By Chris Clements, Vice President of Solutions Architecture, CISO Global, Inc.
Over the last two years, digital transformation has accelerated at breakneck speed, opening new lines of business that meet user demand. Reality is, online banking, order-ahead meals, telehealth appointments, and online grocery shopping are no longer optional. Users expect these to be available 24/7, so any business that wants to compete and values customer loyalty needs to digitize its services as much as possible. However, as any security expert can tell you, digital channels do more than improve user experience—they may also introduce cyber risks big enough to potentially shut down operations and eat into profits. So, investing in cybersecurity program should be just as crucial to your business strategy as investing in new digital revenue channels. At the same time, it’s no secret that some cybersecurity initiatives can be much more costly than others. Given this how do you answer executives and boards who want to know what they’re getting for their money?
In a perfect world, everyone would have well rounded investments in all areas of cybersecurity, but business realities often dictate that tradeoffs must be made. The concept of “Min-Maxing”, or prioritizing limited resources in a goal-oriented way by putting big investments in the highest return initiatives and looking for ways to achieve minimum viable protections in others can help deliver results even when times are lean financially. As opposed to spreading scarce resources thinly but evenly and arriving at a situation where none are very effective, the min-max approach takes a strategic approach to accomplishing your cybersecurity goals. While it would be great to have the latest shiny next-gen, AI powered widget, it’s possible that better results can be had from investing in lower cost if higher effort initiatives such as proactively system hardening and architectural segmentation, or forgoing building an internal Security Operations Center (SOC) to respond 24/7 and instead investing much less into an outsourced fractional SOC as a Service. To decide which are most important for you, consider these three key business opportunities for your cybersecurity program:
Maxing Part 1: Increase Top Line Revenue
Introducing new offerings, lines of business, or simply launching new digital versions of existing ones is an opportunity to generate more revenue by reaching more customers more efficiently, but they can be completely derailed by cybersecurity attacks. It’s generally true that despite the best laid plans, new launches have unavoidable immaturity and growing pains. These can come from usability issues, unexpected scalability challenges, but especially from cybersecurity threats. A breach that exposes customers’ information can quickly sour them on new services, and attacks that cause outages keep them from generating business at all. Focusing on cybersecurity readiness pre-launch with risk assessments, code reviews, and penetration testing can dramatically reduce the potential that your new revenue source turns into a cost center overnight.
Maxing Part 2: Preserve Existing Lines of Revenue
It’s simple math: as long as your systems aren’t shut down by ransomware or leaking customer data to the dark web, they can continue to generate revenue. Whether you’ve rolled out a digital shopping apps, a fintech, online payment interface, or even a remote management software (RMM) that speeds up IT support for vital business units, ROI from functioning revenue generation channels is self-evident. You get to continue doing business digitally, and digital business makes money. If any of these applications becomes an avenue for attack, associated revenue generation ceases. Protecting yourself with a vendor management program, security monitoring, and other compensating security controls helps ensure your ability to keep making money.
Min-ing Part 3: Decrease Bottom Line Expenditures
- Security After the Fact Is More Expensive
The most expensive way to “do” cybersecurity is to try to lock down an environment that was built with only functionality in mind. The reason for this is that digital function and collaboration, if built in a vacuum, are best enabled by open platforms built for maximum user access and speed, without the “slow-down” of security-related processes such as “patching Tuesdays,” complex logins, access compartmentalization, etc.
Conveniently for attackers, open access also means your system is wide open for them to launch an undetected attack that can bilk your organization for millions of dollars, or level a show-stopping attack just for the fun of it, or worst-case scenario, shut you down for good. Inevitably, you will either experience a hack that convinces you—it’s when, not if your company will be attacked—or if you’re lucky, an expert will explain to you before you are hacked, that you need to go back and reconfigure your network to lock down those systems.
- Course Corrections Are Costly
Not surprisingly, course correcting is far more expensive than designing your system with built-in security from the beginning. Course corrections cause productivity slow-downs and often mean hiring outside consultation and/or investing in new technologies.
- Why not just design your systems to be secure from day one?
Always make cybersecurity a part of your system designs and updates, but with minimal friction to operations. Including cybersecurity experts in user-centric, security-first, design thinking alongside business, IT, and compliance leaders will help ensure the proper approach to “security that works”. A 2023 report from Gartner encourages:
Through the implementation of human-centric design, security programs become adaptable and woven into the digital design of organizations. This can initiate a virtuous cycle of risk-aware decision making between cybersecurity professionals, operators, and developers of IT systems, and the business users driving requirements, as each team increases awareness and sensitivity to each other’s design considerations.
- Take Care of Your IT-Security Teams, but Plan for Churn
These Jobs Are Really, Really Stressful
Amid the Great Resignation, IT and cybersecurity teams are among those taking serious hits. Even technology companies are cutting back on “nonessential staff” during an economic downturn and impending recession.
But when it comes to technology, do you really have nonessential staff? Even pre-pandemic Forbes noted that 1 in 6 CISOs was turning to alcohol or medication to help take the edge off of stress, because it’s such a mentally taxing role. How much more prevalent is this reality in 2023? Cybersecurity leaders know that cyberattacks are inevitable, yet 33% of those polled said that they’d be blamed and potentially fired if their organization experienced a major attack.
Now, consider how understaffed these teams are, even more so after ongoing cutbacks and resignations. The result? By 2025, nearly half of cybersecurity leaders will change jobs, with 25% of them leaving cybersecurity completely due to work-related stress (Gartner, 2023). This isn’t doing much to mitigate ongoing workforce and talent gaps.
Make sure you treat your IT and security teams well, because they have no shortage of job openings in a market where there is literally a ZERO unemployment rate for cybersecurity experts.
Consider Partial Outsourcing to Prevent Turnover Losses
CISO Global serves clients of all sizes, many of whom have full cybersecurity and IT teams but retain us to help them mitigate the reality of turnover at the top. As one CISO client puts it,
I train my teams to work on customary platforms we’ve built, or other nuanced systems we need to run our health tech business, but managing the rest of our network takes expertise too. If I lose someone, it’s months of slowdowns before I can hire a new person, then train them and get them up to speed. With CISO managing part of my network, I have zero disruptions in those areas. If someone on their team gets sick or is out of the office, they can just grab the next person to handle a task, because whole teams are familiar with my environment. I experience zero slowdown no matter what happens. Same thing with our security teams…
CISO helps me mitigate the risks and costs associated with churn, and my whole environment is secure by design, managed by cybersecurity experts.
If you have a question or would like to talk to an expert about min-maxing your cybersecurity program, please reach out to us here. We’re ready to help!