What, exactly, is the value of the data held by your organisation and how does that value justify and inform your security spend? It’s a question that’s increasingly rising to the top of the practising Chief Information Officer’s (CIO) list, not to mention that of the Chief Information Security Officer (CISO), as Spencer Young duly discovers.
As the CISO increasingly moves towards the Boardroom, they need to be able to justify their spend to the CEO and shareholders. If security spend has become an indiscriminate affair with a focus on securing the perimeter at all costs, but with no insight into how the company benefits, the financial case for investment is likely to face stern challenges, and to face them pretty quickly.
For many years, the prevailing attitude has been that, in the face of an indistinct enemy, buying too many systems was a better bet than buying too few. All the salesmen had to imply was that this backdoor could be the one that brought your company down if you didn’t seal it and the purchase would be rubber-stamped. Over time, however, that approach has led to the development of huge and unwieldy systems that cost a small – or even a large – fortune to run.
Part of the reason for this steady build-up of indiscriminate spend is that cyber security used to be the preserve of ‘technical’ staff whose first priority was the security of the company, not balance sheets. In the last five years, however, it has risen steadily up the chain of command until it reached its present position on the Board’s plate. Those technical staff now have to justify spend in terms of business benefit, not technical specification.
The business case
The fact is, cyber security is now a major business threat. It has become the most significant continuity risk in business and is more disruptive than strikes, hurricanes and terrorism. Commerce is relentlessly digital, and it’s predicted that data flows will be worth more than the international trade in physical goods within the next ten years. Information is money, and that means cyber crime is no longer just a hobby for spotty teenagers or a bogeyman for weird-beard technophiles. Rather, it’s a big and polished enterprise.
As a result, the CEO now needs to understand the top-level detail of the company’s cyber security stance. The CISO has a very valid case to bring – intelligent investment in cyber security directly offsets the potential financial risk of a breach. In other words, security investment is still essential, but it now needs to be intelligently directed and informed by a detailed risk analysis based on the data in play.
This is the concept of ‘risk buy-down’, but to quantify it, the CISO must have deep insight into the data the company holds, being able to categorise it and work out the potential risk to the company. Only then can they present a truly accurate case for spend to the Board.
Use data to analyse risk
Advanced analytics should be at the heart of security planning. CISOs looking to present a new security investment strategy to the Board should begin by undertaking a deep and granular review of the data that resides in or passes through the organisation’s systems. How much is proprietary and, of that, what should be classified as secret or high value? This information should be graded in a risk-to-cost structure, identifying which information would carry the greatest financial penalty for the company if it were breached.
In the same way, the review should seek to identify personally-identifiable information belonging to third parties, and customers in particular. As concerns around personal privacy have escalated in recent years and legislators have responded with regulations like the General Data Protection Regulation (GDPR), the need to preserve the security of third-party data has taken on a vastly augmented financial dimension. The hefty fines attached to GDPR infringements mean that, in the case of a breach, a poorly-constructed cyber defence could very quickly become the CEO’s and CFO’s problem.
In short, granular data analysis is an essential first step when building a security investment case. The more you know about the data you’re holding, the more accurate your cost/benefit analysis will be, the more intelligently you can plan the systems you implement and the more likely the Board is to get on board.
Win over the Board
The key point here is that security budgets now need to match the wider financial concerns of the business. By demonstrating the role cyber security can play in protecting the financial health of the company and helping it to mitigate a major continuity risk, CISOs can not only secure the budget their teams need, but also begin to take on a more consultative, value-add role in the business.
For example, an increasingly large majority of companies rely on some form of digital infrastructure for the day-to-day functioning of the business, whether it be an e-commerce site, a digital partner portal or an automated production line management platform. Given the strategic importance of such infrastructure and the data that resides within it, the CISO now has an important role to play in consulting on the design and implementation of front line business systems.
Whatever the use case and whatever the organisation, CISOs need to focus on the data when making the case for cyber security investment. Value lies with the data, not with the system in which it resides. A data-centric cost analysis – and a data-centric security system – is the best way to guarantee your organisation has the defence it needs.
Spencer Young is Regional Vice-President for EMEA at Imperva