By: Martin Hoz
Are you an executive within a medium or large organization? Have you recently been approached about investments in cybersecurity but feel that maybe your company is not big enough or does not have the internal systems to support cybersecurity? If so, this article might interest you.
Organizations must approach cybersecurity decisions with the right mindset. Too often, sales pitches, or even pressures from above, are driven by motivations that are not in the organization’s best interest. This article looks at these motivations and the pitfalls they can represent.
Pressure from all sides
Organizations get pressure from all sides when it comes to cybersecurity investments. The rising risk of cyberattacks is widely covered in business and mainstream media, while traditional Information Technology companies expand their cybersecurity capabilities on offer through investment or acquisition. Many startups focused on cybersecurity have emerged, and conferences like RSA Conference, BlackHat, and DEFCON continue to attract record crowds.
From the demand side, The World Economic Forum’s Global Risks Report consistently includes cybersecurity on its priorities list, which often translates to budget line items. This increased attention on cybersecurity should come as no surprise. Digital transformation and remote work have sped up the adoption of new technologies, increasing vulnerability as the attack surface expands. It is a perfect storm that brings us to the first “motivation” – fear.
Conquering fear
Not a day goes by where the news doesn’t cover a sizable data breach or crippling cyberattack, often accompanied by statistics that demonstrate the rising risk and cost they incur. While headlines like these provide context and help raise awareness of the importance of investing in cybersecurity technology, talent and processes, they should not guide an organization’s security strategy. And neither should strong arm-sales tactics that trade on fear.
Cybersecurity decisions should be based on business objectives. They should consider the organization’s industry, risk tolerance, regulatory frameworks, and other factors. Approaches to cybersecurity investments must be planned and organized, not driven by a visceral reaction to a perceived threat. Learn to identify vendors that sell fear instead of value; they tend to point out the mistakes of others instead of focusing on their strengths.
Compliance
Compliance will likely play a role in cybersecurity investment decisions. Some jurisdictions or industries require infrastructure reliability guarantees or adherence to standards designed to protect personal data and privacy. Organizations run into challenges when they let the scope of their cybersecurity investments only cover what is needed to comply with a particular standard. This can often create a false sense of security.
Organizations must consider all business-critical elements and vulnerabilities regardless of the scope of the standard or regulation being implemented. At the same time, investments in compliance technologies often unlock functionalities that improve the organization’s security posture. If compliance is the organization’s only focus, you may miss out on additional value-adds.
Technology trendsÂ
Digital transformation is accelerating, driven by new technologies and “work-from-anywhere” models. Every time there is a change in how we consume technology, there is a new set of offerings to address that change.
Whether a move to the cloud, Artificial Intelligence (AI), Machine Learning (ML) or Secure Access Service Edge (SASE), these trends rarely require companies to migrate their entire organization to align with them.
Don’t get me wrong. Recent technologies and innovations are worth analyzing and exploring. It is worth looking at the cost of acquisition and migration as well as maintenance and operations to understand the full cost of ownership. However, organizations should not be pressured to invest without thoroughly reviewing the use cases and alignment with the organization’s existing technology stack and business priorities.
Your organization must invest in cybersecurity solutions, but you approach the decision for the right reasons. The security of your business should not be decided by fear, singular compliance requirements, or even the latest technology trends. In today’s digital society, a strong cybersecurity stance is critical – and all decisions about the technology, tools, and processes your organization requires should be weighed accordingly. By approaching cybersecurity investments with this mindset, you can avoid common pitfalls and come out ahead.
 Martin Hoz is Senior Regional VP Pre-Sales Expert, Canada and Latin America at Fortinet
