When I think about all of the people involved in managing risk and making security decisions in an organization these days, the guy who may now have the toughest role is the CFO. For the rest of us, investing in security technology looks like it should be a relatively easy decision: “Yes, we must have it.” But the CFO has to balance the investment in IT security against so many other things, constantly weighing the cost of managing cyber risk against all of the other costs of doing business. And, more recently, the personal stakes have gone up tremendously as senior executives and Board members are facing lawsuits and potential termination as a result of high profile breaches that damage the company reputation and affect shareholder and customer trust.
In my opinion, those of us in the security industry may not be helping reduce risk for CFOs with the plethora of point solution offerings. Most of these point products are overpriced, overly complex and don’t act in unison. According to a 451 Research report last year titled The Real Cost of Security, “Given the 10 most recommended technologies and the pricing range, an organization could expect to spend anywhere from $225,000 to $1.46m in its first year, including technology and staff.” Considering the costs related to security, it’s no wonder that the CFO might struggle a bit when it comes to investing in this part of the business, even if he or she is fully cognizant of existing threats and the need to protect the company’s assets.
Like it or not, because cyber threats seem to be increasing in scale, scope and frequency, investing in IT security is not a decision that can be put off until next quarter or next year. And if you’re the CFO of a small or mid-size company, you can’t use your company’s size as an excuse to put off this investment; in days past, maybe, but now the bad guys are coming for YOU. Sure, Target, eBay, and other breaches in the news remind us that big enterprises continue to be in the crosshairs of cyber criminals. But, according to the 2014 Symantec Internet Security Threat Report, 30 percent of all targeted attacks in 2013 were aimed at businesses with 1-250 employees; that number goes up to 41 percent if you factor in attacks against businesses of 251-500 employees.
CFOs, I know you care about protecting your organization not just from financial peril, but also from fraud, identity, and intellectual property theft. I know you care about your company’s reputation, and about meeting all of the compliance regulations that your business might be subject to. As you determine what the balance of investment and staffing in security should be versus other business costs, keep these two words in mind: Unified security. By unifying the IT security controls you already have in place—or by insisting that any new security products are unified from the get-go—you’ll get far more out of your existing investments because of the rich contextual threat data the unified controls will provide.
A unified approach to security is necessary because the security game has changed. It’s not just about best-in-breed point solutions promising ‘security intelligence’ anymore; it’s about achieving the higher intelligence that can come from the right combination of protective, detective and response controls all talking to each other to provide a correlated view of what’s happening across your organization, and the guidance to address any security breaches or vulnerabilities.
Good security isn't just about best-in-breed point solutions promising ‘security intelligence’ anymore; it’s about achieving the higher intelligence that can come from the right combination of protective, detective and response controls all talking to each other to provide a correlated view of what’s happening across your organization.
When the people in your organization responsible for security come to you asking for the necessary financial and people resources, here’s a simple checklist of questions you should ask them if you really want to make a good business decision and not succumb to the latest security technology hype:
- What security product(s) are we already relying on?
- If we have one or more security products in place, are they talking to each other? Do we have a comprehensive view of the information these products are collecting? Do we understand what they are collectively telling us?
- What are the gaps in our security posture that we need to fill? As we bring in new products, how easy will they be to integrate with our other security controls?
- How are we monitoring all of our security controls to keep track of any threats coming into the organization? How long does it typically take us to detect and respond to a threat?
- How often are our security systems updated with the latest global threat intelligence?
As the CFO of your organization, it’s your role to challenge any big spend and understand exactly what your organization is going to get in return for your precious dollars. It’s also your job to care about risk to the business. By asking these questions of your security or IT team—even if they are redundant to the questions they are asking themselves as they evaluate security products or services—you can help them stay true to the decision criteria they should be employing before making the purchase. And here’s the best news, especially for mid-size businesses who may not have already invested in all the IT security controls that large enterprises typically have: It’s actually less expensive to start with a unified security management solution – from both a technology and a resource perspective. Most large enterprises that I know wish they could just start over with their security program today, rather than integrate all the technologies they have in place. Don’t fall into the same trap. A unified approach to security is the smart way to invest in this critical business need.
Learn more about our unified approach to security: