Achieving Cyber Sustainability
The digital acceleration brought on by the recent pandemic crisis has made building and maintaining digital trust a matter of paramount importance. Protecting data and assets is becoming more complicated as threats evolve, and cybersecurity budgets grow every year to match that complexity. Analyst data shows that spending on cybersecurity is not only growing, but growing faster than IT spending overall.
Gartner has estimated that worldwide security spending grew 10.5% in 2019, compared to 0.4% growth in IT spending. Considering that cyber resilience is at the top of the agenda for many executives, budgets are likely to keep growing.
Having said that, general management and boards are paying increased attention to the value realized from cybersecurity investments:
More and more, the question of "Cyber Sustainability" is leading to interesting conversations about the balance between cyber risk reduction and the actual reward to the business in terms of improved agility, about embedding frictionless security in the organization's DevOps practices, and about the resulting customer experience. These conversations are also about the quality of execution of cybersecurity programs.
Below is a simple 10-point diagnostic test to determine whether your cyber investments are sustainable:
Mix of Build vs. Run in your security budget: This is a key indicator that is expected to vary over the execution horizon of a multi-year cybersecurity program, but having a dominant share of the budget captured by Run activities could indicate an unsustainable trajectory. Maintaining some execution headroom for new initiatives is key.
Number of security solutions used in the environment: Let's face it, cybersecurity is more complex today than, say, 10 years ago. There are different problems to solve and the domain of controls is vast. Having said that, using more than 30-40 security solutions (depending on the size and scope of the organization) is problematic, as it can fragment security operations and limit the end-to-end understanding of issues by the teams responsible for operating these solutions. Platforms should be preferred over point solutions.
The cybersecurity architecture: Having a cybersecurity architecture that is challenged and updated regularly in light of changes in the technology stack, the evolution of threats and innovation in security controls is a way to ensure that cybersecurity programs are (rightly!) outcome-oriented, by aligning them to key architectural principles.
The cybersecurity analytics program: Effective cybersecurity relies on the correct interpretation of the rich telemetry generated by the different security controls in the environment, as well as of external signals. One might therefore think that the domain, given its reliance on weak-signal detection and rapid correlation between events, would be a key consumer of innovation in AI/ML, big data management and advanced analytics. Unfortunately, this is not generally the case. Having a cybersecurity analytics initiative with the right ambition (and execution) is an important contributor to Cyber Sustainability.
Yearly execution and efficiency targets: To what extent is the cybersecurity program subject to clear and measurable targets? How often does it meet them? This is about ensuring the continuous-improvement mindset that is essential in this field, through transformational opportunities, as opposed to mechanically chasing budgetary efficiencies and meaningless programmatic maturity.
Outsourcing of commoditized activities: A sustainable cybersecurity program defines which activities are commoditized and which are strategic. Smart allocation of resources, outsourcing commodity activities and services while maintaining direct operational focus on the most critical ones, is important.
Percentage of previously unplanned security spend vs. total spend: Blind spots are a reality for cybersecurity professionals. They can take different forms: unknown unknowns (vulnerabilities) in the environment, new regulatory mandates, new strategic business priorities (M&A, etc.). Having said that, the capacity to anticipate these developments and shifts in priorities is an important component of Cyber Sustainability. Granted, not all of them can be expected, but there is a big difference between a program whose priorities constantly shift and one that manages to integrate new priorities within an existing framework and context. This ratio is an important indicator of the program's capacity to anticipate.
Percentage of obsolete controls removed yearly: Over-layering of controls is a key contributor to poor customer experience (internal and external) and to increased operational complexity. Sustainable cybersecurity programs should strive to always replace ineffective and/or expensive controls (poor return on risk reduced) with more intelligent ones. The focus here should be on addressing inherent risk at the core as much as possible (via enhanced architectures, curated controls, etc.) rather than on control overlay.
Human intensity required to operate your cybersecurity program: Automation is a key enabler of the sustainability of a cybersecurity program. The more manual the effort, the less likely execution is to be optimized. Obviously not all capabilities can be automated, but a significant portion of operations should be.
Percentage of cybersecurity controls operated outside the cybersecurity teams: Sustainability is achieved when security controls become naturally embedded in business and IT processes (e.g. DevOps). Turning security into a set of ambient controls helps organizations leverage the full strength of their human firewall and makes the issue everyone's responsibility. Only by reaching that level of commitment and engagement can a cybersecurity program become sustainable.