By Sarah K. White
Nov. 29, 2016
Not every business can create an unlimited security budget, like Bank of America did, but businesses are letting a lack of visible ROI and cost get in the way of protecting company assets. Board members must aggressively weigh the pros and cons of any initiatives the company decides to take on, and oftentimes that leaves IT settling for a solution that wasn't the first choice but is more affordable, says Erica St-Pierre, Managing Director of the Information Technology division at The Execu|Search Group.
"In many instances, CIOs or other executives know exactly what product or solution would be the best fit for their company, but they cannot afford it. Companies have to make tough budgeting choices about existing programs and the overall allocation of funds in order to give cybersecurity initiatives the attention they know they deserve," she says.
A shifting focus
Cybersecurity is growing increasingly complex. At one time, it was mostly about protecting data. And security threats were, more than anything, a publicity nightmare, says DesJardins. But the scope of cybersecurity has since grown from a focus on data "confidentiality and integrity" to include newer threats regarding "availability," in the form of DDoS attacks and website downtime. He says that, as a result, CIOs and CISOs are often forced to make concessions, facing the reality that no matter the size of the security budget, they can never fully guarantee complete security.
Not only are threats more complex, they're also more dynamic, says DesJardins. It's difficult for businesses to stay up to date on every cybersecurity threat, so IT will often turn to third-party resources to help manage the massive undertaking of cybersecurity, which helps alleviate the burden on IT, but also means some security measures are out of their hands.
"The dynamic and changing nature of the threat landscape is evident. But, at the same time, those changes are ongoing, so too are changes to the way companies build and deploy applications. More and more IT assets -- and associated vulnerabilities -- are outside of the IT and security team's direct control. This makes the implementation and management of effective security processes and operations very difficult," he says.
For IT, cybersecurity can seem like an uphill battle of trying to land the appropriate budgets, balance cost with quality products and create a scalable approach that will remain flexible with evolving technology. Dimitriadis instructs IT leaders in this position to present cybersecurity initiatives to wary executives as a necessity for competing in the industry, a way to build trust with customers and to link security with imperative business measures in the organization.