Amid political headwinds and economic uncertainty, we are in a challenging time for business. The economy is affected by the combination of persistently high inflation and limited GDP growth. Meanwhile, supply chains are being disrupted by international conflicts (e.g. Ukraine, Gaza and the Houthi uprising) and the ongoing impact of Brexit. And so companies are pulled in multiple directions due to economic pressure and uncertainty – the two things they hate most. Because of these challenges, it’s safe to say we are experiencing a cost of doing business crisis.
This crisis has left cybersecurity teams facing pushback from decision makers on new investments. Because instability causes spending decisions to be postponed, they are confronted for the first time with cuts ‘in real terms’ or even actual cuts. This forces them to be as agile as possible to continue to respond to the evolving security landscape, as classic market forces – the evolving threat landscape, increasing digital transformation, increasing regulatory reforms and the ongoing skills shortage – mean that security teams are being asked to deliver more with less. So the knee-jerk reaction of ‘salami cutting’ costs, let alone doing nothing at all, is simply not an option.
Maintaining an appropriate level of security and finding a way to continue protecting the business will be an uphill battle. Security leaders must find new ways to demonstrate the value of the investment decisions they pursue.
British product manager Orange Cyberdefense.
Security as a topic for enterprise risk management
Any organization that fails to protect its sensitive digital assets against today’s increasingly sophisticated cyber threats will pay a high price. According to our recent Security Navigator report, there was a 46% global increase in cyber-attack victims by 2023.
A major contributor to this is the tendency for companies to view security merely as a checkbox on their compliance list, rather than addressing it as part of a broader (and consistent) enterprise risk management strategy. This implies a lack of communication, with the C-suite not fully understanding how security delivers value across the organization.
However, cyber resilience must start in the boardroom, with organizations closely aligning cyber security with their business objectives. Achieving this will require better collaboration between CISOs, security teams and the broader leadership team to understand internal security needs and how they can support business goals by defending the most important assets and maintaining ‘business as usual’ in case of attacks.
Therefore, board meetings should regularly address security as a topic of enterprise risk management, emphasizing the importance of partnerships and collaboration between the board and security teams. Security teams can do this by ensuring they understand their business leaders’ risk management strategy, working to quantify the security risk they face, and presenting security decisions in terms that help the board frame this security risk in light of its risk appetite. This will enable security experts to advise on how to most strategically allocate budgets and enable open discussions about the inherent risk versus cost challenges posed by potential cyber incidents.
Always relate to the business strategy
Our research also shows that large enterprises were responsible for 40% of security incidents last year. With more stakeholders, these organizations often struggle to take on multiple perspectives, which can make the alignment between business operations and security more difficult. Security leaders must focus their activities and investments on the most critical risks that are most contextually relevant. Otherwise, they risk boiling the ocean, reducing the impact of their purchasing power by diluting focus.
A lack of business focus on security strategy can cause organizations to miss out on adopting new tools and technologies that could provide a competitive advantage. For example, at our annual Summit in November, an informal conversation between partners and customers revealed that only about a quarter of security leaders in attendance had enabled ChatGPT for their staff, while the remainder indicated it was blocked for security reasons. Companies that can find a way for security teams to safely enable such technologies will reap the benefits and give themselves an edge over their competitors.
To overcome this problem, security teams must learn how to “do business with the business.” This means understanding what the wider business is struggling with and, crucially, being able to explain how security can support it. To achieve this, it is crucial to make new tools ‘secure by design’, as solutions that both improve security and maintain usability can help gain a competitive advantage. However, this depends on security teams being involved in new projects from the start so they can demonstrate their value to business initiatives.
Unfortunately, this is in stark contrast to the traditional situation where security is introduced at the end and/or as an afterthought and is seen by the rest of the business as a ‘blocker’ that delays or dilutes the value of such projects. By helping business leaders think creatively about how financial, security and business strategies align, security teams can help drive the corporate agenda.
Automation to the rescue
However, this level of collaboration with the wider business community can be time-consuming for security teams, who are also trying to maintain appropriate defenses and respond to threats. One way to address this is by optimizing security operations and using automation so they can spend time on more meaningful tasks without taking their foot off the accelerator.
While each procedure is important, security teams must reassess how they prioritize their time and how they handle mundane tasks to free up – or “create” – capacity. Done well, this can improve security metrics, minimize incident response times and therefore reduce risk exposure, while creating more time to work more closely with business leaders to communicate the importance of their role.
Ultimately, security should be part of the answer and not part of the problem when it comes to overcoming the ‘cost of doing business’. By freeing up resources through automation, security teams can build a more strategic role in the boardroom and forge closer ties with business leaders to proactively address vulnerabilities and unlock a competitive advantage.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro