3 Factors (Besides Budget) That Promote Cyber Security Success
Here’s something we can all be thankful for this holiday season: Larger cyber security budgets are reportedly on their way! In a recent FireEye study, 76% of participants said they expect their security budgets to increase in 2020. That’s obviously encouraging for those fighting the good fight and bad news for those on the other side of the digital battlefield. Still, despite the extra funds, security pros can’t afford to let their guards down because cyber security success isn’t defined by the size of an organization’s budget.
That’s not to diminish the importance of cyber security spend. As part of its research paper The Security Bottom Line: How Much Security Is Enough?, Cisco analyzed how security postures differed between those with more to spend and those with less to spend. The technology leader found 27% of companies with annual cyber security budgets of $1 million or more felt they were able to afford their minimum security needs. That figure – 27% – isn’t wholly impressive in and of itself. Drop into the $250,000 to $999,999 budget range and suddenly just 9% of participants were willing to make similar claims.
Yet, the consensus across all budgetary ranges is that organizations, no matter what they’re spending, believe they still have a ways to go on their security journeys. According to Cisco:
- 94% of those spending $1 million or more on security each year believe their programs and initiatives still have room to grow
- 95% of those spending $250,000 to $999,999 said the same
- 92% of those spending less than $250,000 said they want to do more
It seems budgets don’t tell the entire cyber security story. In its report, Cisco highlighted three other areas organizations must focus on to succeed against today’s advanced persistent threats.
Cyber security expertise is somewhat rare these days. In its report, Cisco cites research from (ISC)2 which found a global security skills shortage of around 3 million. Rarer still is having that expertise in-house. Cisco’s own research states that just 37% of surveyed organizations say they rely on their internal staff most for cyber security expertise.
Bringing these kinds of skills in-house can be expensive – going back to budget again. Plus, sharing knowledge with other organizations in similar situations is an effective way to stay ahead of the bad guys. The issue is, without the in-house talent to interpret and adapt it, that peer-to-peer insight can be too general, too removed from an organization’s individual needs to be truly effective.
It makes sense for organizations coming up short on security talent to work with a managed services provider. Any provider worth its salt will dedicate ample time early on to learning the ins and outs of an organization’s environment. This achieves a best-of-both worlds approach, mixing reliable insider knowledge with affordability and flexibility.
Having expertise is one thing. Having the ability to act on it is something totally different which is where capability fits in. Some projects may be too onerous – either in terms of cost or complexity or some other factor – for those tasked with promoting security to undertake. Still others may fall outside of that particular department’s jurisdiction. Whatever the case may be, IT and security teams often know what needs to be done but are unable to execute.
Cisco explained the issue of capability as one of cyber security maturity. First tier organizations have a clear understanding of their IT asset library. They know what they have and they know what it’s doing. The next step up are organizations where security has control over initiating and preventing changes to those assets. Above that are organizations who, for a lack of a better phrase, get it. They understand which resources criminals are most likely to target, how they’re likely to be targeted and how to repel those attacks. Lastly, the most mature (and capable) organizations are those effectively deploying and leveraging security tools to defend themselves organization-wide.
Maturity is dependent upon a strong cohesion among internal teams. Security needs to work in lock step with operations and finance and every other department to fully understand the scope of what they have, what they’re facing, and how to stay safe. Once again, sometimes bringing in an outside, independent voice is the best way to foster that level of internal collaboration.
The final area Cisco underscores as a pathway to better cyber security is influence. A couple of different points are called out in this section of the report. First, influence can refer to an organization’s ability to hold vendors to its own cyber security standards. It can also mean having the clout necessary to learn about potential cyber security risks from vendors before they become common knowledge. Trouble is, modern IT environments tend to be a patchwork of solutions and providers, lessening most organizations’ ability to exert much influence.
Cisco’s researchers found 38% of organizations that spend $1 million or more each year on security said they were always able to dictate security-related conditions to vendors/partners. Just 17% of organizations that spend less than $250,000 annually on security were in the same boat. Meanwhile, 86% of organizations with 10,000+ employees said they learned about security vulnerabilities and incidents affecting them from vendors before they were public knowledge. Compare that to just 60% of organizations with fewer than 1,000 employees who said the same.
It’s clear from Cisco’s findings that influence is often reserved for those with enterprise-sized budgets or employee rolls – or both. This doesn’t have to be the case. Organizations just need to find a partner with the experience and connections necessary to serve as a bridge between them and security-first, industry-leading vendors.
Next Steps: Maximize security without maximizing budgets
Strong cyber security isn’t just about having the highest budget. It’s a combination of multiple factors, including spending on the right resources, building connections to industry-leaders, and having access to a team who understands security as well as what makes your business unique. Arraya’s Cyber Security Team takes pride in being able to deliver on those goals for our customers. We provide the people, processes, and solutions needed to navigate today’s threat landscape. Start a conversation with our team now by visiting: https://www.arrayasolutions.com/contact-us/.
We want to hear from you! Leave us a comment on this or any of our blog posts through social media. Look for us on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date on our industry insights and unique technology learning opportunities.