Make sure you don’t forget these critical elements

The tactics and tools used by cybercriminals are evolving, and your security strategy simply has to evolve faster if you want to keep up. If you don't take the necessary precautions to proactively protect your business, you're exposed to loss of revenue, data breaches, and potential liabilities. Even though companies are spending billions on cybersecurity every year, cybercrime still pays well, with damage costs projected to hit $6 trillion in 2021. It's no longer a question of whether your website security will be compromised, but only of when, with what type of attack, and how much damage it will cause your business.

So, how can you stay ahead of the game? What methodology or strategy should you adopt to secure your business and its users in 2020? What should you take into consideration before you plan the budget to fuel that strategy? What are some of the critical elements that you shouldn’t neglect? And how can you successfully pitch it to the C-suite?

To help you plan your cybersecurity strategy for 2020 and ensure sufficient funds are allocated to execute it, we’ve devised a straightforward three-step process: Define, Research, Allocate.

Step 1: Define your desired cybersecurity framework

Defining your cybersecurity framework is the foundation for your plan and budget. Before you can explore what it is you lack, it’s important to have a clear image of what you have and what you need. 

Internal analysis

We believe that cybersecurity needs to be planned and executed from the inside out. In our experience, the best approach is to start with a thorough overview of high-level strategic organizational goals, and identify where cybersecurity fits in and supports them. This means in-depth analysis of up-to-date business processes, evaluation of existing IT infrastructure and systems, regulatory demands and any relevant changes that took place in the organization since the previous cybersecurity budget plan.

One of the most important assets of every business is its website, and securing it is critical. Websites, especially those that handle customer data or connect to internal systems through web apps, are a popular target for multiple attack vectors. Especially common are attacks that exploit vulnerabilities in JavaScript libraries and formjacking attacks, with Symantec reporting nearly 5,000 websites compromised with formjacking code each month in 2018. Any third-party script included on a page runs with the same access to the DOM, cookies and user input as your own code, which is exactly what makes formjacking possible.

Threat assessment

Now that you know where you stand, it's time to evaluate current and future threats. Generally speaking, threats can be divided into three categories: external (attacks from outside the organization), internal (from within the company) and supply chain (attacks delivered through third-party vendors, services and components).

The third category of threats (website supply chain attacks) is commonly neglected, even though these attack vectors are very common (who doesn’t use third party tools on their website?) and the implications of a breach can be devastating. Just last month, PCI Security Standards Council (PCI SSC) and the Retail and Hospitality ISAC joined forces to highlight this growing threat. So make sure you don’t overlook them when planning your budget.

Security capability evaluation

Another crucial element in this step is the estimation of the current level of your security capabilities. Obviously, they are not unlimited. The main question to ask now is “how equipped is the organization to meet its strategic goals?”

One of the best methodologies you can use at this point is the Gap Analysis methodology. You can use it to map out your journey and review your current state of cybersecurity against the desired state. With such a map in hand, you’ll have an easier time navigating towards a framework to steer you toward the desired state without compromise, regardless of how long it may take to get there.

Step 2: Research the best cybersecurity tools & partners

To reach the desired state defined in step one, you’ll need the tools and partners that best fit the structure of your framework, those that can bridge the gap between what you have and what you want there to be. Where and how do you start looking?

Gather your people

Cybersecurity does not exist in a vacuum. It is not a discrete, standalone layer. This is why it’s important to recruit executives and decision-makers in the organization, to collaborate and cover all aspects of your cybersecurity framework. 

For example, collaborating with the CMO is a critical step towards getting to know the third-party tools and components (analytics tags, tag managers, chat widgets, A/B testing and ad scripts) that are or will be embedded in your website, since marketing typically owns most of them. This inventory is necessary for choosing the right security solution (or solutions) to protect your company, your website and your data from supply chain attacks and potential breaches.
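The inventory described above can be started from the page markup itself. The following is an added example written for this article, not code from the original page or from any vendor: it lists every `<script>` tag in a page, classifies each as first-party, third-party or inline by comparing its origin with the site's own origin, and flags third-party scripts that load without Subresource Integrity (SRI). The origin `https://shop.example` and the HTML in `SAMPLE_HTML` are constructed sample values, not a real site.

```javascript
// Added example: inventory <script> tags and flag third-party scripts without SRI.
// FIRST_PARTY_ORIGIN and SAMPLE_HTML are constructed assumptions for the demo.

const FIRST_PARTY_ORIGIN = "https://shop.example";

const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.net/tag.js" async></script>
<script src="https://cdn.jsdelivr.net/npm/lib@1.0.0/dist/lib.min.js"
        integrity="sha384-AbCdEf" crossorigin="anonymous"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Matches the opening <script ...> tag; [^>]* spans newlines inside the tag.
const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;
// Matches name="value", name='value' or name=value pairs inside a tag.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns one record per <script> tag: kind, resolved src, origin, and
// whether an integrity attribute (SRI) is present.
function inventoryScripts(html, firstPartyOrigin) {
  const siteOrigin = new URL(firstPartyOrigin).origin;
  const results = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!("src" in attrs)) {
      // Inline scripts cannot carry SRI; they are first-party by definition
      // but still worth listing, since injected inline code is a common
      // formjacking technique.
      results.push({ kind: "inline", src: null, origin: siteOrigin, sri: false });
      continue;
    }
    // Relative and protocol-relative URLs are resolved against the site origin.
    const url = new URL(attrs.src, firstPartyOrigin);
    const thirdParty = url.origin !== siteOrigin;
    results.push({
      kind: thirdParty ? "third-party" : "first-party",
      src: url.href,
      origin: url.origin,
      sri: typeof attrs.integrity === "string" && attrs.integrity.length > 0,
    });
  }
  return results;
}

// Third-party scripts with no SRI are the ones a tampered CDN or vendor
// could silently swap for a skimmer.
function findings(inventory) {
  return inventory
    .filter((s) => s.kind === "third-party" && !s.sri)
    .map((s) => `third-party script without SRI: ${s.src}`);
}

console.log(findings(inventoryScripts(SAMPLE_HTML, FIRST_PARTY_ORIGIN)));
```

Two caveats a practitioner should keep in mind. First, this only sees scripts present in the served HTML; tag managers and other scripts that inject further scripts at runtime are invisible here, so the static inventory should be complemented by observing what actually loads in the browser. Second, SRI is only usable for resources whose content is fixed; vendors that update their script in place cannot be pinned with a hash, which is why such scripts need other controls (Content Security Policy, runtime monitoring) rather than being ignored.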

Collaborating with customer support can provide valuable insights into customer behavior that can impact your cybersecurity operations, and are worth considering. 

And, of course, with CCPA and GDPR regulations demanding strong cybersecurity measures in place, don’t forget the legal department.

Research with questions

Now that you understand where you stand and have the relevant people involved, it’s time to delve deep into research on every aspect of your cybersecurity framework. The best way to do this is by using a list of important questions to ask. 

For example, it's important to know whether the solution you choose prevents one specific threat, or whether it will grow and expand in the future to protect against new threats as they emerge. Another critical question is how the solution will impact your users' experience, and what the cost/benefit considerations of its integration are.

When you reach the point where you begin to evaluate website security solutions, you might want to refer to our list of six questions you have to ask when selecting a website security solution.

Step 3: Allocate & approve the budget

Now it’s time to pour numbers into your framework. But what should those numbers be? 

How much is enough

Given how rapidly the cybersecurity landscape is changing and the high stakes involved, especially in the era of GDPR and CCPA, most C-Level executives are no longer asking “Are we spending enough on cybersecurity?” Instead, they ask “How much is enough?” and unfortunately, there’s no one-size-fits-all answer. The estimations of “average” annual spend on cybersecurity vary significantly between sources and greatly depend on the risk appetite of every organization, according to its unique needs and business processes.

ROI & the bottom line

Businesses, and more specifically, executives, are all about return on investment. So now it is time to see how your cybersecurity plan for 2020 increases ROI and has a positive impact on the bottom line.

This is the time to check ROI on prior investments and decide if it makes sense to keep them. Eliminating unnecessary expenses and removing outdated tools and services will give you a head start by (potentially) starting with a lower budget you can add to later on.

Now you can start adding the new tools and solutions you want to implement, keeping in mind the effect each has on the bottom line, both in terms of expense and in terms of loss prevention. When adding the new solutions, it’s worth going back to the previously deployed solutions and checking if any of the new ones might make them obsolete and unnecessary by offering the same (or similar) features.

Pitch it

Once you have a plan and a budget in place, it’s time for the hardest part. This is when you present it all neatly and get the executives to approve it. If you followed all of the steps detailed in this article, you’re likely to have an easier time accomplishing the task.

Be sure to use executive-friendly cybersecurity metrics that clarify the necessity of each item on your proposed budget. Another useful tool to help you show the executive level the need for cutting-edge website security is a Website Exposure tool.

The finish line

There are as many cybersecurity solutions out there as there are attack vectors and schemes. Choosing the ones that are relevant to your business and website can be a challenge. However, with a plan that emphasises business goals and evaluates assets and risks before addressing the potential threats, you can ask the right questions and provide the executive suite with the answers they seek on your way to a more secure organization in 2020.

Looking forward

That said, a year is a lot of time and a lot can change. New threats can become critical to mitigate and new regulations may require additional product implementation. This is why it is important that every digital business have a multi-faceted cybersecurity strategy in place, to create a system of checks and balances throughout the year. So as much as you would love to put cybersecurity budgeting activities behind you, be sure to revisit and optimize your strategy and budget.
