Although data breaches now cost large organisations between £1.46 million and £3.14 million, security budgets remain static: a new Information Security Breaches Survey (ISBS) reveals that only 46% of large organisations expect their information security spending to increase in the coming year.
It appears that many CISOs still struggle to articulate the value of their information security programmes when attempting to justify the security budget to their executive teams.
This problem is further borne out by a survey highlighting that CISOs are viewed by the board as poor communicators who struggle to translate the benefits of information security into real business terms.
There is a clear disconnect between the breadth and depth of information being sought by the board, and the information being offered by the CISO.
Anyone in the information security field will agree that it is challenging to quantify an information security strategy’s ROI, and difficult to estimate the exact cost of a specific breach incident. It is important to note, however, that most ROI and risk questioning tends to cease when a real data breach occurs.
But how do you know whether you are protected against an attack, or, at the very least, protected from the most damaging consequences after an attack?
As one cyber security expert put it, “most of us have no clue as to when the next attack is going to hit — we’re just hoping what we have in place now is going to be sufficient to keep it from occurring”.
Being able to provide the right level of information about cyber security, and what this means to the business, is the crucial part. Without the facts, your plan means nothing.
It is concerning, then, that 32% of companies in the ISBS survey hadn’t carried out any form of security risk assessment. A full risk assessment of a company’s critical infrastructure vulnerabilities forms the basis of any business case, and should provide a detailed breakdown of the current gaps and what needs to be done (and how much it will cost) to address those gaps.
vsRisk™ is a specially formulated risk assessment software that is aligned with the international information security standard, ISO 27001:2013, and enables the risk assessor to conduct a risk assessment much faster, and without the associated consultancy expenses. The software produces six reports that can be used to illustrate the full range of risks and the associated controls implemented, and helps to facilitate compliance with ISO 27001.
The ISBS also highlights that 26% of organisations don’t evaluate how effective their security expenditure is.
In addition to the security risk assessment, results from vulnerability scans, intrusion attempts and penetration tests should be summarised to provide a high-level overview. This should be accompanied by information regarding the strength of security controls and the level, nature and source of any penetrations.
NASCIO recommends the following items be included in the development of a security business case:
- Risk assessment
- Security planning and policy
- Certification and accreditation
- Specific security controls
- Authentication or cryptographic applications
- Education, awareness and training
- System reviews/evaluations
- Contractor reviews, inspections, audits and other evaluations
- Privacy impact assessments
- Enterprise architecture
- Oversight or compliance inspections
- Development or maintenance of agency reports and corrective action plans
- Contingency planning and testing
- Physical and environmental controls for hardware and software
- Auditing and monitoring
- Computer security investigations and forensics
- Physical security for facilities and access controls
Without a clear and evolving business case, combined with an effective presentation of the facts, the company will always fall short of adequately addressing the actual security risks it faces. And, in the end, the CISO will be blamed for not investing in the appropriate solutions.