Leadership

A massively common analogy I see in security is the idea that security is like paying for insurance in case something goes wrong. I think this is great if you only have 3 seconds to describe security, but that’s not really how I have conversations with people. A sound bite isn’t reality, and to be honest I personally find it rather meaningless. I also know that many people don’t like, or even pay for, a range of insurance, so when we look at how we try to improve digital security from a whole-of-society perspective, I think this phrase doesn’t work; it’s too narrow…

To me, investments in cyber defences are an investment in:

  • Quality
  • Safety
  • Efficiency
  • Business Intelligence
  • Business Enablement
  • Risk Prevention
  • Business Resilience
  • Future Proofing
  • Brand
  • Customers

and

  • Security ‘Insurance’

Value Perception

Another area I think people struggle with is viewing security as a silo: a team, a department, etc. Sure, in some organisations you may have dedicated security departments or teams, but in many organisations this isn’t the case.

The security investments a business makes can take the form of improved training in the development team, or enhancing the release (and testing) process to include security testing and remediation.

Security touches every part of a system’s lifecycle, from inception to operation. Inside every transaction there is a security view, but it’s also important to realise that security is not the only viewpoint. Typically, when we look at ‘systems’ from a business perspective, we might consider:

  • Experience
  • Administration and Operations
  • Legal
  • Performance
  • Capacity
  • Availability
  • Quality
  • Risk
  • Opportunity

When we look at defence spending in countries, for example, they might spend say 2.5% of GDP; when we look at organisations, I struggle to find organisations that spend even 1% of revenue dedicated to digital security.

We keep seeing constant incidents, from ransomware, business email compromise and data breaches (typically from open directories etc.), and we keep seeing that organisations are seemingly not investing sufficiently to protect against, detect and respond to cyber threats in a meaningful manner. That’s not universal, but I would say about 80-90% of organisations do not invest sufficiently. Until we manage to change the financials, we will keep being on the back foot when it comes to cyber crime in the business world.