When it comes to how cyber-security issues are prioritised within your business, it's important that your sales manager, marketing manager or CFO are intimately involved. Why? Because your cyber-security strategy is a business issue, not just an IT one, and your IT department is not always best placed to make those decisions or calls on its own.
If you are like most enterprise IT shops I know, you have limited resources which need to be spread across competing projects. How do you prioritise these? Do you roll out the new financial package demanded by the CFO, work on the next feature release for the product team, undertake the IT refresh your end-users have been demanding, or divert resource to make sure your cyber-security posture is adequate? Another way of looking at this is: do you protect what you have, or focus on future value?
The old sales adage is that it costs five times more to find a new customer than to keep an existing one. If you store private customer information, or your brand reputation is at risk from some sort of cyber-breach, then it seems pretty clear to me where I would be putting my focus. That's why cyber-security should be on the board or senior management agenda – it's unfair for the IT department to make these calls alone. I can perhaps hear a few CIOs and IT Managers breathe a sigh of relief. The other good news is that if you analyse the potential cost of a cyber-security breach in terms of lost revenue, brand reputation, lost productivity or other strategic measures, you may be able to move some of the security-related tasks you have on the back burner up the priority list, and even obtain additional budget.
The business case for cyber-security is always difficult: it's hard to prove that you stopped something from happening, and therefore hard to demonstrate the value you provide as some sort of return on investment. The obvious analogy is insurance: how much can you afford to lose by not investing in some sort of protection? If you are a business that operates on-line, then the real value is in the level of trust your customers have in dealing with you versus your less trusted competitor.
You should aim for a level of security that is appropriate for you: identify what matters most to you as an organisation and focus on protecting that. You might be surprised what your most critical systems or assets turn out to be when you take a closer look. It might be your brand reputation, your customer base or your ability to perform a specific task.
What happens if that critical function stops – what are you willing to pay to get it back? Answering that question may put a new perspective on how you prioritise security-related initiatives in your business.