Cyber security is big business: In 2022, businesses spent 9.9% of their IT budgets on it, according to one recent estimate. That level of expenditure looks set to grow. Analyst firm Gartner expects global corporate security and risk management spending to increase by over 11% during 2023.
But here’s the irony: Why are those very same businesses continuing to fall victim to ever more malicious attacks? Ransomware attacks can lock businesses out of their corporate IT systems unless they pay a hefty ransom. Or intellectual property thefts, which see technology, product formulations, and other sensitive corporate data stolen with seeming impunity.
Rightly, many boards of directors are worried. Financial loss and reputational damage could hit at any moment. A potential apocalypse lurks around every corner—it just needs one employee to open one malicious email or click on one malicious link.
Yet businesses themselves are not without blame. Again and again, they’re shown to have contributed to their own downfall. The lessons of experience are that businesses ignore security warnings, invest too little in cyber security measures, and trust that apocalypse can be averted through good fortune.
And, as with the fabled four horsemen of the apocalypse, four distinct corporate behaviours contribute to this self-inflicted heightened vulnerability. Our view, at Quod Orbis: eliminate these, and the average business’s cyber security posture would undergo a significant improvement.
Arrogance, for instance, is rife in many businesses. Yes, goes the thinking, cyber security threats exist and are out there. But they happen to other businesses, and the chances of actually experiencing a security breach are minimal. “It won’t happen to us,” in other words. Frequently, this arrogance is also accompanied by a failure to appreciate the nature and scope of the threats faced by the business.
Our view: counter this false sense of security with cold, hard facts. Facts contained in the personalised and role-based reports produced by the latest generation of continuous controls monitoring tools. If there are weaknesses and active threats, these reports will highlight them.
Miserliness is another frequently encountered behaviour. Simply put, when it comes to cyber security, businesses are prone to spend too little, too late. Investing in other areas of the business always seems to take precedence: cyber security is important—”but surely we’ve spent enough on it already?”
Our view: Again, let the facts speak for themselves. If budgets really are tight, a continuous controls monitoring solution will identify where additional investments will deliver the greatest cyber security impact. In other words, where the biggest holes exist. These holes can then be prioritised for plugging.
Myopia is yet another problem. Instead of patching security vulnerabilities, many businesses choose to focus their IT teams on delivering services, and ‘keeping the lights on’. These are of course, understandable priorities. Somehow dealing with those security vulnerabilities never seems to reach the top of the ‘to do’ list. The almost inevitable outcome: one day, one of those vulnerabilities will succumb to an active threat.
Our view: What should businesses do instead? Many of those ‘keeping the lights on’ activities have hidden security dimensions—passwords, two-factor authentication, encryption, etc. With improved visibility right across the cyber security estate, much of this hidden security agenda either disappears or can be carried out more efficiently. The result: freed-up IT resources that can be assigned to higher-value tasks with a greater bottom-line impact.
Finally, the fourth behaviour to be avoided is aimlessness. Again and again, businesses take ad hoc approaches to security incidents and security management decisions. Again, it’s a behaviour that is understandable but which has consequences. These usually come in the form of actions and responses that are less than wholly effective and not as strategic as might be desired.
Our view: A properly integrated and holistic security perspective right across the entire cyber security estate is needed. This is the sort of viewpoint that is generated by a modern continuous controls monitoring tool. It can help initiate standardising decision-making, and incident responses become straightforward. The result: reduced cost, improved and more effective incident responses, and a cyber security landscape that is more closely aligned to how the rest of the business responds to agendas such as risk, audit, and compliance.
Why is this important?
But knowing how these various behaviours might be overcome is not enough. What businesses also want to know is why these behaviours should be overcome. And again, our view is clear.
- Improved cyber security through deploying the latest generation of continuous controls monitoring capabilities makes sound commercial sense.
- Reputational risks are always best avoided.
- In today’s interconnected world, any large business is a part of other large businesses’ supply chains—and, therefore, is required to be a safe and secure partner.
- Securing valuable corporate data is obviously good sense, especially since the advent of GDPR.
But most of all, it makes sense because continuous controls monitoring is a true game-changer. Forget the incremental improvement in cyber security seen with traditional tools: continuous controls monitoring transforms the art of the possible, providing an end-to-end view of security status across the enterprise. A view that is truly unconstrained by traditional limits: any control, any data source, and any security framework.
Quod Orbis reduces exposure to cyber risk and maximises security performance through automated, highly visible monitoring and auditing of controls. This drives better risk investment decisions at the enterprise level.