Cyber Security is a Business Problem

Now, whilst I’m not always enthusiastic about such reports, in this case Gartner make some very good points.  They suggest that the following key challenges are being encountered:


  • Cybersecurity spending growth is slowing, while boards are starting to push back and ask what they have achieved after years of heavy cybersecurity spend.
  • Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions.
  • Many current approaches to improve cybersecurity are falling short of providing appropriate and defensible levels of protection.


SMEs are invariably focused on cost, which means optimising their spend to ensure that they get the biggest bang for their buck, to coin a phrase.  However, time and again we see that they have spent sometimes considerable sums on technology without actually understanding what risks that technology is there to mitigate, and therefore have no real idea whether it is doing what they have been told it's doing.  The amount of money they are spending is of course relative: a sum that is a major outlay for a small business might be a minor consideration for a much larger one.  So, it becomes crucial that the mitigations put in place are appropriate to the risks they are there to mitigate.


Note that I use the term mitigate rather than prevent.  That's simply because eradicating risk is not possible if you are going to continue to do business.  The best you are going to achieve is to mitigate that risk to the lowest level achievable without getting in the way of business.


Gartner have identified the following challenges, each with its impact:


  • Challenge: Societal perception of cybersecurity is that it is a technical problem, best handled by technical people.
    Impact: Societal perception is dominated by fear, uncertainty and doubt. It results in poor engagement with executives, unproductive exchanges and unrealistic expectations. Ultimately, it leads to bad decisions and bad investments in cybersecurity.

  • Challenge: Organizations are focused on the wrong questions about cybersecurity.
    Impact: Unproductive questions are indicative of poor understanding, and drive attention away from an improved understanding and better investments.

  • Challenge: Current investments and approaches designed to address known limitations are not productive.
    Impact: Organizations are focused on new approaches that have great promise conceptually, but through a combination of failed execution and poorly set expectations, their investments are only delaying activities that will better improve cybersecurity.

  • Challenge: Real failures are not getting enough attention to productively change behaviour.
    Impact: Compliance with any regulation does not equal appropriate levels of protection.


Now, whilst some of these impacts may not be a 100% fit for many SMEs, particularly at the smaller end of the bracket, they are close enough to be taken very seriously indeed.  Every day, businesses take poor decisions about purchasing hardware and software to protect against cyber threats, without having carried out any kind of risk assessment to actually understand what risks they are trying to mitigate.  The end result is an investment in technology that, on its own, will not prevent many of the cyber threats that abound today, coupled with a false sense of security.


A competent cyber security professional will approach the problem from the point of view of People, Process and Technology, understanding that many mitigations require a combination of two or three of those to provide an adequate response to the threat.  For many SMEs, one of the biggest and quickest wins they can achieve is cyber awareness training for their staff.  If their staff are aware of the issues, they have a much greater chance of recognising a scam, a phishing attack, an attempt at social engineering and so on.  And oftentimes such things can be mitigated by sound policies and processes.  All of this comes before even considering spending money on technology.


However, the very first thing that should be considered is a risk assessment to actually identify the threats and vulnerabilities inherent in the business, thus enabling the risks to be identified and the mitigations needed to drive those risks down to an acceptable level to be worked out.  SMEs almost never do this, and it's a fundamental mistake.