Organisations cannot spend their way out of cyber risk

This is a contributed piece by Dave Polton, Chief Security Architect at NTT Security

Too many organisations are spending more on cybersecurity measures without experiencing the benefits of increased cyber confidence or capability. We are continuing to see budgets being sucked up on supporting a sprawl of technologies that are sadly leaving organisations with inflexible information security architectures that deliver little return on investment. 

The problem is that many organisations are simply trapped in a cycle of compromise when it comes to cybersecurity. Despite having a clear security strategy and investing in technology that has taken them from passive threat response to a more active approach, they remain unable to deliver greater business value and drive continuous performance improvement.


Technology challenges

No business can afford to stand still and effective cybersecurity is no different. However, understanding new approaches and evaluating, implementing and maintaining the latest innovative technology solutions can be difficult. There are three main challenges.

Firstly, it is impossible for a business to align and adapt information security decisions with its objectives unless there is proper executive awareness and engagement in structured, regular and ongoing conversations about risk. Focused investment in what really matters to each individual organisation is the only way forward for effective cybersecurity. Those that are joined up in agreeing strategic priorities and performance measures elevate the conversation about cyber risk from an appeal for technology budget to an informed, fact-based business discussion with stakeholders taking part in strategic decision making.

Secondly, security architectures have traditionally evolved piecemeal, reacting to the evolving threat landscape or compliance requirements. The result is disparate technologies that do not continuously adapt to new threats or integrate innovative approaches for taking corrective action. Whether due to a lack of resources or technical know-how, many organisations are unable to maximise the functionality of their technology assets, which all too often leads to duplicated investment or missed opportunities. Adding even more confusion, the sheer number of cyber data sources now available to businesses makes it hard to evaluate and convert the right data into something meaningful for the business.

Thirdly, organisations often lack the external insight and benchmarking required for continuous performance improvement. As well as setting metrics against which business stakeholders can measure performance, organisations need to establish how their cyber capability stacks up in their industry and beyond. This gives them a baseline for strategic investment and improvement; however, resourcing constraints can make this challenging. Security specialists are torn between strategic and tactical activities and, unsurprisingly, they find it difficult to move easily between the conflicting roles of predictive analyst and the core tactical, compliance and operational work of the security lifecycle.


A change in approach

Achieving a central, consistent contextual view of cyber risk is paramount, but it can’t be achieved out of the box. Modern businesses operate in complex IT environments, and getting to grips with the data produced by numerous platforms, systems, and devices – and turning it into insights and actionable metrics – takes more than technology alone.

Organisations can only overcome these challenges by bringing people, process and technology together within a resilient cyber defence architecture that not only transforms their cyber capability and confidence but also demonstrates clear value to the business.

Information security professionals need to think differently about how to achieve the best cost versus risk benefit for their organisations. This means focusing on a core architecture that delivers continuous performance improvement, which will allow them to better align the way they predict, prevent, detect and respond to threats.

For organisations that want to change their approach to cybersecurity, achieving a resilient cyber defence capability can appear to be a long and difficult journey – especially when they are expected to maintain business as usual. It needn’t be though. In summary, there are five steps organisations can take to make this transition:

  1. Establish a resilient cyber defence architecture in line with business objectives.
  2. Engage all relevant stakeholders to agree performance metrics and analytics.
  3. Review existing technology investments against resilient cyber defence capability to identify areas of little, low or over investment.
  4. Review existing security teams against the capability areas to understand where your skill sets need investment.
  5. Create processes that ensure information and intelligence sharing between all aspects of the model and regular governance and review points to drive continuous improvement.

Only by establishing a resilient cyber security architecture that is responsive to continual business change, the hostile threat landscape and the demands of evolving compliance can organisations take advantage of new business opportunities without compromise.
