Gerhard Swart | Chief Technology Officer | Performanta
Prioritising cybersecurity through business risks delivers the highest value protection.
Cyberattacks have graduated from “possible” to “probable”, according to a major South African insurer. Businesses must act to reduce cyber risks, which many are doing by spending on new security services. However, this approach often becomes reactive, creating more problems and consuming larger chunks of IT budgets without truly making an organisation safer. But there are better ways to create lasting security resilience.
Cybersecurity’s arms race
Buying cybersecurity products is taking larger portions of IT budgets, conservatively growing from 8.6% in 2020 to 13.4% in 2024.
On average the numbers are higher, and in some sectors security can take up a quarter of IT budgets. A majority of executives expect security budgets to grow by at least 6% in 2025, with some expecting 15% or more. Yet cybercrime is increasing, both in the number of successful breaches and in how frequently companies are targeted.
After more than a decade of aggressive innovation and growth in cybersecurity, budgets should be stabilising. That’s not happening. A big reason is that criminals keep evolving their tactics, requiring companies to spend on improvements. But this isn’t the only factor.
Another issue with buying cybersecurity products is that companies are engaging in a competitive arms race with criminals. For every new tactic the criminals develop, the company adds a new security service. This approach is unsustainable, which is why frameworks like Continuous Threat Exposure Management (CTEM) are becoming more popular.
Stabilising security budgets
CTEM is a new approach where organisations proactively assess, scale and pool their security by focusing on their business risks.
First, start with the biggest risks, such as your financial data. Where is it stored? What is the likely damage if that data were stolen or ransomed? Then zoom in on access to the data. How is it accessed and used? Who has access?
Thereafter, look at specific threats. Is the data server secure? Is it integrated with other services, and are they secure? Are the people with access trained to spot cyberattacks aimed at them, such as phishing? Are the accounts with access safe? Do they use multi-factor authentication?
These questions are routine in any security analysis and in any decision to buy cybersecurity products. However, anchoring them to major business risks lets organisations coordinate their security resources much more effectively. This focus also creates feedback loops that improve knowledge of new threats, scale security coverage prudently, and drive continual improvement and resilience.
Anticipation creates better security
I compare continuous threat management to racing. Imagine a racing driver who is very reactive. When they run into obstacles, they slam the brakes, punch the accelerator, and grind the gears. That’s not efficient, and they likely won’t win the race.
Now, picture the driver who thinks ahead, who can anticipate what lies beyond the next curve, and has the experience to make the right decisions fast. They get through obstacles with more fuel in the tank and less wear on the car.
Most companies and their security partners drive their security badly. They are reactive, throwing whatever they can in the moment at a risk. The problem is that this only works up to a point. Each victory brings them closer to ruin: higher costs, flagging security, and the potential for a successful and devastating cyberattack.
Simply buying cybersecurity products won’t make your business safer. In the battle against cybercrime, it leads to the worst uses of people, resources, and budgets.
Continuous threat exposure management’s five steps
While business risks have influenced cybersecurity strategies, frameworks such as CTEM and the security providers that adopt them are putting those risks at the centre, providing an effective way out of crippling victories and towards long-term cyber resilience.

Gartner’s CTEM framework involves five steps:
- Scoping: Identify your organisation’s vulnerabilities, including devices, apps, and less tangible elements like social media and supply chains. External threats and SaaS security are good starting points.
- Discovery: Create a process to identify assets, associated vulnerabilities, misconfigurations and other risks. Prioritise accurate scoping based on business risk and potential impact.
- Prioritisation: Prioritise security issues based on urgency, security impact, available controls, and risk tolerance. Focus on high-value assets and create a treatment plan addressing the most critical threats.
- Validation: Verify whether a vulnerability is exploitable, analyse all potential attack paths to the asset, and determine whether the current response plan is fast and substantial enough to protect the business.
- Mobilisation: Mobilise people and resources by communicating the plan to stakeholders. Streamline processes and document workflows, reducing obstacles to approvals, implementation processes or mitigation deployments.
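As an added illustration of the Prioritisation and Validation steps above (example code, not from the original article or any Performanta tooling), the following ranks a set of constructed findings first by raw scanner severity and then by a business-risk score that folds in asset value, validated exploitability, exposure and existing controls; the weights and the risk-tolerance threshold are hypothetical and would be set by the organisation.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Finding:
    finding_id: str
    asset: str
    asset_value: int     # business value of the asset, 1 (low) to 5 (crown jewel)
    cvss: float          # technical severity as reported by the scanner (0-10)
    exploitable: bool    # Validation step: was an attack path to the asset confirmed?
    controls: int        # compensating controls already in place (MFA, segmentation, ...)
    exposure: str        # "internet", "partner" or "internal"

# Hypothetical weights: how reachable an asset is from each exposure class.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.7, "internal": 0.4}

def business_risk_score(f: Finding) -> float:
    """Score in [0, 100] anchored on business impact, not just severity.

    Likelihood combines exposure, severity and validation (an unconfirmed
    attack path is heavily discounted); impact is the asset's business value;
    each existing control further reduces the residual risk.
    """
    likelihood = EXPOSURE_WEIGHT[f.exposure] * (1.0 if f.exploitable else 0.3) * (f.cvss / 10.0)
    impact = f.asset_value / 5.0
    control_factor = 1.0 / (1 + f.controls)
    return round(100 * likelihood * impact * control_factor, 1)

def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """The reactive ordering: whatever the scanner says is most severe goes first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def treatment_plan(findings: List[Finding], risk_tolerance: float) -> List[Tuple[str, float]]:
    """Findings whose business-risk score exceeds the organisation's tolerance, most urgent first."""
    scored = sorted(((business_risk_score(f), f) for f in findings), key=lambda s: s[0], reverse=True)
    return [(f.finding_id, score) for score, f in scored if score >= risk_tolerance]

# Constructed sample findings (not real assets or vulnerabilities).
SAMPLE = [
    Finding("F1", "marketing-site", 1, 9.8, True, 0, "internet"),
    Finding("F2", "finance-db", 5, 6.5, True, 0, "internal"),
    Finding("F3", "finance-db", 5, 8.0, False, 1, "partner"),
    Finding("F4", "hr-portal", 3, 5.0, True, 1, "partner"),
]

if __name__ == "__main__":
    print("By CVSS alone:   ", rank_by_cvss(SAMPLE))
    print("By business risk:", treatment_plan(SAMPLE, risk_tolerance=10.0))
```

With these inputs the medium-severity finding on the finance database rises to the top, while the high-severity but unvalidated and partly controlled finding drops below tolerance, which is the point of anchoring prioritisation to business risk.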