How Much is Enough? A Different Cybersecurity Risk Management Approach

Historically, the fear of cyberthreats put organizations and their IT departments on the defense. So much so that they still strive to design security plans that try to protect every part of their infrastructure — data centers, assets, networks — everything.

Due to the sheer number of systems to protect and the increasing cyberthreat landscape, the “more is better” model, although logical at the beginning of the cybersecurity battle, is simply not sustainable now.

Today’s IT environments are a chaotic mess of technology sprawl. Even the most organized IT departments run legacy systems or systems inherited through acquisitions, plus an abundance of point solutions. And let’s not forget the never-ending additions to the Internet of Things (IoT).

Unless you have a huge cybersecurity budget and unlimited resources to manage all the applications, keeping up with the continual and accelerating change in the technology environment won’t work.

CISOs recognize they must take a more targeted approach to plan their cybersecurity budget. Therefore, they’re wisely moving to a “risk optimization” process to make cybersecurity investments that are guided by business outcomes.

Cyber risk optimization is the practice of understanding threats, priorities, and business investments in order to design a cyber strategy that takes on the correct amount of risk. Aligning the cyberthreat conversation with business objectives allows for the strategic funding of cybersecurity.

With this approach, your organization can create a proactive cybersecurity and risk optimization program that helps answer the question: What is the right amount of cybersecurity to mitigate the priority risks?

Three reasons your organization needs to shift perspectives and embrace risk optimization practices

1. Companies can no longer afford to default to the “more is better” cybersecurity model.

The rapid rise of the cyberthreat landscape combined with limited resources has fueled the need to rethink cybersecurity programs.

Research firm Gartner Inc. estimates that cybersecurity spending in 2021 totaled about $150 billion, up more than 12% from 2020. Yet, despite the higher investments in cybersecurity, cyber attacks keep coming.

Companies need to pivot and learn how to maximize cybersecurity spending in a barrage of costly cyberattacks. If you’re curious about just how expensive, read the 15 Biggest Cybersecurity Attacks in 2021 and find out.

The actual costs are measurable. The cost to a company’s reputation is priceless. Cybersecurity does need to be a top priority everywhere. So, how does a company manage the never-ending cybersecurity threats?

Large organizations solve it with security operations centers (SOCs) that monitor for threats 24×7, and they also have large security budgets. Most organizations need a SOC but think they can’t afford one; yet, using a risk optimization approach, they can learn how to build a SOC with limited resources.

If the “protect everything” approach will become too costly, how exactly do you decide what to protect? How do you determine how much cybersecurity is enough?

2. Cybersecurity priorities and investments should be aligned to business goals.

The days of relying solely on security and IT teams for cybersecurity decisions are thankfully gone. After all, business stakeholders know their business’s privacy, data protection, and regulatory risks better than anyone and should be invested in the cyberthreat conversation.

When CISOs understand each leader’s top security concerns, key business objectives, critical business areas, and the systems and networks that support those areas, that knowledge informs the cyber program. It connects security initiatives with business outcomes and ensures a cyber posture that manages the biggest threats to the organization.

Discussing business outcomes instead of security tactics helps CISOs align with stakeholders on business goals. The outcome discussion assists in fine-tuning the program to figure out the right amount of cybersecurity.

The cyberthreat game board is changing all the time. CISOs are working hard at keeping up with priorities. If you want to hear more about how CISOs align with business goals, this ebook provides key insights on achieving success as a CISO today from industry leaders.

3. The cybersecurity conversation becomes more credible and defensible.

Once organizational priorities drive cybersecurity decisions, with IT risk mitigations rolled into those decisions rather than being the primary driver, the cyber conversation takes on a more executive-level role.

In other words, once a risk optimization approach is taken, security leaders are given a seat at the table. That seat allows them to educate and inform their colleagues, shifting the organizational mindset to cybersecurity as a business solution.

CISOs talking about spending prioritizations and budget decisions based on an understanding of cyber risk related to the organization’s priorities — that’s a conversation the CEO wants to have. That’s a conversation that CISOs need to be ready to have.

According to Karen Holmes, VP and CISO at True Blue Inc., “CISOs are much more customer-facing than they have ever been in the past. I’ve had meetings with CEOs of other companies, too, where they want to understand more about our security posture before they engage with us.” [1]

In fact, with security priorities becoming interdependent with business priorities, there’s a solid argument that cybersecurity leaders should report to the CEO to gain the organizational influence required to do the job.

Gartner has a proven method for implementing the cybersecurity risk management process

Gartner has a proven model to help your organization implement a better cybersecurity framework. They call it the risk, value, cost (RVC) model.

The RVC model is a roadmap that companies can follow to implement a risk optimization methodology. RVC measures business units by their value in addressing known risks, includes cost considerations, and creates a comparative analysis that supports priority and investment decisions in a business context.

The RVC process helps you determine cybersecurity investments that are balanced between cyber protection and running the business.

Do you want to learn more about implementing a balanced risk approach to your cybersecurity program and budget? Download this Gartner report — Optimize Risk, Value, and Cost in Cybersecurity and Technology Risk — and learn how to implement a cybersecurity program that balances the right amount of risk with business outcomes.

Gartner is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner, Optimize Risk, Value and Cost in Cybersecurity and Technology Risk, Paul Proctor, Refreshed 2 August 2021, Published 12 February 2020

[1] The Modern and Evolving Security Leader.