"Our approach is to fuse business strategy with business risk," explains Budiman Tsjin, Senior Manager Sales Engineering, ASEAN & Greater China, RSA. "This creates a link based on what our security technology tells us and what it means to the business, which is what we call 'business-driven security'. Using our tools, we can consolidate, streamline and prioritise cybersecurity operations and compliance, but crucially, to create a business-driven security strategy, the tools are not enough alone. You first need to know your assets, what your priorities and what the impacts to the business are in order to budget appropriately."
Steps to Create a Business-Driven Approach to Cybersecurity
- Prioritise assets and understand vulnerabilities.
- Quantify business risk and impact if those assets were compromised; determine if your budget is allocated properly.
- Build a strategy to defend those assets with clear cost/benefit relationships outlined; make sure your strategy is holistic (people, process, technology).
- Determine gaps between what you have in place today and your ideal state.
- Take a phased approach to addressing the gaps, but start today; prioritise according to impact on risk posture.
- Constantly re-evaluate threats and vulnerabilities to tune your strategy; have a response plan in place.
Alvin Yeo, Channel and Business Development Director, NTT Security, adds, "If we just focused on IT and technology today, it's a bit short-sighted. This is because when we look at cyber-attacks today, they transcend way beyond technology. Instead, a holistic approach looks at the processes and people aspects as well. Also, if we just focus on technology solutions, that's just back office and there will be pressure to reduce that cost. Instead, if we can talk about exactly what we need to protect and its relevance for the business, that's how we can drive change."
Given the nature of cyber-threats today and company inertia, the most effective way to enhance cybersecurity within an organisation is to take a high-level, risk-based approach that is linked to that organisation's priorities. This does not necessarily require a major investment up front, as many organisations are already operating with known vulnerabilities, which can be corrected by following simple best practices. By engaging with external solution providers, correcting existing vulnerabilities and taking a risk-based approach, IT security decision makers will find themselves with greater momentum and leverage to enhance cybersecurity within their organisation.