
Why Cyber value is like a BLT sandwich

Written by Eliza-May Austin
June 9, 2025


Whenever we work with a new customer at th4ts3cur1ty.company, one of the first things we look at is the cyber value they’re currently receiving. Essentially, we want to know whether they’re spending wisely on cyber security and getting their money’s worth.

Before we get into this, let’s start with a caveat. At th4ts3cur1ty.company, we don’t name our customers, so any references to companies or industries are purely for storytelling purposes.

To spend or not to spend?

The topic of whether or not money is being spent wisely in cyber security is an interesting one. We even see people who are very senior in cyber assume that the more money you spend, the more secure you are. And in some cases, yes – needing to spend a lot of money is the cost of becoming and remaining secure.

For the government or armed forces, not spending any money on cyber security would be incredibly naive. Equally, there tends to be high spending in the public and financial sectors, although this is often at huge organisations with large numbers of staff and widespread coverage across one country or multiple international regions. However, the key thing to remember is that…

The act of spending money in itself does not make you more secure.

One of the struggles for Chief Financial Officers (CFOs) is trying to understand where that balance is. You can have a really passionate Chief Information Security Officer (CISO) or Head of Cyber wanting a shopping list of items for the company’s cyber defence, and it’s then up to the CFO – or other budget holder – to try and unpick whether or not there’s actually any value for the business.

At th4ts3cur1ty.company, we often have companies come to us and ask for 24-hour SOC and SIEM plus 200 days of pentesting, for example, which might not make sense for their business. We always take a thorough look at what they do; they might be a company that doesn’t hold any sensitive information, or they objectively just don’t need such mature defences. We would explain that for them, this would not offer cyber security value and would likely lead to an inevitable “no” from the budget holder, so those discussions would be a waste of time. It’s crucial to remember that spending money doesn’t make you inherently secure; it’s how you spend that money which matters.

Cyber value - it’s just like a BLT sandwich!

So, are you spending money on software and services that you need to have, or are you spending money based on what you’re frightened of? Perhaps you are someone who does need to spend a lot on cyber security, but you’re spending in the wrong area because it’s not in line with the company’s business objectives.

This isn’t about doing cyber on a shoestring; this is about ensuring that however much money you’re spending, it is aligned to what that particular business actually requires.

Time and time again, we see individuals who come to us with a shopping list. For me, this is a major red flag. A shopping list, where you simply have money to burn, is not a strategy. It’s certainly not a cyber strategy.

At the risk of making you peckish, here’s where the BLT sandwich comes in. You might say to yourself, “I’m going to make a BLT sandwich, and the end goal for me is to eat the BLT sandwich. However, I don’t have any of the ingredients, or the time to make it.” What you essentially have is two bookends, and the strategy in the middle is the map of how to get from one to the other.

So then you might think, “I need a shopping list,” so that you don’t go down every aisle in the supermarket and pick up random stuff that you don’t need, because you wouldn’t be meeting your objective. And you wouldn’t suddenly say, “I think I’ll throw some cheese in, or maybe I’ll add some avocado,” because then you’ve expanded the scope of what your initial objective was.

This is what we often find people in senior cyber positions doing. We find that it also happens quite regularly when the business brings in a new CTO, CISO, Head of IT etc., who might decide to deviate from the existing strategy. Rather than ending up with bacon, lettuce, tomato, bread, and butter – which would meet their objectives – what they end up with is a whole salad and half a pig! Then they can’t get sign-off from the CFO, who is looking at it thinking, “I really don’t understand how giving them access to all that money is going to get the BLT.”

Strategic goals should determine your cyber spend

If you’re unsure where to start, my advice would always be to lock in on what the organisation’s goal is, and then figure out how your cyber security spend can help meet it.

For instance, if you’re a manufacturer of a physical product and you can no longer make that product due to a cyber attack, you’ll lose money. The factories themselves, the software that records what’s been made on the factory line and whether or not the distributors have received them, the systems that tell you whether the product has been delivered to the shops – all of these are critical components of your business’ success. Similarly, if you sell plane tickets and your site is down or is too slow, you risk your customers going elsewhere. Obviously you would still need to protect your perimeter, but the key to ROI in cyber security is to ensure that you’re securing these crucial systems, and work backwards from there.

However, when determining your cyber value, it’s important not to forget the basics. By this, I mean looking at what tooling you already have, and what the configurations are that will help make the most of them. This is important no matter the size of your company’s budget, but especially crucial to those with small budgets, or where every single penny counts. For instance, for a non-profit that stores the data of sick adults or children, it’s vital to protect that incredibly sensitive data. If their limited spend is coming from the NHS or donations, they may not have the funds to spend on an elaborate cyber security training and awareness schedule when they should first be addressing whether they are keeping their data secure.

