Your security journey; more for less, post COVID-19. 

News and information from the Advent IM team.

Thank you to our Head of Client Development, Derek Willins.

As we endure societal lockdown in an effort to control the spread of COVID-19, thoughts turn to imagining what will change when it’s beaten. I suspect that business continuity, business resilience and risk management will be high on most agendas for a while, alongside the financial restrictions that will decide what gets done and when. Supply chains will be overhauled, as will working from home policies, and mobile equipment. Digitisation will increase, as will automation and complexity. Quite what all the ‘new normals’ will be in two or three years is too hard to call, but it will look different from today.

There is one certainty though. Online crime will continue to grow. Criminal activity has stepped up during the crisis with sophisticated health- and virus-themed phishing and ransomware campaigns, as well as heartless physical attacks on ambulances and thefts of hospital oxygen canisters. Our enemies are merciless and cruel. Unified and better-constructed security defences have to be part of the inevitable reviews which will happen. However, I suspect the usual objections to change will centre around finance (specifically ROI) and the question of how we get more from less. It is this latter issue I want to address.

Advent IM’s long-held philosophy has always been that holistic security (one team covering information, IT and physical security) is more efficient and effective than unconnected silos, and that excellence can be achieved with modest budgets. Underpinning this philosophy is the view that people and process are the master, and technology is the servant. All too often, in the search for quick solutions, the lure of expensive technical security solutions (without good people and process around them) has failed to deliver on expectations. A more balanced approach of people and process with technical support is the strategy which brings affordable effectiveness. It was a pleasure, therefore, to discover some data which supports Advent IM’s philosophy.

A few months ago, a new report* was published which caught my eye. It is a document providing us with a view of the current state of information security, including current risks and trends, organisation structures, and budgets.

There is an analysis of the respondents’ security budgets (as a % of their IT spend) and their security maturity status (on a 0-4 scale, 4 being optimal). Each respondent is then placed in one of four quadrants. The two axes are the (group average) budget versus the (group average) security maturity.

[Figure: Advent IM security spend vs maturity]

Conclusions from the report:

  1. There is absolutely no correlation between security spend and security maturity.
  2. There are high security spenders with a low security rating (B), and some low spenders with high security maturity (A).
  3. The A group, with strong maturity and low expenditure, is spread across different industries and represents about 11% of organisations in the sample.

At face value then, the report tells us that security maturity (excellence, resilience) can be achieved without massively high investment (less than 7.2% of IT budget). Clearly these organisations have something to teach everyone. Sadly, the analysis stops short of identifying their common attributes. However, there are some inferences that can be made.

The security maturity measure runs from 0 (Non-existent) to 4 (Optimised, i.e. a business enabler). On average the sample scored 2.06. This puts them at the ‘Defined’ level, which means they have formally defined security processes, roles and responsibilities, and these are all communicated. So far so good.

The A group are getting close to the next level up (3). This means they measure and test that the process is working effectively, KPIs are set, some automation is used, and regular reviews and audits are conducted. In short, the A group ensure their way of working is effective and adjust as they go – and all done at below the average expenditure of 7.2% of the IT budget. In our experience, only people and process supported by the right technology make this happen.

Our experience tells us that most organisational leaders are satisfied that their security operation is currently fit for their purpose. It is also true that the same people want security to be a bigger part of their business culture, but rarely have a plan to make this happen. However, the evidence is clear that more can be achieved with reduced expenditure, and that all organisations, however confident, should be constantly reviewing and testing what they do: partly because threats are constantly changing, and partly because great security is an enabler of innovation and productivity.

The financial circumstances post COVID-19 will demand that operational improvements are made. More cloud, more automation, more devices, more data, more risk. Security by design and default means that planning for a more affordable and more effective security function in a post COVID-19 world starts now.


*Source: Capgemini Information Security Benchmark 2019. Based on 105 companies in the EU across 4 large private sectors (Utilities, Finance, Consumer, Manufacturing), reflecting CISOs’ and CIOs’ views.
