When companies average a cyberattack per month that costs them about $3.5 million per year in recovery costs, it’s safe to say that businesses are looking to reduce those costs.  The information provided by the Ponemon Institute report, External Threats: Security Beyond The Perimeter, also reveals the challenges businesses are facing in doing this.

 

The problem is essentially the same as it was last year and the year before: businesses struggle to obtain the expertise, technology and services needed to address attacks and threats to their enterprise. However, this particular study takes a different approach to getting to the source of the problem, which essentially revolves around the business versus security mindset.

When security and risk management vendors are thinking about security technology and services positioning, they do it with the objective of solving security problems.  This is to be expected since that’s the industry they’re in, but when you come at it from a business perspective it’s a different story.

 

A company’s objectives include things like expanding into new global markets, minimizing non-compliance with laws, or protecting intellectual property. These objectives have one thing in common: running a successful business. But nowhere do we find the connection with running a successful information security program. This is where the disconnect arises for businesses and security. It seems on the surface that business growth and security are not related.

The communication gap on this topic is something everyone in the security industry knows about, and attempts are being made to overcome the barrier in order to help businesses become secure, protect their data, and grow. The CIO has gotten an earful about tying business success to security measures when talking to the board, and about showing the costs of a breach alongside the reduced costs that are possible when security is implemented holistically, so that executives can see the connection.

 

Coming at security from a business angle is something that is being done, but from this study it seems that neither businesses nor security vendors have arrived at a sweet spot just yet.

  • From a business owner’s perspective, it could be that they’re being bombarded with breach news and vulnerability stories, but the stories aren’t really showing them how that affects business growth. At the same time, everyone has seen how a breach affected Target.
  • From a security professional’s perspective, it could be that there’s not enough news around the complexity of cyber-attack incidents, and because the business owner doesn’t grasp vulnerabilities and risks, they can’t ever really understand the danger of insecurity unless they get breached first.

 

The interesting thing, though, is that both business owners and security pros want the same thing: to keep the business safe and growing. They also see the same issues. Some of the other components of the Ponemon Institute study show that:

 

  • Businesses are very interested in maintaining brand reputation. This is something security professionals highlight too: use security to keep brand trust and avoid losing customers.

 

  • Businesses know they can’t monitor everything and that a vulnerability can always come about. Security experts have been stating for some time now that it’s not a matter of if you’re breached, but of when you are breached. This is also why business continuity plans and continuous monitoring are two components of an effective security posture.

 

  • Businesses are not confident in their ability to analyze and mitigate threats. The security industry has been doing its best, study after study and educational article after article, to let CEOs and the board know that it understands and that it has solutions. CIOs and security pros understand that executives can’t analyze the threats when they aren’t aware of all the complexities, that they can’t mitigate threats when they lack the necessary manpower, and that they may be investing their cybersecurity dollars in technology that can only do half the job.

 

It’s great to see a study like this point out the challenges business and security are having, but in doing so, it actually makes clear that business and security have the same objectives in mind.

 

As a security company that looks to help businesses in any way we can to learn more about the complexities of a security posture and to really have an eye on vulnerabilities, and the enterprise as a whole, I can say that business growth and protection is our top priority. It’s safe to say that this is the case for a majority of the other great security professionals and companies out there.

 

With our blog we’re always trying to share risk management knowledge with the CEO, CIO and any business executive who is trying to understand the whole information security topic.  So instead of being divided, let’s come together and talk about your security.  Let’s make sure you are where you need to be to reach your business objectives and stay successful.  We’re really on the same page.

 
