Stop the cybersecurity fearmongering

After the infamous WannaCry ransomware attack caused havoc and disrupted the operations of businesses around the world, an interesting yet predictable thing happened. The share prices of cybersecurity companies soared – even the firm in charge of protecting the British National Health Service, the highest-profile entity to fall victim to WannaCry, saw a boom in its stock market value. On a smaller but noticeable scale, cybersecurity salespeople know that every headline reporting a well-known organisation being breached results in a detectable increase in sales.

Understandably, seeing large enterprises suffer the consequences of a cyberattack is a strong incentive for the C-suite to approve and even prioritise cybersecurity spending. However, leveraging fear to drive sales reflects a fundamental problem with how we think about IT security - as something that we bring in to curb our anxieties, rather than a positive investment made to add operational value.

Cybersecurity is not just an IT issue

One of the misconceptions that sit at the basis of the cultural shift that needs to happen in cybersecurity is the idea that securing an enterprise is all about a problem (cyberattacks) and a solution (a security tool that will stop attackers). This view is typical of the early, frontier-mentality days of security, when it was considered an IT problem, and when solutions were marketed as the magic bullet that would make the problem go away.

Identifying and protecting vulnerable systems and platforms is indeed an essential part of a successful security strategy, but solely focusing on technology as the solution to a problem is ultimately detrimental for organisations’ security stance. Instead, technology should be seen as just one of the components that make up a culture of ‘doing things securely’, a set of tools that are not there to prevent something bad from happening, but are part of a broader effort to make operations smoother and more secure.

A shift in mindset

First and foremost in the mind of the C-suite is the revenue-generating, seamless running of operations. This is one of the reasons why it was once hard to convey the importance of investing in cybersecurity, where the ROI is notoriously hard to quantify. Some tried to do it by attempting to quantify the monetary losses of companies that suffered a breach, which certainly made for a compelling case, but fell into the category of the scare tactics that cybersecurity should be moving away from.

The essentiality of security within an organisation is now almost universally accepted. There is no need to present the worst-case scenario to make the case for adopting an email filtering system, an antivirus, or an EDR. Therefore, the next step to optimising security functions is to look at how the money invested in security tools can be translated into streamlined, optimised security processes that effectively integrate with all other business operations and cross organisational boundaries. The question that should be asked is “what can better security do for my business,” rather than “what do I need to do to avoid a security incident.”

What can security do for your business?

Increased revenue

One of the benefits of thinking about security as added value is that it can actually increase revenue in two significant ways.

Firstly, an organisation that takes security seriously and has it built into its operations is an organisation that inspires trust in its customers. Given the wealth of information that customers are required to share, particular attention to privacy and security compliance can be a strong selling point.

Secondly, security done right can save time and money. Tools are costly, and the human resources and skills needed to operate them effectively are often underestimated. With this in mind, security tools should be seen as a chance to optimise operations across departments, making the job of IT security professionals easier and eliminating hindrances for employees in other departments.

The wrong identity access management system can significantly slow down employees’ day-to-day activities. Equally, a network detection and response system that simply stacks logs in a data lake can result in security professionals taking much longer to investigate potential threats, stretching out response times. So, while it’s true that security tools are there to solve a problem, thinking about them as something that can add value to the business is a better way to make an investment that doesn’t just tick a box. Cybersecurity technologies should be in place to optimise and complement operations, rather than adding a barrier.

Solidify your business strategy

A few years ago, the buzz phrase that everyone was hearing at IT security trade shows was “shifting left.” The concept referred to the necessity to move security testing to the early stages of software development. By doing this, security issues are detected earlier in the process, making it easier to fix them and eliminating the costs of having to remediate them later on. Shifting left also makes sense from a regulatory standpoint, as it allows more time to tick all the compliance boxes and reduces the likelihood of unpleasant surprises along the line.

Applying the same “shifting left” model to the development of a business strategy has the same advantages. Including security when accounting for business risk and mapping it into business outcomes makes it easier to develop action plans and execute them across the board.

In the long term, this will translate into a culture of making decisions that factor in the company’s cybersecurity risk exposure, thus ensuring that security doesn’t become a more costly afterthought. Considering security from the start allows for greater scalability of operations and for the development of projects that are more risk-resilient.

Cybersecurity should become your clients’ own selling point

The cultural shift of security becoming an added value should be reflected in the way salespeople approach prospects.

Fear mongering might work for obvious reasons, but it is much more important to build a dialogue with potential clients to understand where a security solution can help their operations. This helps security vendors too, allowing them to tailor their offerings to the specific needs of their target base.

Ultimately, it is much more rewarding to walk away with a purchase that will make life easier, more productive, and more profitable than with a product we were made to feel was the only way to avoid a catastrophe. In an industry laden with doom-mongering, choosing hope just might be the change we need.