Finding the Best Cyber Security Initiatives for Your Organisation


Cyber Security is a world full of compromises.

You rarely have enough resources to implement a gold standard. Even if you did have unlimited resources, I’ve found departments have an optimum capital deployment rate, dependent on stakeholder engagement and the organisation's metabolism. If you try to implement change quicker than the environment allows, you quickly hit a diminishing-returns curve where each pound deployed has a reduced effect on your end goal of risk reduction.

Because of these factors, we must be strategic when picking new security initiatives.

We need to make sure we get the best bang for our buck!

The topic of which initiatives yield the best return on investment (ROI) could easily fill a book. However, at a high level, and as a minimum, I believe all initiatives should confidently sit in the middle of this Venn diagram:

Cyber ROI Model
  • Threat Landscape: What are the real threats affecting your industry? All investment decisions must be intelligence-led, based on the challenges you’re likely to face.
  • Organisation’s Security Posture: An honest appreciation of your control effectiveness against your threat landscape. Use industry frameworks like NIST, leverage external benchmarks, and continuously validate your assumptions. You need to identify what security controls are lacking or ineffective against today’s threats.
  • Organisation’s Mission Statement: Why does your organisation exist? I would argue that if you don’t know how your organisation makes a pound, you don’t know how to secure it! Executives balance Risk against Revenue generation and Operational Cost. Your job is to enable that!

Remember: Nearly 90% of all cyber-attacks are not the result of elite hackers, but opportunistic cybercrime gangs taking advantage of failures in an organisation's patching, configuration, or authentication posture. Your initiatives don’t need to be fancy; they need to make a difference.

If your initiative only ticks the Threat Landscape box, it’s likely great for storytelling but has no real relevance to the organisation. If it only bolsters the Security Posture without considering the organisation's needs or the real threats, it’s likely a passion project that won’t move any meaningful needles. Finally, if it only ticks the Mission Statement box, you’re likely a ‘yes person’ avoiding those difficult risk and control conversations with your board.

A simple example for illustrative purposes: Network Segregation

If your initiative were to propose network segregation for critical services and the business doesn’t understand the ask, you will get a lot of pushback. From their perspective, you’re asking to invest resources to make the user experience more complicated. Why should they use a jump box and 2-factor authentication to access internal services when today’s solution has always worked?

It’s a fair question, and to gain their buy-in, we need them to:

  • Understand why we’re asking for the change.
  • Appreciate that the ask is proportional.
  • Care about the outcome we’re trying to achieve.

This same model allows us to explain how the risk to the organisation mission has materially changed.

A new criminal group is actively taking advantage of network architectures which resemble ours to compromise Banking Services. We’ve seen this with the Bank of Bangladesh, where $88 million was stolen because the network architecture lacked the layers of control needed to protect a system of that criticality. We believe the proportional mitigation controls are X, Y, & Z.

Your initiative is much easier to justify when it meets the model's test.

model diagram


There will be some outliers to this rule, such as projects which focus on providing opex or capex efficiencies. However, as a litmus test for all new initiatives, I’ve found it invaluable when all 3 align. Plus, as demonstrated, it’s a great model for Cyber and other stakeholders to talk through why different initiatives will impact the organisation positively.

Beyond the model, think about how you could further enhance the overall deliverables by factoring in the Pareto Principle, and most importantly, the human factor.

Simples.


FAQs based on the article

Q: How can an organisation effectively address the challenges that arise during the implementation of these cyber security initiatives, especially in environments resistant to change or with limited technical expertise?

A: Addressing implementation challenges requires a multifaceted approach. Firstly, education and awareness are key. Providing training and clear communication about the importance and benefits of the initiatives can help alleviate resistance. For those with limited technical expertise, it’s crucial to simplify the concepts and relate them to everyday impacts. Additionally, involving all levels of staff in the planning and implementation process can foster a sense of ownership and ease the transition. It’s also beneficial to start with small, manageable changes to build confidence and demonstrate value before scaling up.

Q: What specific metrics or methods can be used to measure the return on investment (ROI) and overall effectiveness of different cyber security initiatives, ensuring that they are not just cost-effective but also truly enhance security?

A: Measuring ROI in cyber security can be challenging, but it's not impossible. Key metrics include the reduction in the number of security incidents, the response time to incidents, and the cost savings from avoiding potential breaches. Additionally, benchmarking against industry standards can provide a comparative measure of effectiveness. Regular security audits and penetration testing can also offer insights into the robustness of your security posture. It's important to balance quantitative metrics, like cost savings, with qualitative ones, like improved employee security awareness.

Q: How should an organisation adapt its cyber security strategy to rapidly evolving and emerging threats, especially when facing sophisticated cyber-attacks that might not be covered by traditional security measures and frameworks?

A: To adapt to evolving threats, organisations need to adopt a proactive and dynamic approach to cyber security. This involves staying informed about the latest threats and trends, which can be achieved through intelligence sharing platforms and industry collaborations. Regularly updating and testing your security infrastructure is crucial. Incorporating advanced technologies like AI and machine learning can help in identifying and responding to new threats more quickly. Finally, it’s important to have a flexible incident response plan that can be adapted to different types of cyber threats.