Urgent, Important or Both: Setting Priorities in IT Security

The fight against cyber threats is often described as an arms race. One side finds new attack vectors, the other side responds with new defense strategies. However, this suggests a greater sense of equilibrium than is actually the case. In fact, the sheer number of attacks is increasing faster than they can be stopped. A current report published by the Federal Authority for Information Security (BSI) in Germany at the end of September underlines this trend. The absolute numbers of threats and attacks have continued to rise in all areas. Although ransomware has largely disappeared from the media, it is still causing serious damage. Detection is becoming more and more difficult and companies are resorting to external backups to limit damage. This grave situation begs the question: who is going to deal with these increased threats? The Cybersecurity Workforce Study 2018 by (ISC) 2 states that there is a global gap of 2.93 million cybersecurity experts in the labor market. As many as 59% of cybersecurity employees surveyed believe that this shortage is either extreme or moderate for their organization.

Not every organization has the resources to address all attack vectors equally. Even if the budget and the workforce were unlimited, it still makes sense to prioritize. The 80/20 rule ensures rapid and effective success in the area of information security when resources are limited. One way to concentrate your resources on the right 80% is being aware of the risks facing your company. The US Department of Homeland Security recently issued a new policy to prioritize cybersecurity risks . It addresses converging digital, physical and personal threats and proposes prioritizing risks by potential damage. This is not really a new approach. Still, in many organizations, security is still not implemented according to needs, probability of occurrence and impact. This is where technology reigns, namely that of the manufacturer who has the best sales staff.

It is more tedious but also more sensible to think about the most valuable data and business processes from the start. If these are compromised, the existence of the company is at risk. Even this exercise will trigger controversial discussions within an organization, as naturally many process owners will prioritize their own activities as the most important. But in the end, businesses will focus on processes which bring in the money. Issues such as compliance and corporate governance may seem to be very important and have major implications for information security, but they are rarely core issues. Whether compliance is established a week earlier or later usually has no financial consequences. The situation is much more serious if an online retailer is taken offline for a week due to a ransomware attack. Process-oriented topics such as compliance can be simplified by classifying assets and data from the start.

Cyber risks must be assessed and prioritzed in a broader context, linked to critical business objectives, and evaluated against a realistic threat and resource analysis. Management support is essential and must be clearly communicated at all levels. When you're done with that, you should already be thinking about the next risk assessment. Business conditions are changing, attack vectors are evolving and new legislation may also shift the focus.