The number of the risk: CEO – have you calibrated your security investments with your business risks?
“After very careful consideration, sir, I've come to the conclusion that your new defense system sucks.”
I am quite certain that you, as the CEO, CFO, or ‘money guy’ in your company, have heard something like this quote (by the fictional General Beringer in the movie WarGames) from your security geeks. Followed by a request for more budget to buy the latest NGFW or some such.
The request may be driven by a need to gain peer respect with the latest gizmos. Or it may be driven by the need to upgrade an important piece in the overall security puzzle.
Do you know which it is? Moreover, do you need to know how this request aligns with your business risks and the security needs they present?
Organizations, their operations, IT systems and ecosystems are increasing in complexity. And the pace of the changes driving this is accelerating. The end result is that cybersecurity today is so complex an entity that a multi-dimensional and holistic approach is required.
What you really need is to understand how you can best calibrate your security investments with your business (or operations) risks. In cybersecurity, as in all other areas of investment, you get what you pay for. If you overestimate your risk levels, you will be investing in security until the cows come home. If you underestimate your security risks, your protection will be too light.
Think of your home; do you live in a hermetically sealed vault underground and drink only filtered water? Or do you leave for work with your windows open and your door held shut by a broom instead of a lock?
On the surface, the process is perhaps obvious. Map out the security-related organizational and business risks you are facing. Evaluate those risks: how likely are they to materialize, and how big an impact would they have on your operations, short and long term? As noted by my esteemed colleague and expert Jari Pirhonen, security investments need to have solid grounds, and be optimized. No isolated point-solution or product-based, solution-on-top-of-solution approaches, but right-sized investments based on business risks.
To cite another colleague, Timo Ahomäki used the GDPR as an example in a recent blog post. Many smaller companies have very likely decided to postpone the regulatory upgrading of their systems. The reason is, if I am a small barber shop, what are the odds of me being raided by the privacy police?
“Let him who hath understanding reckon the number of the beast” – the beast in this case being security investments. You, as the finance decision maker of your organization, need to have the understanding of these risk numbers. Have a full view, demand to have a full view, into your security risks. Understand them, balance them against your operations, and invest accordingly and wisely. Not too little, not too much.
As a first step, reach out to your CISO or CIO for a chat on this topic. As a second step, if you need further assistance from a trusted third party, reach out to me or any one of my colleagues in Tieto Security Services.
Head of Tieto Security Services