Balancing Cybersecurity and Business Pressures

Small businesses create two-thirds of net new jobs and drive the innovation and competitiveness behind 44 percent of U.S. economic activity (SBA Office of Advocacy, 2019). Yet according to the 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, nearly 9 in 10 (88 percent) U.S. respondents said they spend less than 20 percent of their overall IT budget on security, and nearly 70 percent of SMBs reported experiencing a cyberattack. Behind these numbers sit two misconceptions that lead organizations to prioritize their security investments incorrectly.

Some organizations believe that spending more will improve security and reduce their susceptibility to attacks. Throwing money at the problem might improve security, but it does not do so reliably. The goal should be to invest properly in the people, processes, and technology that reduce risk and keep it at an acceptable level. No amount of security spending guarantees that a breach will never occur, but spending the bare minimum (or nothing at all) makes it far more likely that the controls and procedures needed to contain a breach and remediate it will be ineffective or will not exist.

Other organizations believe that prioritizing compliance will make them more secure. These organizations design their corporate security programs with regulatory compliance as the highest priority, so security concerns above and beyond compliance fail to compete with the other business priorities demanding the organization's attention and resources. The number of "compliant" organizations that have suffered data breaches in the past few years shows the problem with making compliance the highest priority. More organizations should adopt the perspective, which Malcolm Harkins and others have argued consistently for years, that "compliance is the residue of good security." Again, investing in and prioritizing security will not guarantee that a breach never happens. The right investment and prioritization will improve the response and reduce the impact of a breach when it occurs.

How should organizations balance investing in security people, processes, and technology to protect operations against sustaining and expanding operations to generate the revenue those security investments require? There is no easy answer; it truly is a balancing act. Ideally, security should become so integrated into the fabric of the organization that business decisions are security decisions. Then, as organizations develop strategies for addressing business pressures and growth, they will also consider the security requirements for executing those strategies successfully. This produces much better outcomes than throwing money at the security problem aimlessly or chasing compliance with every regulatory framework facing the business.

HT: Thanks to Malcolm Harkins and Blake Holman for helping to improve upon the original article.

This is an abbreviated version of the full content posted at CLASS-LLC. Thanks for reading, thanks for sharing, and thanks for contributing to the conversation.