igor - Fotolia

Many firms in the dark on cyber security investment

UK businesses need to adopt a risk-based approach to cyber security spending to ensure the best ROI and most appropriate data protection, says industry expert Michael Dieroff.

Many UK organisations are still in the dark about how to approach spending on information security technologies, according to an industry expert.

“Experience has shown that few organisations know how to go about allocating their information security budget,” said Michael Dieroff, managing director at training and consulting firm Blue Screen IT.

“There are only a few key things that need to be considered, otherwise it is likely that organisations are going to be spending on some things for nothing,” he told Computer Weekly.

“It is essentially about knowing how a security budget is derived and that it is being spent intelligently.”

A recent study by Thales E-security shows that cyber breaches are increasing despite increased security spending, underlining that security investment decisions are not aligned with actual cyber threats.

Dieroff believes that by having an ethos of following a group of principles, organisations can ensure the effective and relevant use of the IT security budget, and possibly reduce spending by buying only what they need.

“If an organisation uses only an ISO certification as a guide for implementing a set of security controls, they run the risk of investing in controls that they are never going to need because they may not be relevant to that particular organisation’s business processes in any way,” he said.

Dieroff has worked with some of the world’s leading private and public organisations, as well as many small and medium-sized enterprises (SMEs) to assist in their development and understanding of how to strengthen their cyber security strategy and implementation.

“By looking at the actual risk they have and the threats they are facing, by considering the legislation and regulations they have to comply with, and using security operations analytics, organisations can derive quantified statistics to shape and support the security budget,” he said.

Read more about security spending

According to Dieroff, security analytics are a valuable source of information about which threat actors are targeting an organisation, what they are targeting and how.

“That data is quantified, and immediately gives you something to say that is an actual value that can be assigned based on a quantified figure, which then makes a realistic spend directed at protecting against actual threats associated with a high risk.

“Even the simple logs in the network can give a quantifiable number to evidence the need for every security control,” he said.

Spending based on actual risk

A risk-based approach means organisations can spend less protecting against threats to which they have a low exposure because they know the risk is low.

“The outcome is that you don’t spend as much on something that you don’t need to, and that spending is based on actual risk, contractual obligation, and regulatory or legislative requirement rather than simply following the latest security spending trend,” said Dieroff.

Dieroff is to discuss the topic of security budgets and spending at Cybercon on 23 February 2017 in Plymouth, which is at the centre of the south-west information security industry and community.

Blue Screen IT is the driving force behind the conference, which aims to cut through the “white noise” surrounding cyber security by enabling businesses of all sizes and industry sectors to communicate with international security specialists.

Cybercon, which has the support of the National Crime Agency (NCA) will feature a “Cyber Surgery” to give delegates one-on-one access to cyber security experts on specific issues, and a “HackShack” to demonstrate some of the methods hackers use to attack organisations and the motives behind them.

Improving cyber security standards across the world

By raising awareness and promoting global collaboration and information sharing between information security professionals, the invite-only event aims to improve the cyber security standards not only in the south-west of England, but across the UK and the world.

Any senior information technology and security professionals interested in attending Cybercon can apply for an invitation through the event website before 23 February 2017. 

“One of the biggest problems we are seeing is that all the cyber criminals are working as a team to create malware super code, and so now cyber defenders have to start doing the same,” said Dieroff.

“Through Cybercon, we are aiming to give strategic decision makers and senior information systems people access to the information, experience and contacts they need.

“We are looking to attract serious people with serious interests, and create a spark among decision makers so they will set the tone to enable their organisations to establish successful information security policies and procedures,” he said.

Read more on Hackers and cybercrime prevention