Deepti Gopal, Director Analyst at Gartner, explains that the time has come for CISOs and cybersecurity experts to re-evaluate their strategies: to move away from merely deploying defence capabilities and towards adopting proactive measures.
Cybersecurity discussions often begin by emphasizing the potential losses from not investing in it. However, crafting a robust and effective cybersecurity strategy centred around defence presents a formidable challenge when it comes to validating and securing funds. The return on investment (ROI) associated with defence often remains elusive, as usually only defence failures can be measured.
Consequently, Chief Information Security Officers (CISOs) find themselves compelled to redefine their narrative and shift away from emphasizing defence alone.
To secure executive support and financial backing, CISOs must instead redirect attention towards implementing proactive measures aimed at mitigating risks effectively while simultaneously enhancing overall security performance across various organizational layers. By presenting this alternative perspective centred around strategic action rather than passive protection, CISOs have a better chance of gaining both buy-in from key decision-makers and adequate resources necessary to fortify their organization’s cybersecurity posture.
Flipping from Hygiene to Consequence Mitigation
Pivoting from defence to offense requires an organization’s stakeholders to see cyber-risks as consequences of their business decisions. In this perspective, anticipating those consequences becomes an important input into business decisions, and mitigating them becomes an integral part of business strategy. A successful implementation of this shift demonstrates that cybersecurity isn’t just a matter of hygiene; it’s a critical survival factor for the business.
Shift from Harm Prevention to Harm Mitigation
A strategy focused on trying to prevent all harm is not productive. It encourages the wrong thinking and ultimately results in the wrong investments. In contrast, mitigating harm means not trying to block every way an organization can be attacked, but investing in technologies that prevent the resulting harm and remain effective for the organization in the long run.
CISOs can link their efforts to mission or market differentiation when they sidestep the complexity of the many ways harm occurs and instead gain a better understanding of the effects and how to mitigate them. This is also the wiser investment, since its results can be demonstrated. New attack vectors will always emerge, so “perfect protection” cannot be guaranteed, but “rapid recovery” is an achievable goal.
Safeguard the Value Proposition
Understanding which business capabilities are vulnerable or most impacted by cyber effects is crucial for CISOs to effectively safeguard their organizations by allocating resources efficiently. As a result, CISOs can articulate clearly how investments in cybersecurity directly influence the enterprise’s overarching mission or market performance. Ultimately, it also helps the decision makers in the organization to understand why investing in robust security systems and protocols is not only essential but also directly tied to sustainable success in today’s digital marketplace.