7 questions all CxOs should ask to increase cyber resilience before buying more software

Procuring cybersecurity or enterprise resilience software is a multifaceted consideration, typically owned or heavily influenced by technical stakeholders like the CSO, CIO or CTO. But paradoxically, some of the best insights as to whether a particular software or technology is the right choice for your organisation can be gleaned by considering non-technical factors. Doing so will challenge you to reflect on your existing tools, the pace of external change, and your organisation's overall security posture, encompassing people and process too.

Here are 7 questions you should ask, particularly during the procurement process (but they apply at any time really), to help your organisation to make the best possible purchase and increase its cyber resilience at the same time. 

1 - Is Our Insurance Leaving Us Exposed?

Historically cyber risk was a consideration most CxOs could acknowledge, insure against and move on from. However as the prevalence, professionalism, scale and potential impact of cyber incidents increases, the insurance market is becoming ever more vocal about the limitations it must impose. In December 2022, the CEO of Zurich stated that “cyber will become uninsurable”, whilst Lloyds of London has introduced an exemption for state-backed attacks, claiming that “the losses have the potential to greatly exceed what the market can withstand”.

These shifts are predominantly driven by the increasing connectivity between the cyber and physical worlds, the continued rise of ransomware, and the growing professionalism of the cybercrime industry. 

Whilst there is pressure for governments to provide state-backed support for terror-related events (akin to natural disasters), finding clarity on what constitutes ‘state-backed’ is likely to remain a grey area that will incur significant legal fees to determine. 

The net result: you’ll find it increasingly difficult to insure against cyber attacks and, even when you do, it may become more challenging to realise the policy as you had anticipated. Consequently, you may find a widening gap between the risks you’ve insured for and the risks your security investments can mitigate against, so we’d recommend reviewing both at a frequency that reflects the external landscape. It’s highly likely you’ll need to increase your investment in technical solutions that span the full security spectrum including prevention, detection, response and recovery. 

2 - How Will This Solution Evolve to Keep Pace With the Threat Landscape? 

Long gone are the days of cybercrime being carried out only by a sole actor operating from a bedroom. Today, you should think of cybercrime in the context of a professional market with ready access to capital, R&D budgets and the ability to leverage new technology faster than you can.

For example, LinkedIn has already seen a rapid increase in ‘ChatGPT-style’ solutions using AI to create false profiles to scam job hunters and 2022, the US Federal Trade Commission estimated there were 92,000 related scams at a total cost of $367m, 75% up on the value in the prior year. Couple this with the growing IoT attack surface, which according to Statista, will double from 15 billion connected IoT devices today to 30 billion by 2030, and the associated risk for individuals and organisations is only moving in one direction. 

For reasons like these, you’re facing an unpredictable and increasingly potent threat landscape. Rather than being able to predict the specifics of how this will evolve, you need to ensure that the solutions you put in place today are inherently agile and capable of evolving to respond to new threats as they occur. That will more than likely incorporate your supplier partners, so understanding the resource and intent they have behind this effort is worth knowing.  

Don’t be shy here. Challenge your suppliers on their extensibility to meet new threats: what they think these may be, how they’ll respond, how quickly patches or product evolutions will make their way to you, and whether this incurs any additional fees.

3 - Do We Understand the Potential Impact of a Supply Chain Vulnerability?

In the wake of a global pandemic, a container ship getting wedged between the banks of the Panama Canal, and continued geopolitical unrest, I’m conscious that I may not win any insights points here but: your organisation’s cyber-related risks extend beyond your own controls through to your supply chain. Understanding your exposure to a failure here is an exercise worth undertaking and yet despite this, only just over half of large UK-based businesses review their immediate cyber-related supply chain risks according to the Department of Science Innovation and Technology.  

To give that some fiscal context, in 2023, MKS Instruments, a supplier of componentry and systems to the semiconductor industry, suffered a ransomware attack that impacted production related systems including order processing and shipping. The financial impact at the time of writing was estimated at somewhere between $200m and $500m; at least 20% of its quarterly revenues. The knock-on impact to one of its (unconfirmed) customers was of a similar magnitude; c.$250m. 

This disruption may also be digital or physical, so we’d advise considering both. You likely already have supply chain standards in place, but ask about the data that underpins your organisation’s confidence that the supply chain is meeting these. Many companies remain reliant on fixed interval auditing to achieve compliance, but we’d tend to favour a continuous, risk-based approach informed by data. 

4 - Are We Mitigating the Talent Shortage Effectively?

Arguably one of the most daunting challenges for many organisations is that of talent and skills.  

Gartner claims that there are 3.4 million cybersecurity vacancies currently in the market and that by 2025, nearly half of cybersecurity leaders will change jobs, despite sector pay increases of c.16% between 2019 and 2020. This churn will cost their organisations an incremental 30% on their people costs. Coupled with the fact that by 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents, and you begin to understand the significance of talent acquisition and retention. 

