business decisions mean that the IT security budget, as well as personnel, will be rapidly allocated to fix the closest security gap, while previously scheduled tasks and deployments get delayed and piled up for later.

Unfortunately, as a result of this, the actual spending on security in these organisations may increase dramatically, as whenever something unexpected happens, the organisation will need to solve it as quickly as possible, no matter the cost.

At the same time, larger organisations with a more mature approach to risk management may end up with a smaller proportion of money spent on information security.
A risk-based approach

The most typical approach to security budgeting is often based on today’s instant needs or on previous experience.

It’s not surprising that in 2019, risk management expertise was cited as among the top three skills for information security chiefs. In mature enterprises, risk assessment is at the core of business processes. IT security is no different.
More mature organisations do not try to fix as many gaps as possible. First, they look at critical business risks – whether it’s downtime, service availability, a destroyed reputation, lost business opportunities or all kinds of direct monetary losses. For the businesses with this mindset, cybersecurity isn’t a habit or a ‘necessary evil’ investment instigated by scary headlines. It’s reasonable and it’s based on risk calculation (meaning the probability of an incident multiplied by its cost).
Cyberthreats make no exceptions, but even so each organisation will likely face specific types of cybersecurity risks. For an e-commerce firm with most of its business in digital, there’s a good chance that DDoS attacks on its web resources would cause massive damage, both monetary and reputational. Meanwhile, financial and government organisations will face significant penalties and fines from regulators should their systems get breached in an advanced cyberattack, so their budgets should focus here. Additionally, software developers and service providers can even be a target themselves, or a step in a supply chain attack against their customers. In other words, there are
Issue 21 | www.intelligentciso.com