CISOs face the constant challenge of working to a budget against the backdrop of an ever-growing cyberthreat landscape. It can be difficult to know where to prioritise investment. Intelligent CISO hears from two industry experts about best practice for security teams – including those at SMEs – and examines a practical tool offered by one vendor to help make the big decisions.
With IT budgets under pressure to transform and improve multiple areas of an organisation and business leaders needing to demonstrate return on every investment, the onus has long been on IT security to prove its worth.
But proving ROI has traditionally been a struggle for IT professionals, who need to balance budget limitations while staying ahead of the dynamic threat landscape. To help businesses measure their IT security spend against that of similar organisations, Kaspersky Lab has updated its Kaspersky IT Security Calculator.
The calculator, which is based on research into cybersecurity investment within a cross-section of different-sized businesses in a range of sectors and regions, enables IT security professionals to benchmark their cybersecurity strategy against others in similar circumstances to them.
Based on data from 6,687 business respondents worldwide, the calculator allows users to input information about their business size, region, industry and IT security spend.
It then tells them how they measure up compared to industry averages – providing transparency into the security measures taken by other similar businesses, the major threat vectors they encounter, how much money they have lost as a result and what can be done to avoid being compromised in this way.
Maxim Frolov, VP of Global Sales, Kaspersky Lab, said: “We hope that this tool will bring IT professionals the insight they need, to get their required investment and to protect their businesses from the latest and most damaging threats.”
How can CISOs plan their security strategies on a budget?
Alain Penel, Regional Vice President – Middle East, Fortinet
Serving as CISO for an enterprise isn’t an easy undertaking. The following are eight recommendations that can help lay the groundwork for a long and successful tenure on a budget:
- Map the attack surface
Digital transformation includes technology trends such as cloud adoption, the Internet of Things (IoT) and mobile user connectivity that have erased the traditional network perimeter, exposing enterprise environments to unanticipated risks. Given these trends, developing a comprehensive understanding of your attack surface is a critical starting point for every new CISO.
- Understand compliance requirements
Understanding the full range of security standards and mandates that bear on an organisation is nearly as important as knowing its vulnerabilities. CISOs need to get a quick lay of the land when it comes to what needs to be tracked and reported upon. Compliance can be used as a strategic business enabler, or it can become a headwind that thwarts business acceleration.
- Identify the known and unknown
The threat landscape is rapidly evolving and changing in ways that make it impossible to predict and prepare for. Cybercrime is being commoditised with the growth of Ransomware-as-a-Service and Malware-as-a-Service as successful criminal commercial markets. Integrated sandboxing and real-time threat intelligence sharing among all of the security elements is a requisite to defend against advanced threats.
- Understand your organisation’s risk appetite
No two organisations have exactly the same relationship with risk. Gaining an understanding of how much risk and what types of risk your new organisation is willing to accept is critical. This information will guide your prioritisation of security initiatives – what to focus on and what not to. In addition to your board of directors and CEO, your line-of-business leaders hold valuable insights on the company’s risk appetite.
- Know your role, build relationships accordingly
Relationships are critical for any executive. CISOs need to start building network connections that encompass everyone from the boardroom, to the executive team, to various members of the network and security teams. Today’s CISO must be not only fully conversant in cybertechnologies and threats but also speak the language of the business.
- Structure the team, bring in reinforcements
All of the above factors will inform how you structure your existing team, and what skills you will look for with any new hires. Unfortunately, attracting and retaining talent is expected to be an increasing challenge going forward. CISOs must quickly begin developing a talent pool of potential recruits who bring the right skills and thrive in the corporate culture.
- Be strategic about technology investments
Given that the threat landscape, your IT environment and the direction of your business are dynamic, your security architecture must be adaptive. A security fabric approach deploys a common set of layered security tools across the entire on-premises and cloud environment. It provides a single pane of glass from which the company’s security posture at a given moment can be assessed and addressed.
- Track, measure and report results
Objective measurement and communication of your company’s security posture vis-à-vis risk tolerance and business objectives – which includes industry, governmental, and security compliance – is critical to your success. An important starting point for tracking, measuring and reporting results is to align business-security initiatives based on Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).
Best practice for CISOs at SMBs
Hadi Jaafarawi, Managing Director, Qualys Middle East
SMBs falsely assume that they aren’t susceptible to cyberattacks, but in reality, they are more vulnerable and face greater challenges to network security due to smaller budgets, less-sophisticated infrastructure and lack of security personnel. Therefore, it’s crucial for SMBs to be smart about defensive choices and focus on what matters most.
Instead of thinking of the security budget in terms of cost, understanding the risk associated with a potential cyberattack is the first step towards a strong cybersecurity posture. Chief Information Security Officers (CISOs) need to gain an understanding of the types of threats that target their company and the weaknesses that exist within their current infrastructure, identify the vital business assets that require protection, and determine the level of protection required.
This security assessment provides a comprehensive security baseline that helps CISOs select an easy and comprehensive solution that continuously assesses their security posture, complies with and responds to the ever-changing regulations and security threats, and helps build a solid and secure IT environment without the hassle and costs of deploying point solutions.
Qualys makes it possible for businesses to strengthen the security of their networks and applications with its continuous security and compliance management solutions. The newly introduced Qualys Community Edition, a free cloud-based service, gives small organisations unified visibility of their own or their clients’ IT and web assets.
It also allows users to leverage the power of the Qualys Cloud Platform, which performs billions of scans annually to automatically gather and analyse security and compliance data from hybrid IT environments.
This accurate and immediate visibility helps organisations maintain a higher level of security and provide auditors with trusted compliance reports, while consolidating their stack and drastically reducing costs.
Furthermore, the importance of providing information security awareness training to employees cannot be overstated. A security awareness programme offers employees the knowledge they need to better protect the organisation’s information through proactive, security-conscious behaviour.
Employees should gain a basic understanding of security policies as well as their respective responsibilities in protecting personal and business assets.
To be effective, CISOs should implement an ongoing security awareness programme that includes continuous training, communication and reinforcement.