De-risking the business - how to evolve your approach to security


According to Plato’s book Republic, necessity is the mother of all invention. When we need something, then we have the impetus to make it happen. For cybersecurity teams, the need at the moment is around how best to work with the business.

Gartner estimates that global spending on security and risk management will be $215 billion in 2024, an increase of 14.3 percent over the previous year. However, while that overall spending figure is still growing, budgets have to cover far more potential threats, keep up with the growth in attack surfaces, and support more IT systems that enterprises have added to their stacks. One example: in our research, the number of software vulnerabilities that were weaponized by threat actors grew to 152 in 2023. This is more than the previous three years combined, yet spending has not grown at the same rate.

Secondly, the wider business environment is changing. Business leaders today are focused on profitability rather than growth, due to the generational change in interest rates. When money was cheap, investing for growth and market share made sense; today, profitability and cost control are more important. The impact from this? Organizations are trimming any fat out of their operational costs, and that includes spending on security. While they won’t cut spend, the rate of growth will be much lower over time.

So, how can CISOs make the best case to the business for supporting security, and defend budgets against cuts? How can you ensure that boards and CEOs know that what you deliver is both essential to the business and an effective use of budget? To achieve this, the focus has to be on business risk.

Does this sound obvious? Isn’t that why we spend this budget on security, to protect the business? The challenge here is that what you think of as risk may not be the same as what the board thinks of as risk. In my work with CISOs, I see how easy it is for security teams to treat IT risk and business risk as the same thing, and they are not. Rather than looking at the technology side, we now have to look at the business impact that risks can have and explain how IT security threats measure up against those criteria. We need a new approach that focuses on what matters most to the business around risk, and ensures that IT security issues are positioned within that framework, rather than trying to get business leaders to understand technology details.

Rich Seiersen

Chief Risk Technology Officer at Qualys.

Making changes

In order to achieve our goals in future, we have to look at our purpose in the business as a whole. The modern goal for CISOs and IT security teams should be to de-risk the business so that it can perform effectively in the market. While defeating our ‘digital adversaries’ and stopping threats are both crucially important tactics, they are not the main objective that we should be pursuing. Instead, they are meta-outcomes that are delivered when we meet that overall goal - enabling the business to win.

If we lose sight of that business goal, or keep on thinking of our position as solely about technology, we stop producing value the business recognizes and supports. That value is the elimination of risk that blocks the organization from succeeding in its mission or purpose.

To achieve this in practice, we have to look at how to build on our operational security processes and how they interact with each other. The first stage is measuring cybersecurity risk across every attack surface. This is something that all IT security teams should already be doing, but the results are often incomplete or fragmented. Bringing all this data together in one location makes it easier to understand what activity is taking place across the team.

This exercise can flag potential areas where you can improve your approach to asset management and measuring security effectiveness. However, the biggest return on this is getting a single view of all your programs and how they ensure that your attack surfaces are being protected. This can then be translated into metrics that the business team can understand, based on integrating and quantifying asset values, threat intelligence data, vulnerability status, and potential business impact, then providing monetary values for those impacts.

Using this data, you can communicate cybersecurity risk to the business based on value. How realistic is the risk of a given attack, and what would the resulting impact be in monetary terms? Getting this data for IT has been hard in the past, but going through that consolidation exercise around asset data makes it much easier to create those metrics and then answer business questions around security and potential risk. For example, what combinations of assets, threats, and vulnerabilities are most likely to disrupt services? More importantly, how would this translate into frustrated customers and churn, regulatory impact and fines, and/or loss of revenue?

This exercise also enables you to measure IT security risk and results alongside other business risks that the board tracks, such as supply chain performance, sales results against targets or customer changes. Putting all this data into the same format makes it easier to have conversations around results, as well as what gaps exist that have to be filled.

Alongside this, you can improve your security processes to reduce or eliminate risks. This will involve remediation for issues like software vulnerabilities that can be fixed, and mitigation steps for those that cannot be solved. On the remediation side, patching vulnerabilities is the most efficient approach to solving these problems, and automating patch deployment speeds up the process further. For those issues that cannot be patched, whether because no update exists or because of business impact, mitigation measures can reduce the potential risk.
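As an added illustration of the quantification described above (not code from the article or from Qualys), the Python below scores constructed asset/threat/vulnerability combinations by annual expected monetary loss, ranks them, and shows how patching or mitigating one changes the figure. The likelihood values, status factors, impact categories and placeholder vulnerability ids are all assumptions for the example.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Exposure:
    """One asset / threat / vulnerability combination on the attack surface."""
    asset: str
    vuln: str                       # placeholder id, not a real CVE
    weaponized: bool                # threat intel: exploited in the wild?
    internet_facing: bool           # part of the external attack surface?
    status: str                     # "open", "mitigated" or "patched"
    impact: dict = field(default_factory=dict)  # loss if exploited, by business category

# Constructed likelihood model (an assumption for illustration, not the article's figures):
# annual probability of exploitation for a weaponized flaw vs. one with no known exploitation.
BASE_LIKELIHOOD = {True: 0.30, False: 0.05}
STATUS_FACTOR = {"open": 1.0, "mitigated": 0.25, "patched": 0.0}
INTERNAL_FACTOR = 0.1   # not internet-facing: an attacker needs a foothold first

def annual_expected_loss(e: Exposure) -> float:
    """Likelihood x monetary business impact, rounded to cents."""
    likelihood = BASE_LIKELIHOOD[e.weaponized] * STATUS_FACTOR[e.status]
    if not e.internet_facing:
        likelihood *= INTERNAL_FACTOR
    return round(likelihood * sum(e.impact.values()), 2)

def rank_exposures(exposures):
    """Which combinations are most likely to hurt the business, highest first."""
    return sorted(exposures, key=annual_expected_loss, reverse=True)

def risk_reduction(e: Exposure, new_status: str) -> float:
    """Monetary risk removed by patching or mitigating this exposure."""
    return round(annual_expected_loss(e) - annual_expected_loss(replace(e, status=new_status)), 2)

def board_summary(exposures) -> dict:
    """Two numbers a board can act on: total exposure and where it concentrates."""
    ranked = rank_exposures(exposures)
    return {"total_expected_loss": round(sum(annual_expected_loss(e) for e in exposures), 2),
            "top_exposure": ranked[0].asset}

# Constructed sample data for the example
SAMPLE = [
    Exposure("customer-portal", "VULN-PLACEHOLDER-1", True, True, "open",
             {"churn": 400_000, "fines": 250_000, "lost_revenue": 600_000}),
    Exposure("hr-database", "VULN-PLACEHOLDER-2", False, False, "open", {"fines": 300_000}),
    Exposure("billing-batch", "VULN-PLACEHOLDER-3", True, False, "mitigated",
             {"lost_revenue": 2_000_000}),
]

if __name__ == "__main__":
    for e in rank_exposures(SAMPLE):
        print(f"{e.asset:16} {e.status:10} ${annual_expected_loss(e):>12,.0f}")
    print(board_summary(SAMPLE))
```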

The longer term view for security

For CISOs, the role of security is to prevent risk and stop data loss or interruptions to services that jeopardize the business. However, the old ways of delivering this cannot keep up with the current level of attacks. On the business side, reductions in spending and a focus on operational efficiency will affect how business teams consider risk and security. On the technology side, the growth in cloud-native innovation and AI has opened up more potential attack surfaces and changed how security teams keep pace with threat actors.

It is no longer enough to focus on making the business secure against all possible threats. Instead, we have to evolve our approach to de-risk the business as much as possible, so it can win. By prioritising the risks with the greatest potential business impact, we can demonstrate that security teams deliver effective risk management for the whole business, not just IT. This is a necessary change for CISOs who want to help the business, so rethink how you run your security program around risk.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.

Rich Seiersen is Chief Risk Technology Officer at Qualys.