The challenge of managing unlimited threats in a limited budget: cyber security experts comment

BrandPost By Rapid7
Aug 14, 2023 | 5 mins
Cybercrime, Storage Security

Get ahead of the curve and understand the threat landscape. Download the 2023 Vulnerability Intelligence Report here.

It's an evergreen issue for CISOs: how to keep the business safe and work within fixed budgets while facing an ever-increasing variety of threats. A panel of security experts was asked how they manage this conflict.

The cyber security industry needs better ways to demonstrate its value to the business, according to Raj Samani, Chief Scientist at Rapid7. A lack of established operational metrics that judge how well cyber security measures work makes justifying value difficult.

When you can’t easily measure the return on investment for something as basic and long-established as anti-virus software, Samani argues there’s a real need to quantify the broader value of cyber security, rather than only talking about its cost.

Shanna Daly, Principal Consultant at Cosive, also commented on the security industry's "Y2K problem": when cyber risk doesn't visibly translate into a disaster, businesses presume the problem has been overhyped, or simply that it's already been solved. This can result in downward pressure on cyber security budgets, when in fact the cyber security threat landscape continues to grow in size and complexity.

In the current economic climate, finding the right balance between cost efficiency and data security is challenging. Varun Acharya, CISO at Healthscope, said the first step is for businesses to understand that data is at the core of their business, not just a result of it.

Acharya’s views underscore the crucial relationship between business strategy and cyber security. It’s not enough to consider cyber security as a series of technical challenges; it has to be integrated into the business strategy, right from how data is processed to when and how it can be purged once it's no longer needed.

Cyber security as an essential business process

James Turner, Founder of CISO Lens, argues that businesses need to stop seeing cyber security as a purely technical issue. Instead, it should be seen as a part of managing business risks. In his view, CIOs should report to the CISO, because managing security risk is vital to doing business.

Turner’s stance reinforces the need for a structural change in how businesses handle cyber security. As long as security is seen as merely a technical problem instead of a business risk, companies will always be playing catch-up. A shift in mindset is needed across the rest of the C-Suite, to see cyber security as a core business function.

Building trust through cyber security

According to Rapid7's Samani, trust in the digital age depends on strong cyber security and privacy measures.

If a business experiences a security breach, it stands to lose the trust of its customers - a proportion of whom will depart and never come back to the business.

That’s why roles like the Chief Trust Officer are becoming more common, as businesses look to strengthen their reputation and maintain customer trust through strong cyber security measures.

As with everything in life, communication is critical

Good communication is crucial in any situation, and cyber security is no exception. Shanna Daly, Principal Consultant at Cosive, highlighted the importance of security teams bringing solutions to the table, not just problems.

She stressed that for security measures to align with overall business goals, the security team needs to be seen as an ally and a helpful provider of solutions, rather than the team that always says 'no' to everything.

By improving communication, businesses can ensure their security teams are not just viewed as a cost centre, but an integral part of the business process. The end result should be that security is embedded into projects early, rather than at the last minute when it's practically too late to create a secure architecture.

Celebrating success in the industry

Despite the challenge of cyber security, there are plenty of positives to celebrate. One of the highlights mentioned by Rapid7's Samani is the industry’s growing willingness to collaborate and share information. From open-source initiatives to sharing intelligence about threat groups, the industry is becoming far more open and collaborative than it was in the past.

Likewise, CISO Lens's James Turner pointed to increased diversity within the cyber security workforce and the increased frequency of the government reaching out to industry for advice and collaboration on cyber issues as positives.

Healthscope CISO Varun Acharya noted the growing awareness of cyber security’s importance among business leaders.

Cosive's Shanna Daly emphasised the explosion in career opportunities, due to increased visibility across the business and the ongoing skills shortage. She points out that virtually any past job or career has valuable skills that can be translated into the security space, creating opportunities for people to reskill to meet the demand.

Rapid evolution

The bottom-line message from the panel discussion was that the cyber security industry is evolving rapidly on a positive trajectory. While challenges around funding and integration remain, it’s also making significant strides forward. Increasingly, businesses are recognising the need to embed cyber security at the heart of their strategy, and cyber security teams are promoting better communication, collaboration, and diversity.
