Synchronising company goals and security essentials

From a low starting point, every business has seen its annual spend or investment in technology and potentially security increase over the last ten years.  The COVID-19 threat has in many cases spiked that spend still further as home/remote working solutions changed the operational requirements of the office.  Now as businesses re-evaluate operational models and potentially question their reasons for existing at all, the drive to cut back on costs is mounting. In that sense, the cost of tech and security has become a major focus.  

In an effort to manage costs and ensure that business and security priorities are aligned, many companies are looking to automate significant portions of their cyber functionality by putting digitised cyber risk management processes in place to ensure they match up to the organisation’s top-line operational and business strategies.  

Many businesses miss the concept of business-driven risks, this is the misunderstanding of the connection between change and the consequences of change.  As companies invested in technology and connectivity the perception of value far outweighed the realisation of the additional risks this created.  COVID-19 has brought into focus the disconnect between the value of technology and the cyber risks that come with adoption.  The objectives of the business need to go hand-in-hand with the viewpoint of the cybersecurity team and that is not the case at many organisations. The identification of these risk scenarios should be led by the business.  

The planning/implementation process would be much more effective if it were driven by a model that enables businesses to better understand the impact of security controls on those risk scenarios.  Many companies do not have that insight, often IT providers are too busy selling the benefits of a system or product to fully explain the knock-on effects of security and associated risk/costs.  This creates a challenge to formulate a fluid ongoing relationship between the controls and the business.  We in the cyber community, try to plan for worst-case scenarios, but many incidents happen in relative obscurity and are not earth-shattering, let alone business-shattering.  

We see many companies working to embed security, not only within the second line of defence but within the more operationally focused first line as well as the audit-driven third line. Large organisations have spent, over the last 10 to 15 years, big money on IT security, smaller/medium-sized companies are in many cases still exposed.  The pandemic has demonstrated the increasing role of cybersecurity in the new reality, but there is now a need to deliver that role without raising the cost.  This requires a new risk-based model focused on lowering costs through an automated approach to security and putting the right people in the right roles. 

To facilitate a risk-based model, businesses need to think holistically about where to invest.  Consider what risk scenarios need to be in place, and what controls are most relevant. Whatever plans companies had for digital transformation before the pandemic, they’re now understanding a need to accelerate these in the new reality, while also worrying about the cost pressures.  

Security costs are driven by man-hours and product development, by utilising automation companies can stay ahead of the business risk whilst aligning the cost targets with revised COIVD-19 constraints.  Using automated cyber and risk management processes, many incidents would be quite easily detected if security policies and controls were embedded in the business.  This means companies integrating cybersecurity across all three lines of defence, rather than operating in silos. Leverage threat intelligence from across multiple functions such as fraud and financial crime, and integrate responses and tooling to react at speed to the changing cyber threat landscape and patterns of attack. Make security an end-to-end priority.  

The first action is to establish an ongoing dialogue between the security provider (be it in house or external) and the rest of the enterprise to ensure security is in sync with the business in terms of strategic and operational planning.  To that end, implement engineering approaches — such as secure by design and privacy by design — that are intended to introduce security into the daily mindset of the DevOps team as they craft new applications and services.  

Ultimately, the aim is to see cybersecurity professionals move away from being perceived as an IT-driven function and more aligned with the business objectives.  As such, the cyber team needs to be business-led and business-aware. 

At Melius we have developed MELCaaS our automated cybersecurity product that can be tailored to your organisation, we believe it is the best in class for cost solution on the market today, to find out more please visit our website: