests, attack simulations, or offensive security campaigns that prove a tool can repel high impact attacks, he says. For example, he uses the Titaniam encryption engine to support several data protection use cases, as well as security tools provided by cloud providers such as Amazon and Microsoft. “We also look at generic cloud security solutions that provide multiple sets of protections, versus addressing one particular use case,” he says.
At global marketing agency and consulting firm The Channel Company, security considerations are deeply embedded in business strategy and budgeting, says CIO Rik Wright. This ranges from the need to meet the European Union’s GDPR to complying with security requirements from customers.
Averting threats is also part of the security value equation at the firm, which uses managed services provider GreenPages both for infrastructure and to help meet its security needs. Wright says he has seen some companies spend potentially business-threatening amounts, up to $20 million, after a ransomware attack, so preventing such losses, he says, represents very real value.
Understanding business needs
Aligning security spend with business needs starts with understanding what is most important to business managers.
Kim recommends using a “risk = impact x likelihood” formula, and rating on a scale of 1 to 10 how important each of your processes and assets is. “Your financial data might be a 10 but your HR data might be a seven as it’s not a business differentiator,” he says. “Just applying a simple scoring rubric to your risk calculation helps to bubble up what the priorities are.”
Besides the business, Christensen says CISOs must also consult IT to understand the administrative burden a new security technology might impose, and all the areas in which a security tool could be used to maximise its value. He uses the Secure Web Gateway from dope.security not only to control access, but to understand what information and websites users are accessing, and the potential risks they expose the business to.
Industry-standard frameworks, such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework, can also provide a common language and structure for risk assessment. “It’s simple enough that it’s not necessary to be a security practitioner to understand it, but it models your maturity and helps to relate that to business stakeholders,” says Christensen, adding that it’s also based on industry standards rather than the CISO’s opinions, and is continually updated to reflect new risks.
Different security frameworks are best for different industries, says Pecha. “If I’m in government, I’m going to align with NIST,” he says. “If you’re a global business, use the ISO/IEC 27000 family of standards. It’s not necessary to be certified, but be compliant and understand what the controls are in order to understand your partner’s security needs as well as your own.”
Scott Reynolds, senior security and network engineering manager for manufacturer Johns Manville, uses the ISA/IEC 62443 standard to create a common understanding between business managers, security experts and suppliers about common terms such as the “zones” of assets that share common security needs. “This process also shows we agree on the same level of risk for the entire zone, and not just each asset in the zone,” he says. “The weakest link in the zone will impact all the assets within it.”
Over at media creation and editing technology provider Avid Technology, Dmitriy Sokolovskiy, its CISO and CSO, uses NIST’s Cybersecurity Framework to measure the maturity of his security processes, and the Center for Internet Security’s top security controls for specific tactical guidance, which, he says, highlight low-hanging fruit that businesses can easily address in their infrastructure.
Applying caution with benchmarks
Several CISOs were skeptical about using benchmarks to compare their security spend with that of others, because, they say, companies may define security spend differently or have different needs. They also say benchmarks often don’t describe how and why organisations allocate their security budgets. As a result, they use benchmarks only as a rough guide to budgeting, relying primarily on their own risk assessments.
But Kim warns CISOs against refusing C-level requests for benchmarking. “It’s not unreasonable to ask for a benchmark,” he says. “A chief financial officer couldn’t say, ‘We can’t compare our earnings-per-share with others in the industry.’” Provide benchmarks, he says, but as one part of a wider explanation of how your security spend compares with others, the challenges the organisation faces, and how you’re reducing the total cost of ownership of security over time.
“CISOs should describe current threats and attacks,” says Pecha, and supply alternatives to remediate them. It’s then up to the board and the C-suite to decide what’s acceptable and what needs to be done to manage the overall risk to the business, he says, because only they have the clout to drive change.
Insisting that a business executive formally accept a business risk, even in writing, often convinces them to agree to the proposed security spend instead. When Sokolovskiy has insisted on such signoff, “Without fail, so far the business unit was actually driven to lower the risk themselves because they own it,” he says.
A business-focused approach can also spur efforts by security and business teams to identify opportunities to increase efficiency and save money, says Christensen, such as by eliminating redundant systems and processes. “With business alignment, you have no choice but to find unique and innovative ways to solve problems that are generated by how the business operates,” he says.