2020 was a cyber security wake-up call for many organisations. The rush to provide secure remote access and device flexibility quickly exposed the weaknesses of legacy and on-premises security systems. It also showed how much change management depends on cyber security, and therefore how commercially relevant an organisation's cyber security maturity is.
At Six Degrees, we fully understand the critical role cyber security plays in delivering effective business outcomes. More flexible and robust security measures are needed to adapt sustainably in 2021. Businesses that respond first will set trends and define best practices in the future economy.
As organisations adjust to the challenges of BYOD, remote working and the ever-evolving cyber landscape, working with service providers has become an increasingly important factor in delivering effective outcomes. Of course, the cyber security skills shortage is part of this, but so is the general need for expertise.
In this blog, we’re going to explain how we advise our clients to approach their cyber security strategy — and we hope it will help you plan more effectively for the future, as well as determine how we might fit into your operation.
Are you ready for the future of cyber security? Let’s find out.
Pillar 1: Cyber security is a journey, not a destination
By its very nature, cyber security is ongoing and iterative. There is no single destination or point at which your business will become 100% secure.
The cyber security landscape is always evolving: new threats, actors and risks arise constantly. To navigate this uncertain terrain, organisations need a strategy that is flexible, agile and living. Laying a solid foundation for that strategy means building a repeatable cyber security process. We've captured this idea within a five-stage cyber journey, as illustrated below:
The cyber journey is circular, so wherever you start, typically with your most significant blind spot, you will work your way through all of the key questions that must be answered to develop a robust set of actions.
Remember your risk appetite
As you prepare to embark on your cyber journey and develop this set of actions, it’s essential to understand your risk appetite. This is, as it sounds, the level of risk your organisation is willing to accept. The best way to think about this is to begin weighing up risk vs cost. For instance, you might weigh:
- The cost of cyber security vs the cost of a breach
- The risk of a breach vs the opportunity cost of not taking an action
No cyber security system can be 100% secure. But by deciding which risks are acceptable and which are not, you can effectively gauge your cyber security priorities and make targeted investments that will deliver the most impactful outcomes at the lowest cost. Of course, it’s also vital to consider your business priorities. After all, cyber security is there to enable your business outcomes, and your strategy should reflect this.
Pillar 2: Cyber security is an opportunity, not a cost
Cyber security comes with a price, and many organisations find it challenging to benchmark what their cyber investments actually deliver. However, it’s important to remember that a robust security strategy is an enabler of commercially-focused outcomes. This is why cyber security should be viewed as an investment opportunity — and one that can deliver measurable ROI.
For example, a new self-service customer support portal will require investments to make sure that data can be shared securely, and then safely stored within your system. However, the delivery of such a system will provide significant cost savings to your business, and potentially be a competitive differentiator within your market. If the necessary security investments cost £3 million over the next five years, that number looks a lot smaller when put next to £5 million in cost savings and £15 million in growth over the same period of time.
By looking at the opportunities created by cyber security, you ensure that you remain focused on projects that will actually benefit your business. Again, this comes back to aligning your appetite for risk with your business priorities. But an opportunity-orientated mindset is also critical for gaining the organisational support and funding needed to execute your strategy.
Getting the Board on-board
In our experience, organisational buy-in is central to orientating your business around cyber and effectively executing the cyber journey. Without support from the Board, your organisation is at an increased risk of a data breach — and you’ll also suffer from missed opportunities to adopt digital strategies and improve business outcomes.
Remember: cyber is not just about technology — it’s about people and processes. That’s why buy-in is all about communication. Ultimately, how you frame cyber security has a significant impact on how cyber security is perceived within your organisation and how effective your security system will be. Staying focused on the opportunities created by cyber is critical to effective communication.
Suggested reading: For more advice on approaching the Board about cyber opportunities, check out our free resource — Board Presentation Toolkit: Cyber Security and Threat Management.
