All businesses are at risk of a cyber-attack, so we won’t bore you with a lengthy introduction about how around 30% of businesses will be breached in the coming year, how more than 60% are not adequately prepared, what the average cost per breach is, and so on. We know the question is not whether to invest in cyber security, because of course we must. The question is how, where and to what extent to invest. How should a (most likely limited) cyber security budget be allocated, and where should time and resources be focused?
Organisations that come to us for help managing their cyber risk often believe that their cyber strategy has to cover every part of the business and account for every single type of cyber threat, and so they worry that it will come at significant cost. A blanket approach might buy total peace of mind, but it is not good for the bottom line, particularly as, in many organisations, cyber security risk management competes with many other prioritised risks and “can we achieve it cheaper?” is a common question.
Digital transformation
So why is there no single, affordable silver-bullet cyber security solution? To start with, cyber threats are not simple: they evolve constantly and every business faces a different threat profile. More importantly, cyber security is not a mature sector. Only 20 years ago most of our business processes were still offline; now nearly every aspect of our work relies directly or indirectly on technology, whether that is an HR application, a project management platform, or simply email and document storage. As organisations have adopted all these tools that streamline outputs, reduce costs and increase efficiency, they have moved quickly and skipped much of the thinking about the consequences of that reliance. Only now, when reliance on technology is near total, are we recognising the impact of malicious threat actors and trying to assemble our defences retrospectively.
As many organisations tackle ‘digital transformation’, delivering their products using modern technology, some cyber security vendors and consultancies take advantage of this late scramble for security and present solutions as more difficult and more expensive than they need to be. Through complicated technical language, abstract concepts and scaremongering, they exploit uncertainty and confusion. Many organisations, afraid of getting it wrong, feel unable to make firm decisions about risks they do not understand. So instead of putting in place only what they need, based on the threats specific to them and their own risk appetite, they adopt a blanket approach and invest blindly in ‘silver bullet’ cyber security products without understanding, or being able to measure, how effective any of it is. They do so in the hope that the problem will then go away. It invariably doesn’t, and the result is a massive, disruptive and expensive undertaking, particularly when budget and resource are hard to obtain.
Finding the right balance
The reality is far less complicated. If you understand the type of threats your organisation and your sector face, and how those threats manifest within your business, you can plan the defences that most effectively counter them. Are you implementing what you have seen elsewhere, or what you have been told someone else has? If so, you could be investing heavily in a solution that is over the top for your specific risk, investing the right amount but in the wrong place, or not investing enough in the right things.
That is why it is so important to understand how your current security measures cover the threats specific to your business and sector. If you are the world’s best online retailer, your main threat is unlikely to be a state actor trying to disrupt your production or a competitor stealing IP; it is far more likely to be criminals stealing sensitive customer data. In that case the spend on protecting IP or production processes should be proportionately smaller than the spend on protecting customer data, though not zero: those risks still need to be considered. Understanding your threat profile, and working out what the risk is and where it will come from, tells you where your time, money and resource will be most effective.
Your level of cyber maturity
In short, how can you invest in cyber security measures if you don’t know what your organisation is up against? Whether you are responsible for IT, security, or risk and compliance, or you sit at board level and worry about managing corporate cyber risk, you are inevitably also thinking about the cost of doing so.
Organisations must therefore be able to see clearly how strong they currently are, where they need to be, and in which areas they are vulnerable, based on the threats specific to the organisation and its risk appetite. A Cyber Maturity Model accounts for all of these things, including external regulatory and governance requirements, to inform what to invest in, where and how much, removing the need for guesswork and blind investment. Because both the threat landscape and the business change, the assessment needs to be repeated periodically rather than treated as a one-off exercise.
How we can help
PGI’s Information and Cyber Security teams use the Cyber Maturity Model across a wide range of sectors and have in-depth experience supporting national and global organisations to identify and implement pragmatic, cost-effective solutions to manage their cyber risk.
Contact us to talk about how we can help.