How to focus your cyber security investments

Figuring out how to get the best return on investment when it comes to cyber security is tricky business. But there is a way...

Posted on January 16, 2020 · 5 mins read

Everyone wants good value for money, and cyber security departments are no exception. With a limited budget and a growing number of cyber threats lurking out there, how do you work out what will generate the most value per £ spent?

Of the FTSE 100 listed companies, 89 regard cyber security as a principal risk that can be addressed by a boost in spending on security. However, it is difficult to know how much money is the ‘right’ amount to address the level of cyber risk, and where it should be spent first.

The NHS as an example

As the largest employer in the UK, the NHS is a massively complex, slow-moving and vital organisation that has faced criticism for not investing enough money in cyber protective measures.

In the wake of the 2017 WannaCry incident, the NHS spent £60m addressing immediate gaps in cyber security, including upgrades to infrastructure and giving trusts the ability to detect threats on their networks. A further £150m has been announced over the next three years to enhance cyber resilience, but the National Cyber Security Centre (NCSC) recommends the NHS should spend £800m-£1bn over the same time frame to address cyber risks adequately. Clearly, if the NHS did this there would be a substantial impact on the number of beds, nurses and medical equipment it could buy to keep up with the burgeoning demand. So, how should the NHS decide where to spend its limited budget?

The approach

Don’t panic buy

The first thing the NHS should do is not panic buy new tools and technologies that will likely end up delivering little value. Senior management can often feel pressured into making quick decisions so that customers, shareholders and regulators are assured improvements are taking place. In reality, what’s likely to be happening is that valuable money is being squandered to make it look as though ‘security is happening’.

Avoid the big bang approach

To derive maximum value for money, they should prioritise areas of risk and go after them first, before blowing the budget on costly vendors.

A risk-based approach to spending the limited budget strategically will focus investments on business-critical systems and processes first. For the NHS, this may look like ranking their Trusts according to a business impact index whilst carrying out cyber risk assessments.

Conduct Business Impact Assessments

Business impact assessments at a Trust level will be the first stage in identifying large chunks of the organisation to focus on first. But assessments should not stop there. Conducting business impact assessments at an asset (system/application/hardware) level will help weed out the most important ones, shifting focus toward a select group of assets which are core to the Trust’s business operations.

The NHS would end up with an ordered list of its most critical assets within its top-priority Trusts: a very powerful piece of information.

Conduct Cyber Risk Assessments on priority assets

Conducting cyber risk assessments on the most critical assets within the top-priority Trusts would be the next step. A typical risk assessment would include a review of policies, a traditional gap analysis of controls against a standard (e.g. NIST, ISO, NCSC Cyber Essentials Plus), identification of technical vulnerabilities, identification of threats, the development of risk scenarios and, finally, a numerical calculation of risk based on the information learned in the previous steps.

Putting it all together

By following this methodical approach, the NHS would end up with a list of issues to fix, driven by a combination of risk and strategic priority (the insight gained through business impact assessments). The issues would be broken down into manageable tasks, which brings numerous benefits:

  1. Easier to price the fix

  2. Easier to calculate the number of FTEs required for the fix

  3. Easier to point at tangible benefits which can be linked back to the NHS’ objectives and vision.
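The three steps above (rank Trusts and assets by business impact, score the control gaps the risk assessment finds, then turn the result into a priced list of fixes) can be expressed as a small prioritisation model. The following is an added worked example and is not code from the original post or from the NHS; the Trusts, assets, gaps, 1-5 scoring scales, fix costs and risk-reduction fractions are all constructed sample data, and the scoring formula (Trust impact x asset impact x likelihood x severity) is one hypothetical scheme, not a prescribed one.

```python
"""Risk-based prioritisation of a limited cyber security budget.

Added example, not the post's own code. It models the approach described
above: business impact index at Trust and asset level, a numerical risk
score per control gap, and an ordered list of fixes ranked by the risk
they remove per pound spent. All data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Gap:
    """A control gap found by the risk assessment on one asset."""
    control: str           # hypothetical control name from the gap analysis
    likelihood: int        # 1 (rare) .. 5 (almost certain) a threat exploits it
    severity: int          # 1 .. 5 impact on the asset if it is exploited
    fix_cost: int          # estimated cost of the fix in £ (constructed)
    risk_reduction: float  # fraction of the gap's risk the fix removes, 0..1


@dataclass
class Asset:
    name: str
    impact_index: int      # asset-level business impact index, 1..5
    gaps: list = field(default_factory=list)


@dataclass
class Trust:
    name: str
    impact_index: int      # Trust-level business impact index, 1..5
    assets: list = field(default_factory=list)


def gap_risk(trust, asset, gap):
    """Numerical risk: strategic priority (Trust x asset impact) multiplied
    by the usual likelihood x severity score. Hypothetical scheme."""
    return trust.impact_index * asset.impact_index * gap.likelihood * gap.severity


def prioritise_fixes(trusts):
    """Flatten every gap into a fix and order by risk removed per £, highest first."""
    fixes = []
    for trust in trusts:
        for asset in trust.assets:
            for gap in asset.gaps:
                risk = gap_risk(trust, asset, gap)
                removed = risk * gap.risk_reduction
                fixes.append({
                    "trust": trust.name,
                    "asset": asset.name,
                    "control": gap.control,
                    "risk": risk,
                    "risk_removed": removed,
                    "cost": gap.fix_cost,
                    "value_per_pound": removed / gap.fix_cost,
                })
    return sorted(fixes, key=lambda f: f["value_per_pound"], reverse=True)


def plan_within_budget(fixes, budget):
    """Greedy spend: take fixes in priority order while the budget allows."""
    chosen, spent = [], 0
    for fix in fixes:
        if spent + fix["cost"] <= budget:
            chosen.append(fix)
            spent += fix["cost"]
    return chosen, spent


# Constructed sample data: two Trusts, three assets, four control gaps.
SAMPLE_TRUSTS = [
    Trust("Trust A", 5, [
        Asset("Patient records system", 5, [
            Gap("Unpatched OS on servers", 4, 5, 40_000, 0.8),
            Gap("No network monitoring", 3, 4, 120_000, 0.6),
        ]),
        Asset("Staff intranet", 2, [
            Gap("Weak password policy", 3, 2, 5_000, 0.7),
        ]),
    ]),
    Trust("Trust B", 2, [
        Asset("Imaging system", 4, [
            Gap("Unpatched OS on servers", 4, 4, 30_000, 0.8),
        ]),
    ]),
]

if __name__ == "__main__":
    ranked = prioritise_fixes(SAMPLE_TRUSTS)
    for f in ranked:
        print(f"{f['trust']:8} {f['asset']:24} {f['control']:26} "
              f"risk={f['risk']:4} cost=£{f['cost']:>7,} "
              f"value/£={f['value_per_pound']:.4f}")
    chosen, spent = plan_within_budget(ranked, 100_000)
    print(f"Within £100,000: {len(chosen)} fixes funded, £{spent:,} spent")
```

The ranking deliberately does not favour the most expensive control: the cheap password-policy fix on a low-impact asset outranks the costly monitoring project on the most critical one because it removes more risk per pound. A real programme would replace the constructed scores with the outputs of its own business impact and risk assessments, and revisit them as the "Don't stop" section below advises.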

Don’t stop

Organisations are beginning to wake up to the fact that launching a multi-year cyber transformation programme is not going to make cyber risk go away. Indeed, cyber security is here to stay. Therefore, the NHS should conduct assessments on an ongoing basis to ensure it stays focused on what truly matters to its operations and that funding flows to the right places to address its biggest cyber risks.

Originally published at https://www.linkedin.com.