One of the most interesting conversation starters for a consultant is when a client tells you, “We want to be as secure as a bank.” Assuming the organization isn’t in the business of providing financial services, a good consultant will always reply with, “Why?”

It sounds reasonable to aim for bank-level security, right? We know that banks secure a lot of personal and financial information, and they typically develop increasingly sophisticated ways to manage cybersecurity investment and risks.

But here’s the rub: Most organizations will struggle to justify the same level of security spending as a banking institution.

Develop Your Cybersecurity Road Map

Security practitioners use a variety of tools to assess the current and target states of an organization’s cybersecurity position. Often, we use risk as a starting point: What’s your current risk — and what residual risk is your organization prepared to accept? The difference between these two states will drive your cybersecurity road map.

Other times, we assess capability: How well-developed and consistent are your cybersecurity practices, and how well do they enable the security outcomes your organization expects? Look at the intersection of business goals, technical constraints and availability of resources.

Maturity assessments help you understand your company’s gaps in these areas. They can also reveal cybersecurity investment in capabilities that don’t support business goals, in which case it’s better to redirect those resources to initiatives that have a more significant impact on risk mitigation.

Whichever method you use, one of the outcomes will be to develop a business case for your security road map. A major challenge for organizations is to think of cybersecurity in a strategic rather than reactive manner.

This adjustment can be tackled by asking the following questions:

  • How do you formulate a target cybersecurity state for your organization?
  • How can the case for change be developed cost-effectively?
  • Which business benefits justify the cost?

Once you know the answers to these questions, you’ll begin to understand where your organization’s priorities lie, which will help guide your investment decisions.

Use Industry Benchmarking Wisely

Industry benchmarks are reasonable starting points to define your cybersecurity target state, but you should always take them with a grain of salt. A business case for cybersecurity investment that amounts to “because everyone else does it” is not a valuable or actionable directive. That said, benchmarks can help identify potential security gaps in your organization. Use them to initiate security conversations with management, but always consider your organization’s unique business needs and objectives.

To understand the potential difficulties of benchmarking, consider two retail outlets: one that runs a standalone e-commerce shop, and one that is a traditional brick-and-mortar store with a cursory web presence for contact information. Even though these businesses are in the same industry, their cybersecurity needs are very different.

The e-commerce retailer has to meet electronic payment compliance requirements (PCI DSS, if it handles card payments) and presents a far more attractive target to attackers, so it needs a more substantial investment in application, payment and network security. Meanwhile, the brick-and-mortar store should consider heavier investment in physical security, such as loss prevention associates, at each location. An industry benchmark centered primarily on online businesses therefore wouldn’t make sense for a traditional store, and vice versa.

Identify Risks With Heat Maps

If you can’t rely on benchmarks, how can your organization identify the security areas it needs to improve? Threat and risk assessment offers a risk-based methodology that helps you understand the risk profile of your critical assets. By generating risk heat maps, you can model the level and types of security controls needed to bring each risk down to the level your organization is prepared to accept.

A heat map will provide a picture of where your greatest cybersecurity risks are. With a standards-based threat- and risk-modeling approach, you can pinpoint the business assets that will benefit most from your cybersecurity investment — and those that won’t.

The advantages are twofold: You can show leadership the impact of not addressing cybersecurity risks, and you can provide a justification for cybersecurity investment.

Depending on the organization, the business objectives that cybersecurity controls should support include:

  • Avoid fines for data breaches.
  • Don’t cause an essential service outage to the surrounding region.
  • Ensure life support systems are always available.
  • Protect product formulas or recipes.
  • Protect your organization’s brand.
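To make the heat-map idea concrete, here is an added example (not code from the article or its author) that scores a constructed risk register on a 5×5 likelihood × impact scale, credits existing controls against likelihood, places each residual risk on the heat map, and lists the risks that sit above a stated risk appetite, which is the gap the article says should drive the road map. The assets, threats, scores, control effectiveness figures and the thresholds for the low/medium/high bands are all hypothetical choices for illustration; the 5×5 grid is a common convention, not something the page prescribes.

```python
"""Risk register -> heat map -> prioritised road map (added example, hypothetical data)."""
from dataclasses import dataclass

SCALE = (1, 2, 3, 4, 5)  # 1 = lowest, 5 = highest, for both likelihood and impact


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int            # 1..5, how likely the threat is to materialise
    impact: int                # 1..5, business impact if it does
    control_effect: float = 0  # 0..1, fraction of likelihood removed by existing controls

    def inherent(self) -> int:
        """Risk before any controls are credited."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk after controls. Simple model: controls reduce likelihood, not impact."""
        return self.likelihood * (1 - self.control_effect) * self.impact


def band(score: float) -> str:
    """Bucket a score into the heat-map colour bands (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def heat_map(risks):
    """grid[impact][residual_likelihood] -> asset names placed in that cell."""
    grid = {i: {l: [] for l in SCALE} for i in SCALE}
    for r in risks:
        residual_likelihood = max(1, round(r.likelihood * (1 - r.control_effect)))
        grid[r.impact][residual_likelihood].append(r.asset)
    return grid


def road_map(risks, appetite: float):
    """Risks whose residual score exceeds the accepted appetite, worst first."""
    over = [r for r in risks if r.residual() > appetite]
    return sorted(over, key=lambda r: r.residual(), reverse=True)


def render(grid) -> str:
    """Text rendering of the grid: rows are impact (high at top), columns are likelihood."""
    lines = ["impact \\ likelihood " + " ".join(f"{l:>3}" for l in SCALE)]
    for i in reversed(SCALE):
        row = " ".join(f"{len(grid[i][l]):>3}" for l in SCALE)
        lines.append(f"{i:>19} {row}")
    return "\n".join(lines)


# Constructed register covering both retailers from the article (hypothetical scores).
REGISTER = [
    Risk("payment card data", "web application compromise", 4, 5, 0.25),
    Risk("customer PII", "credential stuffing", 4, 4, 0.5),
    Risk("brand", "website defacement", 3, 3, 0.0),
    Risk("store cash", "till theft", 3, 2, 0.5),
    Risk("contact-info site", "defacement", 2, 1, 0.0),
]

if __name__ == "__main__":
    print(render(heat_map(REGISTER)))
    for r in road_map(REGISTER, appetite=8):
        print(f"{r.asset}: inherent {r.inherent()}, residual {r.residual():.1f} ({band(r.residual())})")
```

With an appetite of 8, only the payment card data (residual 15) and the brand (residual 9) land on the road map; customer PII sits exactly at the appetite and is accepted, and the brick-and-mortar risks fall well below it. Changing the appetite, or the control_effect credited to a control you are considering funding, shows leadership directly which investments move an asset out of the red cells.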

Whether you start with a capability assessment or a threat-risk assessment, your organization will eventually have to address both risk and capability, since they’re different dimensions of your cybersecurity posture.

If you’re struggling to understand what your cybersecurity target state should be, go back to basics. Look at what you need to secure, and why. Talk to business owners and technology leads in your organization about what you need to protect, and the result will be much more meaningful.

For most organizations, trying to be as secure as a bank makes no sense. Instead, you’ll get more out of your cybersecurity investment and more support for change by aligning your road map to your organization’s business needs — and that means protecting your critical assets, monitoring your threats and keeping track of changes to your risk profile.
