Commencing with strategy and scope,
Security assessment will bring hope.
With impact and projections calculated,
Justification to the board will be validated.
Have you struggled to articulate the Return on Investment (ROI) of cyber security to the board? If so, you’re not alone. If you think GDPR is enough of a justification on its own, think again. This 4-part article is intended to help you justify security investment to protect your organisation in 2019. I will suggest how you can make your case for the investment you need, and the key factors the board will be looking for in that case. Remember, it is crucial for security leaders not only to show the business value of security, but to express it in an articulate and compelling manner. I have planned for all four parts to be published as the new year commences, so you will be ready to engage the board from day 1 of 2019.
Those working closely with cyber security know that no organisation is 100% secure. If you have not yet suffered a security breach, data leak, malware infection, Denial of Service attack or other security incident, then congratulations! But a clean record can actually weaken your case for investment: without a recent incident, the board has no tangible reminder of what getting it wrong costs. It must be understood that continued investment is necessary regardless.
We face a constant battle in today’s mobile, always-connected world, and the threat landscape keeps growing. Data breaches continue to hit the headlines, and GDPR has piled on the pressure to get security right. Considering this, shouldn’t the board be throwing money at security? Perhaps. But in a delicate economic climate, cut-backs are being made and adequate security spend remains a challenge to secure.
In an ideal world, security spend would be proportionate to the expected cost of a security breach, including the resulting response, recovery and business continuity activities. But if you’re like most businesses, you won’t have a large security team available, and external security experts will be required. According to IBM’s 2018 Cost of a Data Breach study, the average cost of a data breach is $3.86 million, or an average of $148 per lost or stolen record.
Step 1: Assess & Prioritise Risks
To justify the investment in security, you must assess and prioritise your organisation’s risks.
Risk cannot be completely eliminated, only reduced: each risk is either mitigated with controls, transferred (for example through insurance), avoided or consciously accepted. Security professionals will need to determine which risks are adequately addressed by current controls, where the remaining security gaps lie, whether risks are correctly prioritised, and the level of residual risk exposure.
This is accomplished via a risk assessment. The process may appear complex, but keeping it simple is key. It involves identifying the assets, the vulnerabilities and threats that affect them, the resulting risk scenarios, the likelihood of each occurring, and the potential impact. Likelihood and impact together allow each risk to be quantified for the board. By accurately assessing your organisation’s risks, you will be able to prepare a roadmap for closing the critical security gaps and build a coherent argument for security investment.
The process of a risk assessment involves security professionals carrying out the following stages:
- Scope: The scope of the assessment, the network/infrastructure layout and the assets in play are determined. This is achieved through high-level risk workshops, questionnaires and stakeholder interviews.
It is worth noting that your organisation’s assets are wide-ranging: they cover people, the premises, the systems, and the information those people and systems are responsible for handling. Identifying which of these assets are critical to your organisation’s existence and operation should be the starting point at this stage.
- Assessment: A risk workshop helps to identify and prioritise business risks, system vulnerabilities, threats, business impact and likelihood of occurrence. Existing security controls are then identified and assessed, followed by recommendations.
Tools such as intrusion detection systems, malware scanners and log analysers can help determine where security issues currently exist within the organisation, and firewall logs can show internal and external data flows. Having this evidence to hand is very useful in supporting security investment decisions, because it replaces assertion with observed fact.
- Presentation to the board: The findings from Part 1 to Part 4 are presented to the board, typically as a report and a presentation. In the meantime, there are still some crucial steps to advise you on!
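To make the quantification in the assessment stage concrete, here is an added worked example (mine, not part of the original article) that turns assets, threats, likelihood and impact into a prioritised risk register and tests whether a proposed control pays for itself. It uses the standard quantitative formulas: single loss expectancy (SLE = asset value × exposure factor), annualised loss expectancy (ALE = SLE × annualised rate of occurrence) and return on security investment (ROSI = (ALE saved − control cost) / control cost). Every scenario, value and control below is constructed for illustration; the only figure taken from the article is the $148 per-record cost.

```python
"""Worked risk register: quantify, prioritise and test the ROI of a control.

All scenarios, values and controls below are constructed for illustration;
they are not real assessment data.
"""
from dataclasses import dataclass

PER_RECORD_COST = 148.0  # IBM 2018 average cost per lost/stolen record (quoted above)


@dataclass
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # impact value if the asset is fully lost, in currency units
    exposure_factor: float  # fraction of asset_value lost per incident, 0..1
    aro: float              # annualised rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float       # fraction by which the control lowers likelihood
    ef_reduction: float = 0.0  # fraction by which it lowers impact per incident


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE remaining once the control is in place."""
    aro = s.aro * (1.0 - c.aro_reduction)
    ef = s.exposure_factor * (1.0 - c.ef_reduction)
    return s.asset_value * ef * aro


def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: (ALE saved - control cost) / control cost.
    A negative value means the control costs more than the loss it prevents."""
    saved = s.ale() - residual_ale(s, c)
    return (saved - c.annual_cost) / c.annual_cost


def build_register(scenarios, controls):
    """Register rows ordered by ALE, highest first; controls maps asset -> Control."""
    rows = []
    for s in sorted(scenarios, key=lambda x: x.ale(), reverse=True):
        row = {"asset": s.asset, "threat": s.threat, "ale": round(s.ale(), 2)}
        c = controls.get(s.asset)
        if c is not None:
            r = rosi(s, c)
            row.update(control=c.name,
                       residual_ale=round(residual_ale(s, c), 2),
                       rosi=round(r, 2),
                       recommendation="invest" if r > 0 else "accept or transfer")
        rows.append(row)
    return rows


# Constructed scenarios for a hypothetical organisation
SCENARIOS = [
    Scenario("customer database", "external breach", "unpatched web application",
             asset_value=20_000 * PER_RECORD_COST, exposure_factor=0.4, aro=0.2),
    Scenario("file server", "ransomware", "no offline backups, weak endpoint controls",
             asset_value=500_000, exposure_factor=0.8, aro=0.5),
    Scenario("public website", "denial of service", "no upstream DDoS mitigation",
             asset_value=150_000, exposure_factor=0.3, aro=2.0),
    Scenario("legacy print server", "compromise", "unsupported operating system",
             asset_value=5_000, exposure_factor=1.0, aro=0.1),
]

# Constructed candidate controls, keyed by the asset they protect
CONTROLS = {
    "customer database": Control("patching + database encryption", 60_000, aro_reduction=0.6),
    "file server": Control("offline backups + EDR", 40_000, aro_reduction=0.2, ef_reduction=0.75),
    "public website": Control("DDoS mitigation service", 25_000, aro_reduction=0.9),
    "legacy print server": Control("replace and harden", 3_000, aro_reduction=0.5),
}

if __name__ == "__main__":
    for row in build_register(SCENARIOS, CONTROLS):
        print(row)
```

Run as a script it prints the register from the largest annual exposure down, with the residual ALE and ROSI of each proposed control. Note the last row: the print server control has a negative ROSI, so the honest recommendation to the board is to accept or transfer that risk rather than fund it, which is exactly the kind of prioritisation a board will trust more than a request to fund everything.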
While a risk assessment is essential, it can only provide a snapshot of risk at a particular point in time. It should therefore be treated as a recurring activity, repeated at least once every two years and whenever a significant change occurs, such as a new system, an acquisition or a major incident.
For step 2 and beyond, the information will be published shortly.