November 19, 2021

Last Updated on June 24, 2024

The Deloitte Insights report, “Reshaping the cybersecurity landscape,” indicates that financial firms have been steadily increasing security spend, board security involvement and security/business alignment over the past three years. With increased pressure on boards and executive management teams to address security risks, the number one cybersecurity “area of interest” from 2018 to 2020 has been “overall security strategy”—now top of mind for 95% of execs polled, a jump from 76% in 2019.

Is this a sign that organizations are getting smarter and more strategic about security? Are more people asking the right questions? Or are these trends mainly reactions to increasingly challenging regulatory and threat landscapes?

Chris Dorr, practice lead for Pivot Point Security’s Virtual CISO (vCISO) and virtual security team programs, considered this issue along with host John Verry, Pivot Point Security CISO and Managing Partner, on a recent episode of The Virtual CISO Podcast.

Are firms getting more strategic about security?

John and Chris have both noted a rise in strategic versus tactical conversations with clients generally in recent months.

“The last six months have been eye-opening to me,” John shares. “I’m amazed at how many of my conversations have become strategic, where I think prior to that they were more in the tactical realm. I think you’ve been experiencing the same thing, so I would ask you, is it us? Have we gotten smarter? Have we gotten more strategic? Or is it our clients? Are they getting more strategic? Are they asking the right questions? Are their boards feeding them? Or is this just a natural reaction to an increasingly complex set of information security requirements and regulations that people are dealing with? Or is it some combination of all those things?”

“I think it’s a combination of all of those things, and it’s definitely not just us,” Chris responds. “[There has been] this dramatic jump in senior managers really caring about information security strategy, to the point where basically they’re all asking that question.”

Drivers for a strategic security focus

Chris sees three main drivers for an intensified senior management focus on security strategy.

“The first reason is an increasing recognition that these tactical things that you have to do are much easier and much less expensive to do if you have a good strategy,” Chris relates.

“Another thing companies are seeing more and more clearly now is the increase in existential threats from information security—that no longer is the biggest threat to my company a data breach that’s going to cost me a million dollars. I can spend a million dollars. I don’t want to spend a million dollars, but I can. What I can’t do is have every single piece of information in my company turned into garbage by a ransomware attack that I can’t afford to pay.

“If the threats are increasingly existential, then the solution to those threats has to be increasingly strategic. And I think the third driver is an increased recognition that information security not only is a cost center but that it also is a business enhancer. We can help marketing, we can help sales, we can absolutely help product development, but we can’t do that unless it’s approached from a strategic standpoint.

“I think all of those things are combining to make senior managers at companies say, ‘You know what, we’ve got to change the way we look at information security,’” concludes Chris.

What’s Next?

Is cybersecurity strategy a hot topic in your boardroom and C-suite? Stay ahead of the curve by listening to this podcast episode with security strategist Chris Dorr: https://pivotpointsecurity.com/podcasts/ep65-chris-dorr-why-information-security-is-key-to-business-strategy/

Want to find out more about cybersecurity strategy? Here’s a related post you’ll enjoy: https://pivotpointsecurity.com/blog/3-things-every-smb-needs-to-become-provably-secure-and-compliant/