The Latest Tech Won’t Save You: Why Cybersecurity Needs More Than Tools
By James Rees, MD, Razorthorn Security
On 18th March 2024, Computer Weekly released an article entitled “Budgets Rise As IT Decision Makers Ramp Up Cybersecurity Spending”. It was an interesting article, citing a number of stats showing that IT departments plan to increase their cybersecurity budgets and that, globally, 65% of organisations were going to spend more on cybersecurity. It is interesting to me because it outlines a number of issues that many people I speak to have with organisational cybersecurity at present.
What are these issues I hear you ask?
The False Security of Technology-Focused Spending
Well, for a start, this article highlights that IT departments are missing some rather important aspects of securing an organisation, namely that not all security should be focused on the technology. I am not saying technology isn’t important – it is. IT tooling in general drives every organisation: email, data, software, cloud, and a great deal of other important technical solutions are at the core of most of our organisations in today’s modern world. The trouble is, as many of us cybersecurity professionals have pointed out for years, none of the technical security tools and toys are going to protect you entirely, because they only address a small piece of the puzzle. Real information and cyber security needs to begin as a broader strategic piece before you even start on the technical aspects of security.
Key Issues Highlighted by Rising Budgets
This is the first key issue. There is far too much emphasis on the technical side and not enough on strategic management and review of security. We seem happy to spend hundreds of thousands on technical security without even considering the cost of the rest. Security professionals also need budgets for managing the GRC (governance, risk and compliance) side of security. If you do not put a good blend of technical and non-technical countermeasures in place, managed by individuals with the correct experience, then you may as well take half that money and burn it.
The second issue highlighted by the article is the lack of a comprehensive, risk-based approach. Security budgets may be ramping up, but the spending seems to be a reactive measure rather than a proactive one. A more effective approach would be to conduct regular risk assessments to identify potential vulnerabilities and then allocate resources accordingly. This would ensure that security spending is targeted and efficient, rather than simply throwing money at the problem and hoping it goes away.
Thirdly, there seems to be a gap in terms of education and awareness. Cybersecurity is not just an IT issue; it is organisation-wide. Everyone in the organisation has a role to play in ensuring the security of data, from the CEO down to the newest hire. However, many companies still fail to provide adequate training and awareness programmes for their staff. This leaves them vulnerable, as employees are often the weakest link in the security chain.
Remember – you can have all the latest tech tools but if your employees are not educated about their role in information security, or if your management doesn’t have a strategic plan for managing risks, then you’re still exposed. Cybersecurity isn’t solely about technology; it’s about people, processes and policies too.
The Need for a Unified, Proactive Cybersecurity Strategy
The article references the Cybersecurity Certification Scheme, an EU initiative to – in their own words – “harmonise the recognition of the level of cybersecurity of ICT solutions across the Union, allowing vendors and service providers to reach more customers.” That, coupled with DORA and the endless stream of other legislation, frameworks, AI standards and other security-related discussions, not only in the EU but in many Western countries, shows there is a very keen recognition that the cybersecurity issues we are all currently facing NEED to be addressed.
However, there seems to be little agreement on how to proceed and, unfortunately, judging by some of the material I have seen recently, a great deal of vendor influence is being exerted. What I am seeing a distinct lack of is a comprehensive, unified approach to cybersecurity. Many of these initiatives appear to be reactionary or piecemeal, rather than part of a cohesive strategy. Moreover, there is a lack of clear communication and understanding between different stakeholders, such as governments, businesses and the public.
There is a significant knowledge gap when it comes to cybersecurity. Despite the increase in cyber threats and attacks, many individuals and organisations still lack a basic understanding of cybersecurity practices and protocols. This makes it challenging to implement effective security measures.
Furthermore, while vendor involvement is important (as vendors often have the technical expertise), there needs to be greater emphasis on ensuring that these vendors are acting in the best interests of their clients and not merely pushing their own products or services.
Finally, although there has been a considerable amount of discussion around AI and its potential for enhancing cybersecurity measures, there seems to be little action taken towards integrating this technology into existing systems.
In summary, while recognising the need for increased spending on cybersecurity is an important first step, much more needs to be done to create an effective and unified strategy that addresses these issues comprehensively. For any assistance you might need with your cybersecurity budget allocation, get in touch – we’d be happy to help.