Read more online at www.securitymattersmagazine.com Cyber Security Procurement Feature
CISOs are now looking ahead to their buying decisions for the next 12 months and budgeting accordingly for further investment in key areas. Unsurprisingly, perhaps, more than half of the respondents to our study state that they’ll be adopting a ‘cloud-first’ approach when it comes to new technology. This means that any future purchasing decision must only consider solutions readily available in the cloud. Such an approach will deliver far greater flexibility in the ‘new normal’. In the times ahead, it’s likely that employees will be required to work from wherever they’re able to do so. Indeed, many organisations are now viewing the remote working model as a permanent option for specific employees.

Undoubtedly, the businesses that adapted most effectively to remote working were those that had cloud solutions in place in tandem with privilege-centred access management. This meant that network access was already being controlled at a granular level, whether required remotely or on the premises. The end result? Continuity of service and security when workers had to relocate.
Quest for compliance
When looking at where to invest their security budgets, CISOs are well aware that protecting the business from severe regulatory penalties is going to be key. In fact, more than four out of every ten respondents to our survey were reluctant to invest in any security measures that didn’t aid regulatory compliance in some way. This is of little surprise, as the punishment for failing to adhere to regulatory obligations often exceeds the impact of any data breach.

Since its introduction, the General Data Protection Regulation has seen many companies suffering from data breach episodes being handed down crippling fines for proven non-compliance. In October last year, for example, the Information Commissioner’s Office fined British Airways the substantial sum of £20 million for failing to protect the personal and financial details of more than 400,000 of its customers.

Even if there isn’t a data breach involved, businesses working in regulated industries such as finance can be severely impacted by failing a security audit. More than one third of CISOs view the ramifications from such audits and regulatory non-compliance as the main consideration when deciding where to invest their security budgets. On that basis, they’re more likely to look for solutions that address actual audit requirements rather than those marketed on the basis of threat defence grounded in fear, uncertainty and doubt.

All that said, compliance alone doesn’t mean that a business is secure. ‘Tick-box’ compliance is often just a snapshot of how well a network’s performing against minimum requirements at a particular moment in time. As today’s threat landscape is constantly evolving, businesses must ensure that they’re continually secure. Ultimately, this involves going beyond the requirements of regulation and monitoring the network in real time.
Information gathering
Investing in a cyber security solution is one of the most significant decisions a CISO can make. Based on their recommendation to the Board, any solution chosen should actively mitigate risk, have its capabilities used to their fullest effect and demonstrate a reasonable return on investment. Before investing in any such solution, CISOs need to gather the best information possible such that they can then make the most informed decision.

One of the greatest sources of information upon which CISOs rely in order to decide which solution to select is each other. CISOs harbour a wealth of experience and knowledge about cyber security solutions. This is gathered not only by having hands-on familiarity with technologies, but also from industry connections, attending conferences, reading journals and even researching their own buying choices. Recommendations from those who’ve already used a technology are invaluable when looking to gain a fresh perspective on whether or not a given solution would be deemed ‘a good fit’.

Our research shows that a recommendation from peers clearly influences the types of solutions firms end up purchasing. A majority invest in solutions that adhere to industry best practice and encompass tried-and-tested technology (which is a more likely outcome when listening to peer recommendations, in fact).

A significant number of organisations are less risk averse when it comes to new solutions. Our study highlights that around one-in-three respondents said they embrace new technology advancements and want to remain informed of the latest security trends. These trends are often well covered with