This is where consultancy from experts like th4ts3cur1ty.company can help you understand what you already have to work with, and what you should prioritise to ensure you’re getting the best ROI.

How do you work out your cyber value?

If you’re a company that’s really serious about assessing the ROI of your cyber security (and you should be!), I would recommend checking out our Adversary Emulation Purple Teaming page. It’s a combination of penetration testing, red teaming, blue teaming and more (just like a BLT sandwich, all the components are important for the best result!). Our Adversary Emulation Purple Teaming process will not only test your current cyber defence capabilities – including testing your people, tools, and technology – it will also look for things like duplication of functionality, weak SLAs and weak processes. Essentially, we’ll give you a clear picture of whether the money you’ve already spent is working for you, and the information we provide can then be used to improve cyber defences or reduce costs.

Here’s an example of how this can work. One of our Adversary Emulation Purple Team customers (shall we just call it AEPT for now?) knew they were going to be reducing their headcount at some point in the near future, but they were unsure of where to make the reductions. They knew that some might be in their SOC and some might be in cyber governance, but they just didn’t really know where. They also knew that they needed to keep some tooling, but they weren’t sure what could stay and what could go. So th4ts3cur1ty.company identified which areas were overstaffed, as well as uncovering that they had paid two different companies for two different sets of tools that were doing pretty much the same thing. We recommended keeping the one that would work best for their business in terms of security functionality.

Four questions that we ask during our Cyber Efficacy Assessment – another comprehensive, top-to-tail service that will help you determine whether you’re getting cyber security value – are as follows.

1. Can they demonstrate an improvement to the bottom line of the business after investing in security?
2. Are they actually more secure as a result of financial investment in cyber defence thus far?
3. Is investing in internal or external cyber security the most strategic approach for them?
4. Is the spending on cyber security justifiable for their business?

At th4ts3cur1ty.company, we always ensure that we make the recommendations that are best for the customer, whether or not that’s the most lucrative path for us. In the case of the customer mentioned a moment ago, we were also able to help them rescue a service they had with another vendor that their internal staff were complaining about, due to not receiving the correct alerts or information. In fact, the other vendor was actually doing what they were contracted to do, but the information was being sent to a Slack channel which had been muted.

Back to our BLT sandwich (also, this is your sign to make yourself a BLT when you finish this blog!), if your strategy is to grow your sandwich business over the next five years, you’ll want to make as many tasty BLTs as possible. But then you might bring in a new Head of Sandwiches to execute that strategy, who decides that they want to make the bacon vegan! This can dilute your core strategy and divert expensive resources into exploring other avenues, all while your BLTs are not getting the attention that they need and the quality is declining.

So when we’re trying to determine cyber value, we’re assessing whether the technology is correctly configured and utilised, whether the people are performing and in the best roles, and whether the processes in place are working correctly. We look at all of these factors and determine whether they enable the business whilst keeping it secure, or whether the security processes are locking down the business in a way that makes it less likely to generate the income needed at the speed required. You might be spending money on a SIEM solution when you don’t need its full functionality, or you might have other tools that can do the same job. This helps ensure that when you do spend on cyber security, you spend in exactly the right places.

In conclusion

When it comes to determining cyber security value, think of it this way: your CFO will want to know what position you would be in if you hadn’t spent money on evaluating your business’ cyber security. If you don’t have the evidence to back up your recommendations and then hand the CFO a large bill, they could well think that because you’ve not been hacked or had a data breach, there’s no ROI there. Essentially, they don’t know all the components that go into your BLT sandwich.

It’s only by ensuring that you have a clear understanding of your people, processes and technology (or indeed, your bacon, lettuce and tomato) that you can make decisions which generate cyber value aligned with your business goals. And the th4ts3cur1ty.company experts can help you with that, whether you’re looking to test your security operations, people, processes and implementation with Adversary Emulation Purple Teaming, or simply discovering how to apply your funds to maximise business ROI with our Cyber Efficacy Assessment.

Get in touch to find out more at [email protected].

This article is written by Eliza-May Austin, CEO.

Eliza exudes a captivating, no-nonsense demeanour that defines the services provided by th4ts3cur1ty.company. As a proud Yorkshire woman, she boasts an impressive expertise in tea, gravy, and local hiking trails. Clients value Eliza’s practical, assertive stance on security, especially in challenging situations. Quietly dubbed the “Winston Wolfe of cyber”, she navigates complex conditions with a calm and strategic approach. Trust her to handle security matters with finesse and to get you out of a bind with determined resolve.