As part of our “Assess Outcomes (Not Features)” theme, we examine the specific outcomes that cybersecurity solutions should be driving for your small to mid-sized enterprise. This should help you to assess your existing cybersecurity solutions, determine the impact of potential solutions, and ultimately highlight the value and necessity of cybersecurity solutions to leadership within your organization.
Cybersecurity outcomes can be intangible. Not only is success dictated by the absence of a negative outcome (getting breached), but the cybersecurity knowledge gap may prevent leadership from understanding the progress you have made (even when aided by KPIs). In this post, we highlight the outcomes that your investment in cybersecurity should be driving, the value they bring to the SME, and how to demand that your cybersecurity provider clearly articulate how they deliver such outcomes.
If you want to learn more about the premise, check out our posts about the cybersecurity knowledge gap, SMB cybersecurity KPIs, and sound questions for leadership to understand cybersecurity.
The Road is Not the Destination
Some managers turn to roadmaps when faced with goals that are difficult to measure; especially when their department/program/solution is at an immature state. Plot the components of your desired state, identify the key milestones, tick them off as they’re completed, and more boxes ticked than last time shows progress… easy, right? Unfortunately, you can progress along the roadmap, and still suffer consequences along the way. This is especially so for cybersecurity, given the interdependent nature of your IT infrastructure, and the ways hackers seek to exploit it; if you’ve secured one area, hackers just move on to another point on the attack-surface, and get at their objective through lateral movement once they’re in. So, if your roadmap includes securing various points on your network (with ‘point products’), each as separate milestones, it can be misleading to say your risk has decreased because one ‘avenue’ is closed, when others remain available.
Let’s look at higher-order outcomes that your security program (people, processes, and technology) or vendor (if you’ve outsourced it) should be driving.
Outcomes You Should Expect
Risk Reduction: This is the reason you must secure your organization. It’s true for all organizations, though the costs and likelihoods can be higher for SMBs specifically. Mitigation of risk is very general, so to make it more tangible, you must look for:
- Reduced Operational Impact
For SMEs the impact doesn’t need to last long to evoke dire consequences. If you make something – how long could you go without making it? If you sell something – how long could you go without your email, telephone system, or website? If you provide a service – how long does it need to be down before you start losing clients?
When assessing this, be direct – ask your providers: how will you help keep my operation running? Don’t settle for the specific type of attack they recognize, or vulnerability they remediate – ask how they will address ransomware, categorically. Ask what will happen with a zero-day exploit. Ask what types of attacks you are still vulnerable to, that could result in an operational impact.
- Decreased Damage to/Loss of Data or Intellectual Property
For some firms, data is how they monetize, and it can be subjected to regular scrutiny in order to ensure quality. For others, their competitive advantage exists in the form of IP that is uniquely theirs… exfiltration of data/IP is no longer the only way hackers stand to benefit from targeting your organization – manipulation of data can be more difficult to detect, and can cause as much or more damage.
Ask potential providers: how will you know if data has been exfiltrated or manipulated? Requesting the details of the process allows you to assess the viability of the outcome they’re describing, and whether it will help you to truly mitigate risk.
Eliminate Compliance Fines
Fines can be debilitating for companies, and with the renewed focus upon consumer privacy in the USA and the EU, they have become so large that they are potentially enterprise-ending. Small to mid-sized enterprises are especially vulnerable to fines, with their limited access to resources for legal advice, expertise on privacy, or even cashflow to pay the fine. Regulatory compliance is a driver for risk-sensitive businesses, and cybersecurity vendors alike.
When considering a cybersecurity solution, be sure to ask which regulatory frameworks it can help address? How many specific requirements? If you are committed to securing your organization, you may as well select a solution that will also help you achieve compliance (business outcome: avoiding fines).
Any of these risks, when realized, can end your business venture – it’s just a question of amounts/duration/what disaster recovery plans you had in place when they occur. By acknowledging the severity of the potential impact, you can understand whether a provider’s inability to deliver an outcome is a deal-breaker.
Peace of mind
We acknowledge the intangibility of this outcome, but it remains an important one to consider for senior stakeholders. Your peace of mind depends on your (or your team’s) involvement with the solution. Assess this is by asking your provider: what will my role be in the implementation/management of this solution? What guarantees can you offer on the outcomes we have discussed? Peace of mind is a personal thing, so ask yourself “could I go on vacation, leaving this solution in place, and not be worried about the outcomes being achieved?”
Similarly, your provider’s ability to answer “Have we been breached? How can we be breached?” will help you make a decision that allows you to rest assured.
Access to Business Stakeholders/Entities
Customers, employees, shareholders and partners are all becoming more sensitive to provider, employer or supply chain cybersecurity risks. To ensure you can attract and retain business, you must clearly articulate what you are doing about cybersecurity. Clients want to understand that you have a comprehensive cybersecurity program in place, that you aren’t collecting data you don’t need, and that you have a plan in place if a breach occurs. Both your partners and B2B customers may have their own compliance requirements, that dictate that their providers/partners adhere to a certain minimum mandatory security standard. By investing in your cybersecurity program, an outcome you should expect is to achieve/maintain access to customers/partners like these.
Ultimately, if you wouldn’t proudly represent it on your website, you should reconsider the solution, because anything less could be insufficient for these important stakeholders.
Whether your cybersecurity program is developed, or immature, you now have a framework to assess the outcomes it is driving for your organization. We recommend you ask questions like these of your providers, and periodically assess them to ensure that outcomes are continued to be achieved. IntelliGO’s MDR service is an outcome-oriented approach to ensure a high-value, client-centric experience for our clients. We demonstrate our impact on a monthly basis through our report, and your risk is lowered immediately upon deploying the service. Just ask us how!