Pillar 3: Flexibility doesn’t have to come at the cost of security
At Six Degrees, we are always pushing the importance of flexibility, and flexibility should (and can) go hand-in-hand with security. As discussed, the cyber journey is iterative, and the risk landscape is always evolving. This makes flexibility non-negotiable.
Flexibility is one of several reasons that working with a managed service provider is an important aspect of any complete cyber security strategy. Access to on-demand skills, scalable resources, and leading-edge technology delivered by a strategic partner all make it far simpler to respond to change. It can also help you overcome the cyber security skills shortage.
MDR and endpoint security
The type of cyber security you deploy also has a large impact on the flexibility and security of your estate. This is one reason we have become advocates of combining endpoint security with MDR, particularly given the increased threat that comes with remote working.
- Endpoint security: an approach to cyber defence that focuses on end-user devices (laptops, desktops and mobiles), but protects the wider estate by controlling what those devices can do and what flows to and from them. Policy and visibility are centralised while enforcement is pushed out to each device, so a single compromised device need not put the whole network at risk. It is an increasingly popular approach that makes remote working and BYOD simpler to accommodate.
- Managed detection and response (MDR): an outsourced service that provides active monitoring and incident response. It gives you a response team that can stop an incident from becoming a breach, without having to keep all of the required people and tooling on your payroll at all times.
Suggested reading: To learn more about endpoint and MDR, check out our ebook — Planning for the Future of Cyber Security Today.
Individually, each of these is a useful security measure. Together, they deliver more than the sum of their parts. Endpoint tooling is good at slowing an attack, containing the threat on the device and raising an alert. But an alert is only useful if someone acts on it: the threat has to be investigated, mitigated and prevented from spreading across the estate, and that is where MDR comes in.
Together, MDR and endpoint create a far more flexible system (able to accommodate both remote access and BYOD) while improving overall security outcomes. This flexibility leads to a more effective and secure outcome, both in terms of the cyber strategy and a business’s broader priorities. It’s also an example of how you can do more with less, bringing us on to pillar number four.
Pillar 4: It’s possible to do more with less
Effective cyber security isn’t about spending as much as possible, or investing in every tool on the market. It’s about aligning your specific business priorities with effective solutions that enable flexible delivery of key business goals.
In our view, doing more with less means your organisation benefits from:
- Stronger security
- Less technology to manage and less operational oversight
- Lower costs
- Reduced risk
- More visibility and agility to respond to threats
Creating strategic partnerships
Fundamentally, doing more with less is another reason that partnering with security experts should form at least part of your cyber security strategy. Managed security service providers (MSSPs) live and breathe cyber. That gives us economies of scale that allow resources to be delivered more cost-effectively, while removing the burden on internal teams.
The right cyber security partner will enable you to pay for the skills you need, only when you need them. At Six Degrees, we build upon the principle of ‘doing more with less’ and focus on supporting our clients’ cyber security and compliance services by offering:
- Consulting, helping businesses create smart, robust cyber strategies.
- Penetration testing as-a-service, validating that deployed controls stand up to realistic attack and surfacing the weaknesses that remain.
- Fully managed solutions, including incident response teams, managed detection and response (MDR), and a range of other cyber security services
But remember, doing more with less is also about the iterative process of the cyber journey and investing in the right things. This means focusing on your organisation's specific needs and desired outcomes by weighing risks and aligning your strategy with your top business priorities.
It all starts with an assessment
Preparing for the future starts now. This means that laying the most sustainable foundation for the coming decade requires understanding the risks and vulnerabilities your organisation faces today.
To achieve this, you also need to understand your priorities, your risk appetite and where you sit within the cyber journey. This starts with a cyber security risk assessment. A risk assessment is a critical tool for planning and communication, as it compiles your organisation's cyber security problems, solutions and opportunities into a single document.
Ready to take the next big step in your cyber journey? Get in touch — Six Degrees can help.