Budgeting for Cyber Security post-COVID: Three Golden Rules for the C-Suite
This is not just about tech, and there is no tech silver bullet which can buy you cyber resilience
The COVID crisis is presenting most businesses with unprecedented situations – for good, bad or worse. Uncertainty still dominates but the recession ahead is likely to be deep and could be protracted. Millions of people have already lost their jobs across the world, and many organisations are bracing for further significant spending cuts, in the face of a dwindling economic activity. Even in thriving sectors, budgetary caution seems to be the norm amongst C-level executives.
One thing the pandemic has not pushed off the radar, is cyber security. As a matter of fact, the volume of cyber-attacks increased to “alarming levels” according to Interpol during the heart of the crisis. For businesses now totally dependent on remote working, e-commerce or digital supply chains, a serious security breach is the last thing they want…
CEOs, CFOs and CIOs should not jump to ready-made conclusions around cyber security ahead of their next budgeting round. Here are three golden rules for them to consider as they plan ahead.
Think carefully before making drastic arbitrary cuts around cyber security
Consider carefully and without complacency your actual level of cyber security maturity, and the level of digital dependency the COVID crisis has brought upon you.
Look at the bigger picture: Only serious defence-in-depth can guarantee you a degree of cyber resilience. That means the actual application of protective measures at preventative, detective, mitigative and reactive levels. Doing pen tests every now and then and sending awareness emails to the staff twice a year – while probably better than not doing anything at all – does not constitute a security practice.
Do not ignore your degree of dependency on third-party business partners or cloud service providers, and the implied degree of trust you are placing on the solidity of THEIR cyber defences. How much do you really know of what they are actually doing to protect your data or your processes?
If you don’t think you are in a good place on those matters, now is not the time to cut cyber security spending to the ground.
Focus budgeting on the protection of key assets
Equally, now is not the time to try to solve all the problems you may have around cyber security: You need to identify your key assets and focus efforts on those, whatever they might be: Systems, business processes, business units or geographies.
Focus on clear, simple, tangible, affordable and measurable tasks with a short to mid-term horizon. Now is not the time to engage in multi-year projects, which the general economic uncertainty is likely to affect or kill.
Focus budgeting on areas where you know you can execute
Finally, now is not the time for large-scale and complex pet-projects: Ignore the sirens from the tech industry – there are countless vendors out there with their own “silver bullet” to solve all your problems – and focus on areas where you have the skills to deliver and know you can execute: It’s only the actual implementation of protective measures, across the real breadth and depth of the enterprise, which will protect your business. Not snake oil and false promises.
And limit the complexity of what you are trying to achieve to a level your teams can manage and absorb. Consider carefully the dependencies between the security tasks you are undertaking and the cross-silos implications amongst stakeholders: You may need the involvement of HR, legal, procurement or business executives depending on what you are trying to achieve (for example around identity management, or data privacy compliance). Make sure the priorities are clear for them too.
Fundamentally, remember: This is not just about tech, and there is no tech silver bullet which can buy you cyber resilience – irrespective of what countless vendors would like you to believe. It can only come through concerted action at people, process and technology levels, and the real execution of protective measures.