A recent survey conducted by Accenture revealed that 80 percent of Australian businesses believe their cybersecurity investments are failing. This shouldn’t be too big a shock: organisations have felt for a long time that their cybersecurity technology isn’t up to scratch, and in many cases this isn’t an exaggeration. There are fundamental problems with the way that many organisations approach and measure cybersecurity, and those problems are being compounded by new cloud services and third-party networks that fragment the hybrid environment and, more recently, by the move to remote working, which has expanded the attack surface.
The problem with ROI
For organisations to claim that their cybersecurity strategies are failing, they first need an idea of what success looks like. If they measure the success of their cybersecurity programme with the same metrics they use for other parts of the business, such as sales, marketing or customer service, they will end up with a distorted picture.
ROI is a legitimate concern for all businesses. Any outlay, whether big or small, is made with the understanding that it will eventually pay off. As the need for cybersecurity investment increases – 62% of firms have said that they plan to increase cybersecurity spending in 2020 – businesses will naturally want to see a return on those investments.
Cybersecurity tools do deliver a return on investment, but it is difficult to measure. Their financial value lies largely in the fines, ransoms and breach costs that the business has not been subjected to. The failure of a cybersecurity tool is obvious when a business falls victim to an attack, but the success of a preventative measure goes unnoticed, because nothing happens. A successful cybersecurity programme is a silent one.
Investing in technology alone will lead to failure
While this may sound antithetical to fiscal-minded leaders, cybersecurity success shouldn’t be defined by ROI. This foundational mindset needs to inform the motivation behind every cybersecurity investment. Businesses need to stop buying technology that solves one specific cybersecurity issue: investing in an isolated solution and expecting it to cure their security problems while also delivering on profitability is a strategy that is doomed to fail. Decisions instead need to centre on technology that integrates with the wider security ecosystem, so that it can provide focused protection while also addressing the organisation’s overarching cybersecurity needs.
Organisations that invest in technology rather than processes are constantly chasing their tails. The short lifespan of development and technology stack cycles is a key factor behind the failure of many cybersecurity programmes, because the environment keeps changing underneath the tools bought to protect it. Look at cloud services: even two years ago they hadn’t attracted anywhere near the attention they attract today. Now cloud adoption has happened so rapidly that everyone is already moving on to pushing these services and their associated cloud workloads into applications. This alone has brought about a whole new breed of cybersecurity issues.
If an organisation still chooses simply to invest in point products to address these problems, it will find itself stuck in a never-ending cycle, unable to achieve the level of security it needs. And by the time a point product is installed, usually after a long wait for it to be deployed into production, it may already be out of date. This short-term approach to fixing cybersecurity pains will only ever lead to failure, both in delivering ROI and in better securing the organisation as a whole.
Build success by creating a security ecosystem
By switching from reactive investment in point products to the development of a scalable and sustainable cybersecurity ecosystem, organisations will be better positioned for success. Developing effective processes is much harder than making quick-fire technology investments, but when security teams can achieve visibility over their entire hybrid infrastructure, introduce automation that frees up resources to secure new digital transformation initiatives, and actively remediate their most exposed vulnerabilities, they will have created a fully integrated cybersecurity programme that is demonstrably successful.
If silence is the measure of cybersecurity success, then noise (attacks, exploits, panic) is the hallmark of failure. The security team’s job is to keep that noise down so that it never reaches the boardroom. It is also their responsibility to communicate how well they are performing at keeping out threats, and to demonstrate success by supporting the business’s wider digital transformation goals.
It’s impossible to achieve a fully secured environment. But getting to a stage where longer-term strategic investments can be made that prevent future spend, reduce the need for unnecessary additional point products, improve security posture and even, indirectly, increase ROI is fully possible, completely achievable and wholly necessary.
- This article was written by Uri Levy, vice president of business development at Skybox Security, where he leads strategic business initiatives with key partners including global OEMs, large service providers, MSSPs and cloud providers. He has served in various roles at Skybox and has been instrumental in developing business in key markets. Over the last decade, Levy has built and managed leading network security integrators such as CA and NetCom Systems, consistently achieving sustained growth and brand leadership for their products and services. He also served as vice president of sales and marketing at Xpert Integrated Systems. Levy earned his BSc in computer science from the Interdisciplinary Centre in Herzliya and an executive MBA from Tel Aviv University.
- This promoted content was paid for by the party concerned