The cost/risk balance to consider when setting up a cyber operations function

Adam McCarthy
Co-Founder and CEO at ParaFlare.
13 November, 2020
6 min read.

Before determining what to invest in cyber operations, organisations need to understand what they're protecting and why they're protecting it. They also need to be aware of where their threats are likely to come from so that they know what to defend against and prepare accordingly. 

Organisations need to ascertain whether their threats are likely to be financially motivated groups, advanced persistent threat groups, or hacktivists. That threat profile is a key consideration in any cyber operations investment strategy.

In addition to being on top of what assets need defending, organisations need to look at their intrinsic partnerships and service providers.

Critically, organisations also need to know the value of their human assets and how their people form a vital part of their cyber defence.

With a really good grasp of all of those elements, businesses can formulate outcomes, and begin to drill down into the second and third tier functions when setting up a cyber operations capability.

Say you're an organisation with 10,000 human firewalls using a mix of Windows, Linux, and Macintosh devices, as well as BYOD, teleworking, and multiple pieces of cloud infrastructure, including Amazon and Azure.

Identifying those assets, protecting them through a series of controls around antivirus and firewalls, and implementing a protection stack all cost money. That cost can be considerable for a 10,000 seat organisation, to the point where if you intend to cover off the protection side in-house, a specialist security engineering team would need to be established and retained.

In this circumstance, it is strongly advisable to follow a framework. There are multiple frameworks available to choose from, such as the Australian Signals Directorate’s mitigation strategies or the NIST (National Institute of Standards & Technology) cybersecurity framework. Which one you choose depends on how your organisation thinks about cyber strategy and which one most closely aligns with that view.

Whether you're a large or a small enterprise, there's a certain number of individuals that you're going to need to have in the team if you want to run a 24/7 operation.

Once you've got your protection stack sorted, you will need analysts to collect and correlate data from those systems, take feeds from your firewalls, antivirus, email gateway, proxies, and web servers, and analyse all of that data to detect threats.

Most smaller organisations use protection tool alerting as their detection mechanism. But those alerts are not correlated, and it is hard to quickly identify consistencies across different products and tools. A dedicated team, however, would bring all of that information together to detect threats, as well as proactively search for them.

This is where we start stepping into cyber operations and active defence versus a more passive ‘waiting for the tools to alert’ type of defence.

To engage in active defence, you need individuals who understand threats that are presented in very technical language and who can apply a level of analysis to inform the next decision. All of this requires human intervention to really understand the context, the technology sets, and the business.

The number of individuals that you require with those particular skills depends largely on the size and complexity of your environment. For a small organisation with around 100 staff members, you're looking at hiring two or three people to do that in a consistent manner, whereas for 24/7 defence monitoring, additional staff would be required.

For larger organisations with several thousand staff, you’d need a team of eight or nine people to correlate, contextualise, and provide the information required to inform the response.

This is where organisations need to weigh up the commercial aspects of a cyber operations capability. You can spend an unlimited amount of money in cyber and still not be 100% secure or 100% resilient. You can keep throwing money at a problem, but it really comes down to what is ‘enough’ to treat a risk significantly.

The protection mechanisms of an organisation reduce the likelihood of a breach, but not the severity of one, whereas cyber operations and active defence do reduce the severity of a breach by detecting it quickly and effectively, bringing that risk down to something that is acceptable to the business.

Usually, businesses apply weighting to a particular risk, with a dollar figure attached to that, commensurate to the size and the risk appetite of the business.

For a business that has 10,000 staff and operates in financial services, their threats are likely to be from financially motivated crime groups. Their risk profile in terms of losing PII (Personally Identifiable Information) is reputational, regulatory, and potentially financial.

They may treat that risk through insurance or they may treat it with a budget to provide more resilience and more protection.

Compare that to another organisation that has a similar number of staff but operates in a different industry, such as forestry and agriculture. Because most of their staff members are outdoors and they don't have very many IT systems, their risk profile is likely to be lower when it comes to regulatory risk (but the financial consequence of an attack could still be considerable).

In short, what drives the decision to engage in cyber operations really comes down to how the organisation sees cyber risk in their context, and how much money they're willing to invest to mitigate that risk.

One of the main challenges that we have is that most organisations don't truly understand the risk to their organisation until something bad happens.

At a lunch I attended just a few weeks ago, one of the CEOs at my table said he had recently experienced a breach. He said that post-breach, he felt that his cyber risk was comparable to being in the middle of the Serengeti with lions all around him. The key takeaway was that he'd only just appreciated that in the period following the breach.

That type of reaction is entirely typical. Once you have experienced a breach and you subsequently understand your risk profile, you will treat cyber risk differently to those that haven't had a breach and are blissfully unaware that they even have potential issues.

Once a business realises how big the problem is, they can treat it more effectively from experience. That’s why it’s so important to be proactive in determining your risk profile.

The people you have within your organisation, and their level of awareness and training, play an intrinsic part in dealing with cyber threats, whatever an organisation’s risk profile happens to be. Investment in people should not be sacrificed for more technology, as both are required to tackle cyber threats.

When it comes to a breach, more often than not, it’s an individual within an organisation who picks it up. They’ll see something that’s out of place and flag it. So when allocating your cyber budget, not only do you need to be targeted and surgical with it, you can't forget the human element: invest in training and build your own human firewall. Give your staff the tools and the reporting mechanisms they need as part of your overall investment.

A mistake organisations commonly make is that they focus too much on technology and not enough on the people to make the best use of that technology. It’s akin to a Formula One car needing a highly skilled driver to function at an optimal level.

Investing in people who can analyse and interpret the data is every bit as important as the technology investment.
