Verification: Boring but Vital!

8th of November 2018

Opinion by Kim Aarenstrup, Executive Advisor

How does top management ensure that it is sufficiently protected against cyber risk?

First of all, you obviously have to make the right investments in the right areas – and follow up with transparency and insight.

This is, however, not always as easy as it sounds, because the process involves many dilemmas that often stand in the way of real improvement. One of the major obstacles is that IT security often loses the battle for funding to the IT department, frequently for intuitively good reasons (customer experience, for example).
So, the only way top management can ensure a healthy balance is to allocate a fixed percentage of the IT budget solely to digital security investments. Typically, this figure lies between 3 and 10 percent, depending on the size of your IT budget.

The question remains, however, whether this approach is sufficient. It certainly ensures that investments are allocated to security, but how can the executive level be certain that those security investments actually work as intended and bring real value to the organisation?

It is crucial to ask yourself: is it not equally important to verify that the security solutions we have invested in actually work as intended? Security solutions, just like IT solutions, have to be tested thoroughly to ensure that they deliver the value you expected when you made the investment. We see many organisations simply assume that a solution works once it has been bought – which is understandable, as security solutions may not be as visible on your daily “business radar” as other IT investments. Whether that is the case or not, you have to verify that they work as intended before someone else does it for you.

Questions that you might need to ask yourself about your security solutions could be:

  • Do they block or detect threats as they were expected to?
  • Do they report correctly and without too many false positives?
  • Do the processes associated with them work as intended, and do the right people react and respond correctly and according to your procedures?
  • Are they updated correctly and in a timely manner?

There are many aspects to consider when managing cyber risk, but, as with any project or venture, it all starts with the funding. And as far as funding goes, one of my most important recommendations is always: do not forget to allocate a percentage of your security budget to verification.