Cybersecurity should be one of the top priorities for small and medium-sized businesses. But it is not always easy to make sure you have all the right security checks in place when you have a small budget to spend on this area of your business. Two experts offer their advice on how to make sure your business is protected, even when money is tight.
Giuseppe Brizio, EMEA CISO, Qualys:
A PwC report from this year showed Middle East executives to be laser-focused on cybersecurity and the role of the CISO. Some 81% described social engineering campaigns as a ‘very likely threat’ in 2021, and 76% said the same of attacks on cloud services. Many (38%) said that the past year had made them more likely to ‘consider cybersecurity in every business decision’ and 39% of executives now expect the CISO to add varying degrees of innovation, leadership and business value. This is an incredible burden on security leaders, especially since less than half (43%) of those polled plan to set aside more budget for the cyber challenges ahead.
Protecting businesses from the digital hordes is a daunting prospect under the best of circumstances, but even more so when operating on a shoestring. In the face of the modern threat landscape, businesses are at more risk than they have ever been. When COVID lockdowns drove employees across the region into their homes last year, CISOs’ worries were compounded by third-party co-dependence in networks and a mountain of potential vulnerabilities in the personal devices that joined the corporate environment each day.
Amid this furor, while intrepid threat hunters dealt with alert fatigue, false positives and scant budgets, business stakeholders made further demands. Now, cybersecurity policies and initiatives had to align with business visions, protect revenue streams and support expansions in the core business model.
The first steps
The trek towards optimisation must begin with a comprehensive inventory of assets. Some of these assets (for example, personal machines) will be risk-sources, and others (for example, existing cybersecurity solutions) will be risk-mitigators. Proper, granular assessment, however, will break these assets down further and measure the degree of risk they pose or the extent to which they alleviate risk. For devices, this may require the on-going measurement and categorisation of vulnerabilities; for solutions it may require the evaluation of whether they effectively protect against the most common threats.
It is worth remembering that asset inventory should include policy frameworks and skillsets. Have employees received sufficient anti-phishing training? Do the organisation’s business contracts provide sufficient legal insulation against third-party risks such as those from business partners? And exactly how robust are the enterprise’s Disaster Recovery and business continuity strategies? As we can see, threat postures encompass so much more than technology solutions; and security budgets must allow for these elements – training, culture changes and so on – to ensure that everyone can add value to the security function, regardless of their job title. Monitoring and documentation of progress regarding the security literacy of employees at all levels is a significant part of many compliance obligations. So, budget allocation in these areas should make for a straightforward business case.
But cyber-savvy employees are not enough on their own. The modern digital enterprise cannot survive merely on prevention. Skills acquisition in the field of cybersecurity is notoriously difficult for Middle East enterprises but remains necessary. In the absence of budget for new, skilled employees, upskilling existing IT or security professionals may be the only option. This may even be the preferred approach when considering that existing employees are already familiar with the enterprise and its operations, ambitions and culture. Once the investment has been made, it will also need to be protected. Organisations must make all efforts to retain newly trained security specialists. One obvious approach is the automation of repetitive tasks. Automation is a classic example of an investment that can decrease real costs while increasing the likelihood of innovation by freeing up human capital to become more creative.
Joining the dots
The concepts involved in justifying the existence of a department do not differ across business functions. CISOs must convince line-of-business decision makers that cybersecurity is not a cash sinkhole but a catalyst for innovation. Security leaders will often find themselves being asked to draw lines from their budget decisions to revenue generation. In this regard it helps to talk in terms of risk. If the cost of not implementing a specific change can be explicitly deduced and characterised in units of downtime and damage, then non-technical executives may start to pay attention. The success of this endeavor will, of course, hinge upon building productive relationships with other leaders within the organisation.
As PwC’s projections indicate, many regional cybersecurity budgets may be static for the foreseeable future, despite concerns about the threat landscape. It may be necessary for CISOs to modify their solutions strategy, so they manage a shorter vendor list. The security market has seen many vendors move to single-stop offerings that cover a wide range of prospective incidents. And when dealing with providers, CISOs may wish to negotiate shorter contract terms so renewal evaluations happen quarterly, rather than annually, thereby opening the door to faster change cycles.
Such micro-strategies can help to demonstrate value when it comes time to review the cybersecurity function’s contribution to business health. If the CISO designs useful, easy-to-follow metrics that tie their team’s activity to increases in productivity or revenues, or reductions in costs or complexity, then this will undoubtedly win over line-of-business executives. Through risk-driven analysis and value-driven action, the cybersecurity function can deliver on the lofty expectations imposed upon it and take its place as a vital organ in the enterprise.
Edison Mazibuko, Technical Director – DRS:
The best place to start is to identify your organisation’s assets and, more importantly, the risks facing it. You need to begin by understanding that businesses do not necessarily require every cybersecurity control available; a better approach is to pinpoint the specifics that best suit your organisation. This can be achieved by conducting a security assessment based on cybersecurity frameworks. These risk-based frameworks do a great job of mapping your controls against industry best practice.
Below is an example of the important information that should emanate from such assessments:
• The identification of potential threat exposure to critical assets and information
• The highlighting of problems or shortfalls in the organisation’s implementation of the Risk Management Framework
• The recognition of security-related weaknesses and deficiencies in the information system and in the environment in which the system operates
• The prioritisation of risk mitigation decisions and associated activities
• Confirmation that identified security-related weaknesses and deficiencies in the information system and in the environment of operation have been addressed
• Support of monitoring activities and information security awareness
Frameworks can also assist organisations to answer fundamental questions, such as ‘How are we doing?’ This is where the role of continuous monitoring and reporting comes to the fore. Once you have the necessary controls in place, you can avoid the trap of trying to do it all in-house in the ever-changing world of cybersecurity. Managed security service providers (MSSPs) provide organisations with the people, processes and technology necessary to secure their critical assets and data. Leveraging managed services enables organisations to reduce the pressure on trying to fight for scarce cybersecurity skills and keeping up-to-date with the latest attacker techniques. Moreover, it provides peace of mind, as businesses have access to state-of-the-art security and highly skilled specialists with the ability to focus on running their businesses while specialist cybersecurity experts keep it safe.
Once you have a clear picture of what is important and how it needs to be protected, making other budget-influencing decisions, such as Security-as-a-Service (SaaS) versus in-house, best-of-breed versus consolidation, cloud versus on-premises, etc., becomes much easier.