IT Innovation, Part 2: Maximizing the Value of Security Investments

Jonathan Wyatt, Managing Director, Global Head of Protiviti Digital

As my colleague Ed Page indicated in his January 11 post, digital transformation represents one of the biggest innovation opportunities of the 21st century, and failure to respond quickly to innovation opportunities is one of the biggest risks faced by any business today.

A recent Protiviti white paper, Catching the Digital Wave of Change, points out that no industry is isolated from the challenges and opportunities of disruptive technology. Wearable technology, driverless cars, the Internet of Things, robotics, blockchain, biometrics, drones and nanotech are but a few examples of disruptive technologies that leaders of the future are harnessing today. In many cases, however, while business leaders recognize the opportunities, their IT counterparts struggle to deliver the digital innovation, hamstrung by day-to-day operational challenges and associated budget pressures.

It’s not for lack of trying. Over the past decade, IT departments have been reducing operations and maintenance costs consistently. Most of these savings, however, have gone to fund other priorities, the biggest being security, which now accounts for 16 percent of the average IT budget, according to our most recent benchmarking study of technology trends. Taking into account other priorities, including compliance and system enhancements, mature businesses are left with only 13 percent of their budgets free for innovation.

With a strained budget, it then becomes critical for IT leaders to prioritize spending according to top-down strategic risks. Cybersecurity is one area ripe for such prioritization.

I see too many businesses look at cyber as a generic risk that must be avoided, without taking the time to clearly define the organization’s risk appetite and the adverse business outcomes that they are concerned about. As a result, many businesses end up focusing on the wrong things, reacting to technical vulnerabilities rather than focusing on the desired business outcomes. This, in turn, causes many security programmes to become a drain on resources without delivering significant reductions in the risk of the business outcomes that the business is most concerned about. Conversely, when IT leaders look at information security risks more holistically, focusing on strategies to manage adverse business outcomes rather than on every technical weakness, they end up investing in very different things and adopting very different strategies.

In other words, IT leaders need to step back and ensure that they are getting the results they want from their cybersecurity investments. This means focusing on protecting what’s important (the “crown jewels”) rather than trying to achieve the impossible and completely locking down the entire perimeter; keeping up with the cyber threat landscape to know what kind of attacks are most likely to occur; and being proactive about incident response so that systems can be put back online with minimum impact to the business. Without this discipline, cybersecurity will continue to consume larger and larger portions of the IT budget. Innovation will suffer and the business may ultimately fail — not because a cyber threat is realized, but because the disproportional and unfocused spending on one operational risk has distracted the business from the more strategic risk of failing to mount a competitive response to new entrants and/or innovators.