Cloud Hosting

Gartner projects that spending oninformation security and risk managementproducts and services will grow 11.3% to reach more than $188.3 billion this year. But despite those expenditures, there have already been at least 13 major data breaches, including at Apple, Meta and Twitter.

To better focus security spend, some chief information security officers (CISOs) are shifting their risk assessments from IT systems to the data, applications, and processes that keep the business going.

If you look at security from a purely technical perspective, its easy to get lost in, `I need to have this shiny object because everyone else has it, says David Christensen, VP and CISO at benefits administration software provider PlanSource. The reality is often the most popular or well-known new security solution can waste money and slow the business, especially if it doesnt align with business goals. And even if it helps secure one part of the business, it may not be the part of the business or business process that creates the most risk or is most important.

Don Pecha, CISO at managed services provider FNTS, agrees, adding: Each business unit of the company might have unique considerations, and unique compliance, regulatory, or privacy applications, and each business may have unique risks for the board or C-suite to consider.

Frank Kim, CISO-in-residence at venture capital firm YL Ventures, and fellow at the SANS Institute, cites the case of one CISO who was fired after suggesting costly endpoint detection, and response and incident response programs considered not stage appropriate for such a startup. Their focus was on survival and revenue growth, Kim says. He didnt realize his job was not just to suggest a bunch of new security capabilities, but business enablement.

Aligning security with the business goes beyond traditional methods of justifying security spend, such as warning of consequences from hacks or trying to prove ROI. For internal enterprise security teams, Kim says to accept that security is a cost center and demonstrate how the CISO manages total cost of ownership over time. This might include updating CFOs and CEOs on specific cost reduction, such as reducing spend with a security vendor, finding a less expensive product to fill a security need, or improving internal metrics such as the average cost to mitigate a vulnerability, adds Tyson Kopczynski,SVP and CISO at financial services provider Oportun.

Christensen further suggests explaining how security can cut costs or increase productivity. For example, he says, web application firewalls dont only protect applications but cut networking costs by reducing spurious and malicious traffic. Also, adopting zero-trust architecture and secure access service edge technologies can help boost productivity by freeing users from manually deploying virtual private networks to access resources or interrupt meetings when their VPN fails.

Kopczynski adds that CISOs can uncover such improvements with questions such as whether their organization is using all the functions in a security tool, if those features overlap with other tools, and whether the organization is paying too much for licenses or for too many licenses. Ways to maximize value include considering tools that perform multiple security functions, or running penetration tests, attack simulations, or offensive security campaigns that prove a tool can repel high impact attacks, he says. For example, he uses the Titaniam encryption engine to support several data protection use cases, as well as security tools provided by cloud providers such as Amazon and Microsoft. We also look at generic cloud security solutions that provide multiple sets of protections, versus addressing one particular use case, he says.

At global marketing agency and consulting firm The Channel Company, security considerations are deeply embedded in business strategy and budgeting, says CIO Rik Wright. This ranges from the need to meet the European Unions GDPR to complying with security requirements from customers.

Averting threats is also part of the security value equation at the firm, which uses managed services provider GreenPages both for infrastructure and to help meet its security needs. Wright says hes seen some companies spend potentially business threatening amounts up to $20 million after a ransomware attack, so preventing such losses, he says, represents very real value.

Aligning security spend with business needs starts with understanding what is most important to business managers.

Kim recommends using a risk = impact x likelihood formula, and understanding on a scale of 1 to 10 what your most important processes and assets are. Your financial data might be a 10 but your HR data might be a seven as its not a business differentiator, he says. Just using a simple scoring rubric to your risk calculation helps to bubble up what the priorities are.

Besides business, Christensen says CISOs must also consult IT to understand the administrative burden a new security technology might impose, and all the areas in which a security tool could be used to maximize its value. He uses the Secure Web Gateway from dope.security to not only control access, but to understand what information and Web sites users are accessing, and the potential risks they expose the business to.

Industry standard frameworks can also provide a common language and structure for risk assessment, like the NIST (National Institute of Standards and Technology) cybersecurity framework. Its simple enough that its not necessary to be a security practitioner to understand it, but it models your maturity and helps to relate that to business stakeholders, says Christensen, adding its also based on industry standards rather than the CISOs opinions, and is continually updated to reflect new risks.

Different security frameworks are best for different industries, says Pecha. If Im in government, Im going to align with NIST, he says. If youre a global business, use the ISO/IEC27000 family of standards. Its not necessary to be certified, but be compliant and understand what the controls are in order to understand your partners security needs as well as your own.

Scott Reynolds, senior security and network engineering manager for manufacturer Johns Manville, uses the ISA/IEC 62443 standard to create a common understanding between business managers, security experts and suppliers about common terms such as the zones of assets that share common security needs. This process also shows we agree on the same level of risk for the entire zone, and not just each asset in the zone, he says. The weakest link in the zone will impact all the assets within it.

Over at media creation and editing technology provider Avid Technology, Dmitriy Sokolovskiy, its CISO and CSO, uses NISTs Cybersecurity Framework to measure the maturity of his security processes, and the Center for Internet Securitys top security controls for specific tactical guidance,which, he says, highlight, low-hanging fruit that businesses can easily address in their infrastructure.

Several CISOs were skeptical about using benchmarks to compare their security spend with others. Thats because, they say, companies may define security spend differently or have different needs. They also say benchmarks often dont describe how and why organizations allocate their security budgets. As a result, they use benchmarks as a rough guide to budgeting, relying primarily on their own risk assessments.

But Kim warns CISOs against refusing C-level requests for benchmarking. Its not unreasonable to ask for a benchmark, he says. A chief financial officer couldnt say, We cant compare our earnings-per-share with others in the industry. Provide benchmarks, he says, but as one part of a wider explanation of how your security spend compares with others, the challenges the organization faces, and how youre reducing the total cost of ownership of security over time.

CISOs should describe current threats and attacks, says Pecha, and supply alternatives to remediate them. Its then up to the board and the C-suite to decide whats acceptable and what needs to be done to manage the overall risk to the business, he says, because only they have the clout to drive change.

Insisting a business executive formally accept a business risk, even in writing, often convinces them to agree instead to the proposed security spend. When Sokolovskiy has insisted such signoff, Without fail, so far the business unit was actually driven to lower the risk themselves because they own it, he says.

A business-focused approach can also spur efforts by security and business teams to identify opportunities to increase efficiency and save money, says Christensen, such as by eliminating redundant systems and processes. With business alignment, you have no choice but to find unique and innovative ways to solve problems that are generated by how the business operates, he says.

Read more:
Why IT leaders are putting more business spin on security spend - CIO