One of the most interesting conversation starters for a consultant is when a client tells you, “We want to be as secure as a bank.” Assuming the organization isn’t in the business of providing financial services, a good consultant will always reply with, “Why?”
It sounds reasonable to aim for bank-level security, right? We know that banks secure a lot of personal and financial information, and they typically develop increasingly sophisticated ways to manage cybersecurity investment and risks.
But here’s the rub: Most organizations will struggle to justify the same level of security spending as a banking institution.
Develop Your Cybersecurity Road Map
Security practitioners use a variety of tools to assess the current and target states of an organization’s cybersecurity position. Often, we use risk as a starting point: What’s your current risk — and what residual risk is your organization prepared to accept? The difference between these two states will drive your cybersecurity road map.
Other times, we assess capability: How well-developed and consistent are your cybersecurity practices, and how well do they enable the security outcomes your organization expects? Look at the intersection of business goals, technical constraints and availability of resources.
Maturity assessments help you understand your company’s gaps in these areas. Sometimes they reveal cybersecurity investment in capabilities that don’t support business goals; in that case, it’s better to redirect those resources to initiatives that will have a more significant impact on risk mitigation.
Whichever method you use, one of the outcomes will be to develop a business case for your security road map. A major challenge for organizations is to think of cybersecurity in a strategic rather than reactive manner.
This adjustment can be tackled by asking the following questions:
- How do you formulate a target cybersecurity state for your organization?
- How can the case for change be developed cost-effectively?
- Which business benefits justify the cost?
Once you know the answers to these questions, you’ll begin to understand where your organization’s priorities lie, which will help guide your investment decisions.