Amid political headwinds and economic uncertainty, we find ourselves in a challenging time for business. The economy is being impacted by the combination of ongoing high inflation and limited GDP growth. Meanwhile, supply chains are being disrupted by international conflicts (e.g., Ukraine, Gaza and the Houthi insurgency) and the ongoing impact of Brexit. And so, businesses are being pulled in multiple directions due to economic pressures and uncertainty – the two things they hate most. Due to these challenges, it’s safe to say we are living through a ‘cost of doing business’ crisis.
This crisis has seen cybersecurity teams suffer pushback from decision-makers about new investments. With instability resulting in spending decisions being delayed, they are faced with ‘in-real-terms’ or even actual budget cuts for the first time. This is forcing them to be as agile as possible to continue responding to the evolving security landscape because the classic market drivers – the evolving threat landscape, increasing digital transformation, mounting regulatory reform and the ongoing skills shortage – mean that security teams are being asked to deliver more with less. Thus, the knee-jerk response of ‘salami-slicing’ costs, let alone not acting at all, is simply not an option.
To maintain an appropriate level of security, finding a way to continue protecting their company will therefore be an uphill battle. Security leaders must find new ways to demonstrate the value of the investment decisions they seek.
UK product manager, Orange Cyberdefense.
Security as an enterprise risk management topic
Any organization failing to protect its sensitive digital assets from today’s increasingly sophisticated cyber threats stands to pay a high price. According to our recent Security Navigator report, there was a global surge of 46% in cyberattack victims in 2023.
A significant contributor to this is the tendency of businesses to view security merely as a checkbox on their compliance list rather than addressing it as part of a broader (and consistent) enterprise risk management strategy. This implies a lack of communication, with the C-suite not fully understanding the way that security delivers value across their organization.
However, cyber resilience should start in the boardroom, with organizations aligning cybersecurity closely with their business objectives. Achieving this requires enhanced collaboration between CISOs, security and the wider leadership team to foster a deeper understanding of internal security needs and how they can support business goals by defending their most important assets and maintaining ‘business as usual’ in the face of attacks.
Executive meetings should therefore regularly address security as an enterprise risk management topic, emphasizing the significance of partnerships and collaboration between the board and security teams. They can do this by making sure that they understand the risk management strategy of their business leaders, working to quantify the security risk that they face and presenting security decisions in terms that help the board to map this security risk posture against their risk appetite. This will allow security experts to advise on how budgets could be allocated most strategically and facilitate open discussions about the inherent risk versus cost challenges posed by potential cyber incidents.
Always relate to the business strategy
Our research also found that the past year saw large enterprises account for 40% of security incidents. With more stakeholders, these organizations often suffer by trying to take multiple perspectives onboard, which can make business and security alignment more challenging. Security leaders must focus their activity and investments towards the most critical risks that are most contextually relevant. Otherwise, they risk ‘boiling the ocean’ – diminishing the impact of their spending power by diluting focus.
A lack of business focus on the security strategy can lead to organizations missing out on the adoption of new tools and technologies that could provide a competitive advantage. For example, at our annual Summit in November, an informal discussion between partners and customers found that only around a quarter of security leaders in attendance had ChatGPT enabled for staff, with the remaining citing it was blocked for security reasons. However, businesses that can find a way for security teams to enable such technologies safely will reap the rewards and put themselves ahead of their competitors.
To overcome this issue, security teams must learn how to ‘do business with the business.’ This means understanding what the wider business is struggling with and, crucially, being able to explain how they can support it. To achieve this, it is critical to make new tools ‘secure by design,’ as solutions that both enhance security while preserving usability can help to hone a competitive edge. However, this hinges on security teams being involved in new projects from the start so they can demonstrate their value for business initiatives.
Unfortunately, this stands in contrast to the traditional situation whereby security is brought in at the end and/or as an afterthought, perceived by the rest of the business as a ‘blocker’ that slows down or dilutes the value of such projects. By helping business leaders think creatively about how finance, security and business strategies align, security teams can help drive the business agenda.
Automation to the rescue
However, this level of collaboration with the broader business can be time-intensive for security teams, who are also trying to maintain appropriate defenses and respond to threats. One way of tackling this is by optimizing security operations and using automation so they can spend time on more meaningful tasks, without taking their foot off the gas.
Whilst every procedure holds importance, security teams need to reassess how they prioritize their time and how mundane, everyday tasks can be dealt with to free up – or ‘create’ – capacity. If this is done right they can improve security metrics, minimize incident response times and therefore reduce exposure to risk, while at the same time creating more time to work closer with business leaders to drive home the importance of their role.
Ultimately, security should be part of the answer not part of the problem when it comes to overcoming the ‘cost of doing business.’ By freeing up resources with the help of automation, security teams can build a more strategic role in the boardroom, and forge closer ties with business leaders to proactively address vulnerabilities and unlock a competitive advantage.
We’ve listed the best Zero Trust Network Access solutions.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro