“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” – Sun Tzu

I was in a meeting recently discussing a client’s approach to cloud security when the client astutely pointed out that organisations should be focussing on their business strategy first and then using technology – be it cloud-based or otherwise- to achieve it. I agreed, also pointing out the importance of security being regarded as a critical enabler of any digital business initiative. (See our previous blog post for some insights into security as a business enabler).

Spend vs Return

When it comes to cyber security, it’s a fact of life that there will always be a ‘flavour of the month’, be it cloud security or digital transformation or my own personal favourites at the moment; machine learning and artificial intelligence. You only need to look at some of the more prevalent hype cycles to understand the noise that Sun Tzu refers to in his famous quote!

One of the biggest challenges in setting out your business strategy undoubtedly begins with budget – specifically how to allocate it wisely. And this couldn’t be more relevant in relation to cyber security. It’s no coincidence that security spending is on the rise, year after year, when its profile has never been higher.

In fact, worldwide spending on information security products and services will reach more than $114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124 billion.

So, how do I ensure I’m maximising my investment?

This is a question we’re often asked by our clients. Here are some insights from the Digital Resilience team to help you spend your security budget in a cost-effective manner:

Security Capability Maturity Assessment

In assessing cyber security, it’s important to consider the controls and capabilities your business needs, given the nature of the industry, your business objectives, regulatory landscape, and risk profile. Rather than spending indiscriminately, this will guide you to addressing your key business risks appropriately.

Avoid Snake Oil!

Every year brings new must-haves being touted by vendors as the ‘next great solution’ to your security woes. But before investing in the latest technology, make sure you’re addressing the basics. That means addressing many of the elements of good cyber hygiene such as patching, access control, auditing and monitoring. As long as the basics are not in good shape, this is where any increased spending should be allocated first.

Buyer beware

Carry out thorough due diligence on potential partners or suppliers to ensure they have a good track record. Remember that many of the data breaches that make the headlines are actually due to a failure of controls on behalf of the supplier, rather than the organisation making the headlines itself. The same is also true when dealing with security consulting companies or solution providers. Your first port of call should be to check how much experience they have in this space, who their customers are, how much their customers use them and importantly, whether they’re aligned to your strategic business goals.

Gartner highlights that organisations are increasingly using outside help with security, in the form of consultants and managed service providers. That makes our last point especially relevant. With 2018 still fresh in our minds, here’s to a more secure 2019 for everyone.