Higher overall budgets
In our experience from customer interactions: yes, budgets are limited, as almost everywhere in a company. And having “more budget” only partially solves the problem. Today, security budgets are often handled as part of the IT cost, which creates a trade-off between investments in operations and investments in security. In our customer discussions we often recommend following a risk-based approach to get a pragmatic view of which measures will improve security overall; these can be organizational and technical. From that, a roadmap can be derived and budgets allocated accordingly. Having a clear roadmap and being able to argue how it will increase security can lead to approval of additional measures, as management often already has the awareness that “something” must be done and therefore can be convinced on the “what”.
Better working models
The discussion of new working models goes across the whole sector. With the influence of talent shortage and, even more critical, talent loss (people leaving their positions in security), it is a question that has to be actively raised. In security there are parts of the work that typically require being on site at least part of the time. Now the other side, working away from the site, is being considered as well. Two underlying questions have to be taken into account:
- How can such a model be set up so that not everyone has to be on site all the time?
- How can weekends and holiday seasons be handled when someone is still required to be available part of the time (thinking of incident handling etc.)?
Our hint, even for cybersecurity experts: security in the home office has to be considered as well, e.g. via multifactor authentication and secure password rules, supported for example by a pen test of the VPN environment.
Risk influence reduction
So far, one path to reducing the influence of risk was taking out a cybersecurity insurance policy. On the one hand this can outsource the risk in terms of cost, but it has become harder to find coverage at a reasonable price. On the other hand, risk influence reduction should be seen as a challenge for the organizational and technical measures within the company. From segmentation to 24/7 monitoring, potentially with an external partner, it is all about detecting early, reacting fast and limiting the impact. Also, several endpoint security providers (EDR / XDR) offer no-attack guarantees when using their solutions (backed, of course, by an insurance). With our customers we often discuss whether an insurance is the way to go. Well, yes, it is one element, but it does not relieve the people responsible of looking at the risk and trying to reduce it.
Higher work recognition
We have the impression that the recognition of work, especially in security, is one element that has not received the attention it deserves. Two views on this area:
- There are not many positions in companies that carry a personal career risk if something happens that you perhaps cannot even really influence. If a company faces a ransomware attack, maybe the team did everything they could to prevent it and it still happened; as we all know, there is no such thing as 100% security. As the community in security is small, the risk for the team is that this sticks with them in future applications, and we as a community have to make sure that we take a differentiated view on it.
- Cybersecurity is one of the areas where it is hard to be “good”. If nothing happens, maybe the team was good at preventing risks, or maybe it was just lucky that no one tried hard enough. Again, if something happens, the immediate pressure is high since the future of the company is on the line. So how can we show others in our own organization what “success” is and appreciate the team for their hard work?
We have had good experiences with close integration into the internal and external cyber community, including attendance at trade fairs, and with looking at security educational programs as an incentive.
We at CyberCompare see ourselves as contributing to all four of these points: by analyzing the status quo and providing a comprehensive report that shows fields of action and priorities. Many of our customers use our report to create awareness at top management level. Also, through our offer comparisons and tenders, companies in many cases save significant budgets. Comparing offers saves not only costs but also resources, which enables many of our customers to better implement their roadmap and gives employees the opportunity to focus on their important issues. We regularly see the “classical” +20% or +30% additional cost when comparing offers based on the same specification. However, sometimes we even see a factor of 2 to 3, which clearly shows the need for a transparent and independent comparison process.
Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based on our knowledge at the time it was written, but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.