By Steve Durbin, Managing Director, Information Security Forum
As we head into Cybersecurity Awareness Month and continue to emerge from the tight constraints of the global lockdown, organizations are reviewing the lasting impact of the pandemic and unsurprisingly this is resulting in tight fiscal control, with CFOs adopting a freeze-everything and spend-by-exception-only policy.
Is this the correct stance? My long-held position on this is that it will be a very short-sighted business leader who rows back on essential security spending at a time when cyber risk is more acute. Attacks are increasing, and many workforces are operating a hybrid approach to location: office, home, both, or still undecided.
A recent Sophos-commissioned survey of 5,000 IT managers across 26 countries reported that 51 percent of organizations had been hit by ransomware attacks in the last 12 months, with the criminals encrypting data in 73 percent of those cases. The most successful attacks were on data held in public clouds. So, the need for security is clear.
But how do you quantify the impact of an attack, and perhaps more importantly, how do you justify a commitment to spend much in-demand budget on a hard-to-quantify risk?
I expect security budgets to continue to come under intense scrutiny, discretionary spending to practically disappear, and for CFOs to insist on thorough, demonstrable return on investment models before giving reluctant approval.
So where are budgets headed? Certainly, only in the direction where the cost can be justified as mission critical and where a return on investment case can be made. Expect to see an increase in contractor hires, outsourcing service contracts where prices are keenly monitored and adjusted regularly, freezing of non-essential contracts such as training, non-essential travel becoming non-existent, and unfortunately, the inevitable layoffs with associated pressure on salaries across the sector.
Will this be a short-term reaction? I hope so.
I also believe that it will provide a realignment of spending into areas where real value is derived. All too often we have seen enormous software implementations without regard for security by design. Well, in a world where cyberattack is another cost of doing business, and where the pandemic has encouraged an accelerated move to digital transactions across all sectors, security is no longer just a nice-to-have. It is a core component of any software purchase.
Making your case
Security leaders will need to learn the language of the business to explain the relation between necessary spending and key performance indicators, alignment with strategy, and cost-saving initiatives.
As cutbacks continue, effective management of resources will be key, but not at the cost of making organizations vulnerable to attack or reputational damage.
Risk management is now top of mind as organizations continue to tighten their belts, and investments are targeted to areas that can add to the bottom line. Security needs to demonstrate it is ready and able to be a core component in rebuilding a more secure and prosperous economy.
About Steve Durbin
Steve Durbin is the Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments. He is a frequent speaker and commentator on technology and security issues.
Steve has served as a Digital 50 advisory committee member in the United States, a body established to improve the talent pool for Fortune 500 boards around cybersecurity and information governance, and he has been ranked as one of the top 10 individuals shaping the way that organizations and leaders approach information security careers. He has also recently been featured on the top 20 most influential list of leaders whose companies have a vision that shapes the conceptual landscape of their respective industries.
Steve is a Chartered Marketer, a Fellow of the Chartered Institute of Marketing and a visiting lecturer at Henley Business School where he speaks on the role of the Board in Cybersecurity.