Oct 05 2015

How Much Cybersecurity Do You Need?

With data breaches going public daily and an endless amount of threats being present to nearly every organization, executives are left looking for answers. Can you defend against every threat to your organization? More importantly, is it possible to identify them all on a continual basis? The truth is that you don’t defend against every single threat. You can’t even try or it would burn a hole in the organizations budget faster than you can imagine.

In order to be effective, information security needs to be intrinsic to your corporate strategy. Risks need to be managed consistently with that corporate strategy, and tough decisions will need to be made in mitigating identified vulnerabilities.

Let’s take a quick look at the four different ways executives can handle risks:

  • Transfer – An attempt to offload a portion of the risk (Insurance, Hosted Services, etc.)
  • Avoid – Removing the asset or business function the risk originated from
  • Reduce – Implementing a mitigation strategy to reduce the level of risk
  • Accept – The informed decision to accept the risk based on extensive analysis

Each risk should be analyzed individually before one of these four decisions is made. Often times the cost of impact verses the cost of mitigation plays a large role in the decision making process. With that being said, a lot of time and effort should go into the decisions being made regarding risks in order to ensure they are the right ones. If you haven’t heard the statement before, companies have to get security right every time – an attacker only has to get it right once.

Bringing cybersecurity into your corporate strategy requires great leadership and a mature methodology of assessing one’s risk. Marketing, sales, cybersecurity and more should be built to support the primary strategy, rather than standing alone. Risk management needs to be a top-down approach for all areas of the business in order to address vulnerabilities.

What is an effective approach to this problem? Ask your CISO?

An effective approach to determining the amount of cybersecurity needed within your organization should start with a high level of expertise AND experience. Cybersecurity companies and Chief Information Security Officer (CISO) leadership can be found through either internal acquisitions or a consultative approach (aka on-demand CISO services). A strong working relationship between your cybersecurity firm and senior management will almost always drive the risk management plan towards exceptional results. If you don’t have a CISO, or don’t know how you’d utilize one full-time, don’t hire one yet. Instead bring in a cybersecurity firm that can help scope your risk and determine a balanced, affordable solution.