Money thrown at cybersecurity without a well-identified prioritization of risks versus benefits is a waste of time and resources.
By: Michael Meline (Cyber Self-Defense CEO) & Julie Stewart
Do you say, or hear, this expression? “Being a steward of the company's money, I cannot keep throwing money unnecessarily into the pit of cybersecurity!”
The blog “CyberSecurity Enabling the Business – Ditch the Checkbox Approach” explains the concept of running a risk-based program that handles both security and compliance. The main reason for recommending that approach is the desire both to fully understand costs and to eliminate unnecessary spending on the “pit of cybersecurity”.
CyberSecurity | Risk Based Approach
This risk-based program is built on the risk assessment and the risks it identifies and prioritizes. A proper assessment delivers a “heat map” (conventionally plotting the likelihood of each risk against its impact) showing the degree of risk in each area. The program then supports a comprehensive discussion of the risks, from high to low, alongside the cost of addressing each one. This process lets the company reach an appropriate level of security while managing cost and time expectations.
Often a very expensive tool or piece of equipment is in use, or perhaps not even in use, and is providing little or no value, while a high-risk category is being largely ignored. The only way to make sure this is not happening is to create the risk-based program and actually follow its process.
CyberSecurity | Manage the Risk without Breaking the Bank
Security and compliance failures are business risks like any other. Using the risk assessment and the heat map prioritization of risks, a company can clearly balance rewards and penalties against its needs and objectives. This approach brings the additional resource benefits of:
- Saving your sales team hours of trouble in answering multi-page vendor assessments.
- Enabling a frank conversation between you and your customers about the value of your security controls; this conversation is becoming more and more frequent.
- Ensuring that your employees understand the program requirements and are active participants in the program. If they are active participants, they can drive success and identify better and more efficient ways to manage and run the program before a security incident occurs.
- Providing clear information to stakeholders. From the investors to the Board of Directors to the most junior member of the team, everyone should have a stake in your security program. Creating a communication channel for risk identification and training is critical. An established communication process allows for sound decision making rather than impulsive responses. Communication changes from “We are going to get hacked” to “Server X has not been updated in xx days, creating a moderate risk that an external entity or malicious software may gain access to the data on it.” Communication this specific ensures that the cybersecurity program is aiding the success of the business and that the cost associated with each risk is well understood.
Money thrown at cybersecurity without a well-identified prioritization of risks versus benefits is a waste of time and resources. Implementing the risk-based approach allows for proper, benefit-based expenditure and gives full transparency of spending.