Key Webinar Takeaways from our Live Cybersecurity Panel Discussion
If you didn’t have the chance to attend our recent live webinar IT Pros Security Challenges: What Decision Makers Want to Hear (or you did attend but would like a recap), we’ve put together a couple of key takeaways.
The goal of our cybersecurity panel discussion was to bring together security executives from different industries and backgrounds to chat about common challenges for IT professionals. And because speaking the same language as decisionmakers is essential, our executives shared great tips for building a solid cybersecurity pitch to the Board of Directors and the executive management team.
We talked about how IT pros can build their cybersecurity strategy, why it’s important to align security and business objectives and how to get executive buy-in for cybersecurity projects.
The discussion was quite eye-opening (and entertaining!), to say the least, and has revealed some useful security insights from an executive perspective.
1. What were the “security game changers” in 2018 that have impacted cybersecurity strategy?
In the security space, we tend to get lost in the weeds by focusing on the latest big hack, breach, malware, DDoS, etc. In 2018, there were a couple of “game changers” that our executive team talked about that made them reassess their security strategy and priorities.
- Media Buzz: More and more media outlets are covering cybersecurity on a regular basis, which means that cybersecurity awareness is usually pretty high among executives. Equifax, NotPetya and WannaCry have been major security incidents in 2018. What’s unfortunate is that cybersecurity has become such hype that actual cybersecurity strategy and risk management fall behind. We need to make sure that cybersecurity is more than just a buzzword and emphasize that it has a real and measurable business impact.
- GDPR: Even before the General Data Protection Regulation (GDPR) came into effect in May 2018, GDPR had become a huge wave across Europe, North America and beyond. Unfortunately, there’s still lots of confusion out there about what GDPR compliance actually means, who it applies to and whether or not your company should comply. The approach to GDPR compliance is very complex, and there’s been a lot of false buzz. From a data protection perspective, it certainly raised awareness on the executive level for the need to comply, but confusion must be addressed.
- Cybersecurity Posture: Throughout all previous security incidents and breaches, one central message should be that organizations need to define and improve their cybersecurity posture, one step at a time. There is no quick fix for cybersecurity because organizations often deal with security incidents in panic mode. It is critical to define and evaluate your own cybersecurity maturity. Most organizations don’t fully understand where they’re at in terms of their cybersecurity maturity, and need to make a cybersecurity posture evaluation exercise a regular part of the cost of doing business.
- Cloud Security: Cloud solutions are on the rise. A big discussion in 2018 has been about whether cloud services are more (or less) secure than hosted, non-cloud services. As businesses hop on the bandwagon of moving their systems and infrastructure to the cloud, they need to be conscious of the security implications of their cloud strategy. Overall, securing the cloud and IoT space is definitely a challenge that affects all types of industries and applications (corporate networks, control systems, sensors, etc.).
2. What are the main challenges that IT professionals are struggling with?
- Supporting Operations: For one, IT professionals need to provide internal support to their organization to ensure that systems and applications are available with limited downtime, are updated regularly and enable the business to run smooth operations.
- Meeting SLAs: For us at Hitachi Systems Security, our IT department also plays a key role in helping us meet client requirements and Service Level Agreements (SLAs). As part of our managed security service offering, we are responsible for monitoring our clients’ networks on a 24/7 basis. A maximum of operational uptime is therefore essential for us to deliver our service to our clients’ expectations.
- Dealing with Transformation: Overall, the field of IT is going through a massive transformation, and IT professionals are finding themselves confronted with a huge skills crisis.
- Qualified IT resources are scarce, and it will become more and more challenging to train and retain IT resources.
- There is more and more data to process (often tens of thousands of events per second, or EPS), which strains organizations’ ability to decipher and analyze such large amounts of data.
- IT is becoming increasingly consumerized, and users are beginning to have much greater control over how they work with IT devices (mobile apps, BYOD).
- Moving to new technologies or engaging with new third-party providers requires a lot of work – not only to implement technology but also to maintain it. That’s why it’s crucial to understand the post-implementation impact to optimize your IT departments.
- The DevSecOps Challenge: Lastly, we see a considerable misalignment between IT and security departments when it comes to defining an effective cybersecurity budget. While security budgets are expected to increase overall, a recent study has demonstrated that organizations are still struggling with the disconnect between DevOps and security. The notion of a collaborative “DevSecOps” function seems to be utopian at best, as a whopping 91 percent of organizations think that R&D teams introduce risk to the corporate environment.
3. What are some of the common mistakes that IT professionals are making?
When it comes to implementing effective cybersecurity strategies, here are some of the common mistakes that we see amongst IT professionals:
- No Strategic Alignment. If your cybersecurity strategy is not aligned with your overall business strategy, it will likely fail. Make sure to understand (and demonstrate) how your cybersecurity spending will help your business reach its goals and strengthen its cybersecurity posture along the way.
- Not Enough Proactivity. During the day-to-day craziness of running their operations, IT professionals tend to be reactive to security challenges. Instead, what is needed is a more proactive approach – one that anticipates security challenges and helps them plan their cybersecurity projects in accordance with their business strategy and risk tolerance.
- No Measurable ROI. If IT professionals want to get executive buy-in, they need to be able to measure how effective their cybersecurity projects are. Implementing security controls is certainly important, but measuring control performance is critical to securing continuous support for your cybersecurity strategy. If you can’t measure your cybersecurity performance, you can’t improve it.
4. How can IT professionals convince their Board of Directors/management team to invest in cybersecurity?
Often, IT professionals struggle with pitching their cybersecurity strategy to decisionmakers because they don’t speak the same language.
Regardless of your organization’s industry or business context, IT pros should be ready to address these two elements to get cybersecurity buy-in:
- You must assign a dollar value to your cybersecurity investment. Shift your approach to an actual business impact and don’t forget to monetize your security pitch!
- You must be able to demonstrate which security controls will support your business strategy. Your security strategy must be linked to your business objectives and act as a strategic business enabler, not an IT cost center.
Key questions you should ask yourself:
- How will your cybersecurity strategy drive your overall business goals?
- How will your cybersecurity strategy support operations?
- How will your cybersecurity strategy defend your critical assets?
- How will your cybersecurity strategy help you comply with applicable laws and regulations?
- How will your cybersecurity strategy drive the required behavior in your organization?
IT professionals need to demonstrate that their cybersecurity strategy aligns with the overall business goals and delivers measurable return on investment (ROI).
Still curious about learning more? Or simply interested in how our executive panel discussion went down? We’re telling you, it was quite entertaining!
Watch our webinar recording by clicking down below.