Enterprises are investing more in cybersecurity than ever before, but we’re also seeing a record number of breaches. More than 5.1 billion pieces of personal information were reported stolen last year, and the average cost of a breach has climbed to $4.35 million.
Have the threat actors really become that good? Or is this a business failing?
It can’t be denied that cyber criminals have become more organized, and more advanced tools and tactics are increasingly accessible. But the real reason all those billions of dollars aren’t making an impact on the number of breaches is that, often, the money isn’t being spent in the right way.
There is a huge market of quality solutions out there looking to solve cybersecurity problems, but simply throwing cash at them ultimately won’t make a difference in security standing. Solutions must be properly implemented to really help solve the problem.
This is where the concept of operationalizing security comes in.
Tying security to core business foundations
Every business needs to deliver on several core foundations to be successful.
This includes the business culture – the set of values that brings everyone together and makes them want to work there – and the accountability each person has for their role.
Then there are the processes of the business’ operations, and the resources that enable them – all increasingly facilitated by automation. And finally, all business activity needs to produce measurable outputs.
All of this comes together to form the organization’s strategy – the North Star that gives it purpose and defines its direction.
Cybersecurity is a unique proposition as it ties into every one of these core foundations. Ultimately then, no security strategy can succeed unless it has those elements in place.
Bringing cybersecurity in line with business metrics
The first step toward operationalizing cybersecurity is to start thinking of it just like any other business investment. There is an unfortunate tendency for cyber spending to be almost random, with no target in mind. Naturally, this also means there is little in the way of effective measurement on performance and results.
It’s hard to imagine any other business element functioning in this way, especially with a perpetual spending increase.
Imagine a sales director asking to double their team’s headcount, but a year later this investment hasn’t led to any increase in revenue. Most firms would promptly show the sales director the door.
Yet when it comes to cybersecurity, most companies will continue to pump money into new solutions without a clear idea of whether their security posture has improved. Indeed, many organizations lack the meaningful metrics to gauge whether their investments are showing any returns at all.
So, measurement must be a top priority for operationalizing security. The metrics to achieve this need to be focused on reducing risk. Firms need to have a solid idea of what they are trying to protect with each security element they budget for, and why.
Enterprises need to identify what business functions would be most impacted by a breach, and the effect such an incident would have on business operations. Based on this understanding, firms can work backwards and construct a security strategy geared around mitigating these high priority risks.
For other business elements, enterprises know which levers to adjust when it’s apparent an element of their operation will make a loss. Some risks you mitigate, some you accept, and some you transfer – and this same thought process needs to be applied to cybersecurity.
Culture and accountability are key
As firms build awareness of their cyber risk priorities, they should also become familiar with their maturity levels. This isn’t a single measurement, but rather applies to each of those core foundations – culture, accountability, processes, resources, automation, and measurement.
A business can be more mature in its application of cyber risk in one area than it is another. Perhaps it has established successful automation but lacks accountability. Or vice versa.
While some business aspects are easier to define, others are more nebulous. Culture is often a somewhat vague notion in the context of security, and accountability is likewise often undefined outside of specific security roles.
A useful approach here is to establish the various personas that have a stake in security across the organization and create a cultural scorecard for each. More important stakeholders such as the executive leadership should have a higher maturity level, while it’s not as important for the more general workforce. If it’s apparent that a department is below the level of maturity and accountability you need, it’s time to start implementing measures such as training to improve things.
Adapting business culture is never a quick fix, so firms should expect this to be a gradual process that takes at least 12-18 months.
At the same time, businesses can start implementing solid metrics to effectively track the return on investment (ROI) of their solutions. Security key performance indicators (KPIs) should be firmly tied to business impact in a way that non-technical leadership and stakeholders can relate to.
Mean time to resolve (MTTR) is one of the most useful examples. In a cyber context, it means the time between identifying a threat or vulnerability and closing it. But it’s also well understood in a broader context for other business issues.
Breaking out of the cybersecurity spending loop
It’s become very apparent that skyrocketing cybersecurity spending is not enough in the face of equally skyrocketing security risk. This approach is unsustainable – especially as business technology itself has swiftly transformed in the last few years with factors like cloud migration and remote working.
To paraphrase Einstein: We can’t solve problems by using the same kind of thinking we used when we created them.
Rather than simply increasing their budgets for yet another year, enterprises need to take a step back and start operationalizing their security. By tracing cybersecurity’s connections to their core business foundations, firms can begin ensuring that their investments are delivering real results in reducing their risk exposure.