How to invest wisely in cyber-security

Welcome to the final article in our series on strategic cyber-security planning. As ever, there’s an accompanying masterclass video produced by Business Reporter, and we’ll be kicking things off with another misconception from the world of cyber-security.

Unlike some of the previous examples, which mostly come from a lack of understanding, this misconception is one that’s actively and knowingly perpetuated. The majority of people believe that spending equals security, and that only the newest security products can counter the latest threats.

Why? This myth’s origins are far from mysterious. It’s the direct result of years of concerted sales and marketing efforts from security product vendors. And when the global cost of cyber-crime is 100x that of cyber-security investment, it’s easy to see how businesses get sucked in.

Once again, we’ll be drawing on Mo Ahddoud’s 25 years of experience in the cyber-security industry to examine this misconception, debunk it, and show you how to invest wisely in cyber-security. You might be surprised at what the recommendations are!

As ever, if you want to learn more about the topics covered in this series and receive actionable advice to improve your own cyber-security outlook, you can download our free guide linked at the end of the article.

Determine clear outcomes for your investment

In the previous articles, we’ve looked at why your business needs a cyber-security strategy and how to create one. A key part of that process is understanding what you’re trying to achieve—the end-state where your organisation is secure enough for the level of risk you’re comfortable with.

Remember: you can’t prevent every single threat your business faces. Typically, all you can do is mitigate the most serious ones and put a plan in place to recover quickly from any incidents.

Still, your aims should reflect the nature of your business. Some assets will be more critical than others and the outcomes you set for your cyber-security investment should reflect the areas of greatest importance for your business.

Review your existing capabilities

Many companies have invested in security tools without a focus on measuring the outcomes they’re looking to achieve. This means that they end up with tools that aren’t being used as intended, to their full potential, or for the aims of the business.

That’s why part of our assessment of any business is a review of their existing investments. We determine whether these are being utilised to meet the organisation’s goals. All too often, a cyber-security ‘strategy’ at a business that doesn’t fully understand its aims consists of simply spending money on new tools year after year.

Investment alone doesn’t offer protection. Hackers won’t care about the size of your security budget if none of the tools are properly configured or protecting the right assets.

New tools are rarely the answer

It’s far from unusual to find that organisations aren’t using their tools fully or correctly. This gives us the opportunity to help companies understand the capabilities they have with their existing tools and whether those can meet the organisation’s needs.

Every so often, the answer is that no, nothing present can deliver what we need right now. But it’s usually the case that with greater understanding, a bit of time, and perhaps just a small additional investment, we can deliver appropriate protection inexpensively with the tools already in place.

See what your digital services offer

One overlooked area is that many of the components of digital transformation—technologies like SaaS offerings and cloud—come with in-built security functions. These can provide a perfectly good level of protection if correctly configured or optimised.

In some cases, it may simply be a case of enabling the embedded security features within these services. That could be all it takes to protect your business!

Measure performance

However we get there, whether it’s through making better use of existing systems, enabling features from other services, or investing in new products, eventually we will have the right tools for the job. So what then?

Remember that we started with outcomes, and that throughout this series, we’ve reiterated that security strategies are live documents. Plenty of companies have invested in people and processes without being invested in the outcomes.

That buy-in to really achieve those aims means measuring the performance of these tools and continuing to improve how they’re optimised for your business.

Don’t believe the hype

The cyber-security market is driven by sales and marketing spreading fear, uncertainty, and doubt for the sake of sales. But throwing money at the problem almost never solves it.

The key is to understand your organisation’s desired outcomes and whether your investments can provide them. More often than not, the answer is right under your nose!

At Chameleon Cyber Consultants, we pride ourselves on recommending only what our clients need instead of pitching expensive new tools. We do this by understanding business needs and goals first, and you should follow the same approach.

This article wraps up our series on strategic planning, so keep an eye out for the next topic and don’t forget to download our free guide now for practical tips to secure your organisation.