How to Develop a Strategic Approach to Cybersecurity for 2023

Organizations are putting a lot of time, money and effort into combating cybersecurity threats. In a recent Gartner survey, 66 percent of CIOs said that cybersecurity is their top area for increased investment in 2023, even though many are facing a budget squeeze.

The research firm predicts that global cybersecurity spending will total $188.3 billion in 2023, and grow at a rate of 11 percent annually to reach $262 billion by 2026. Remote and hybrid work models, the adoption of zero-trust network access (ZTNA), and the continued shift to cloud-based solutions are driving market growth.

Given all the money invested in security tools and services, you’d think that organizations would be getting a handle on cyber threats. However, very few days go by without a major cyberattack or data breach, reminding us that there’s still much work to be done. Part of the problem is that few organizations have developed a strategic, risk-oriented approach even though most recognize that cybersecurity is a business issue as well as an IT issue.

Vulnerabilities and Risks

According to a recent survey by the Ponemon Institute, 58 percent of organizations are vulnerable to a data breach because they lack a well-defined security strategy, and another 58 percent lack an effective structure for risk-based decision-making. Only 37 percent are tracking the right metrics to be able to gauge security risks.

Spending money without a plan is simply not effective. Many organizations are finding that they have too many security tools and technologies, making it difficult to detect, investigate and respond to threats efficiently. In 46 percent of organizations, one staff member is responsible for four to 10 tools. Yet 58 percent of respondents say that poor visibility and blind spots make it difficult to protect business-critical assets.

Security Strategy Principles

Developing and implementing the right cybersecurity strategy can be difficult, given the scope of threats and the near-infinite ways to address them. These principles provide an effective starting point:

Make cybersecurity part of the organizational culture.

Some of the biggest threats are human error and lax adherence to security policies. Any cybersecurity strategy should incorporate ongoing cybersecurity education that focuses on best practices and how to identify security threats.

Identify your organization’s top cybersecurity risks and build your strategy around them.

There are a number of frameworks that can help guide the development of a risk-management strategy, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Organizations should also conduct regular risk assessments and consider the potential value of data and IT assets to outsiders.

Use industry-standard terms in security policies and communications.

A consistent approach helps ensure that all stakeholders, including executive management, understand cybersecurity issues and risks.

Ensure that cybersecurity basics are in place.

Most cyberattacks exploit well-known vulnerabilities. Organizations can improve their security posture by ensuring that systems are patched, privileged user accounts are properly managed, and sensitive data is encrypted.

Address the cybersecurity skills gap.

IT leaders should look beyond traditional job descriptions when hiring for security roles. Automation and strategic partnerships can also help offset the shortage of cybersecurity professionals.

How DeSeMa Can Help

DeSeMa’s consultants have deep expertise in cybersecurity, and can help you identify the threats that pose the greatest risk to your organization. Our team can then help you take maximum advantage of the tools and controls you already have in place, and select the right technologies to fill any gaps. We will also ensure that they are properly implemented and configured.

Investments in security tools and personnel can only go so far in combating cyber threats. Organizations need a comprehensive cybersecurity strategy that integrates with key business processes and aligns with corporate objectives.