Burnout (chronic stress) and overwhelm (the inability to keep up with demands) are two key risks to retention and the efficacy of your cyber defence; and whilst technologies like automation, risk-based alerting and AI/ML can help here, it is worth incorporating healthy budgets for well-being, learning and development, and recruiting with attrition in mind.  

Even so, this talent gap won’t close quickly, so consider challenging your HR to define career paths or upskilling that can bring more talent into the area. Again, vendors across your supply chain can potentially bolster your capability here. Long term, it’s also to their advantage to have users familiar with their products too, so it could be a win-win. 

5 - Have We Created Clarity On our Priority Assets Before Committing Budgets?

In 2015, McKinsey surveyed 45 companies in the Global 500 about their cybersecurity spending and capabilities and found that there was little correlation between spend and level of protection. The obvious reason for this is that not all assets are created equal: they underpin operations in different ways, and have different risk and exposure profiles. It follows therefore that they should not be protected in the same way. 

This leads you to a risk-based approach to cybersecurity and here we can learn some lessons from the public sector. 

More than 100 governments have developed national cybersecurity defence strategies and McKinsey also benchmarked 11 of these to draw out the leading principles. These apply to enterprise organisations too. The key takeouts from a CxO perspective are:

1. Prioritise critical assets. Simplistically, this may require you to triage your organisation’s assets and consider an appropriate risk appetite for each tier. Best practice also encourages the implementation of common cybersecurity standards that are applied to your priority assets and governed effectively.
2. Ensure a standardised risk management approach to provide all incident responders and stakeholders with a common language for cyber incidents of different severity levels. This should remove bias from your investment decisions through standardising the inputs.
3. Ensure a clearly defined response and recovery plan with formalised and well-understood reporting principles, processes and resourcing. Be particularly clear as to which of these steps sits outside of the organisation via partners and other third parties. Have this documented in some form of service agreement.

The above points hold true for all assets but focus should be given to those most critical to the organisation’s performance.

6 - Can We Use This Moment to Simplify and Create Value Beyond This Purchase?

The instinctive response to cyberthreat is to invest in more technology. It is logical that as the attack surface and sophistication of threat actors grows, so does the need for technological defence capabilities and the classic way to drive better performance is to ingest more data in more ways, more frequently. 

However, over time, this tends to create a complex mesh of tools with overlapping capability that is difficult to navigate, adopt, implement and realise value. In short, you can fall into the trap of adding a lot more for a relatively small gain. As a result, many enterprise organisations are looking to consolidate and simplify their environments to save cost and increase value realisation. Creating access to and visibility of more data is (almost) always of benefit, but there are cost-effective ways to do this without duplicating effort or investment. 

If pursuing this technology or solution feels like the right choice, investigate whether it offers functionality that could displace incumbent tools to create a more user-friendly environment and potentially save cost.  It’s unlikely you’ll want to do this in one hit, but if the option is there, it’s worth considering how you can pilot and test that potential in a low risk way. 

7 - Are We Prioritising Capability Development or the Point Solution?

Cyber resilience is a journey, not a destination. The threat and technology landscape will continue to evolve very quickly and this makes developing the organisational ability to continue to adapt more important than reaching the ‘solution’ today.  

That may not necessarily be the answer for your organisation, but it will likely impact the type of cyber-capability ecosystem you are seeking to build, including for example the type and frequency of engagement with partners within this and how you decide to allocate capital across software, training and professional services in the short term. 

Either way, if your stakeholders are selling you ‘the answer’ in technology alone, they likely haven’t truly understood what you’re facing nor what you’ll need to maintain cyber resilience year after year.

What Does Good Look Like?

So now your peers consider you a strategically-minded cyber guru (you’re welcome), but you only got to question 3 of 7 and the meeting needs to move on. What are the fundamentals you should point out?

Caveat alert! This isn’t a one-size-fits-all solution but broadly speaking, we’d advocate the approval of solutions that:

1. Can amplify your organisation’s ability to evolve to meet the needs of your future organisation in the context of a growing, dynamic and increasingly professionalised cyber threat landscape that can be mitigated less and less by insurance.
2. Helps you to consolidate, simplify and streamline your IT environment to save cost, extract greater value and navigate the talent landscape (e.g. via automation, AI/ML, product or tool consolidation).
3. Can align functionality to value realisation. Be clear what value is being derived, how it will be measured and which assets it aligns to. This doesn’t have to manifest itself as GBP, USD or EUR, but it should align to board-relevant KPIs and be founded on a common lexicon across the organisation.

To Sign Off…

Congratulations for making it this far! Nobody is pretending this is easy, but I hope that simply by reading through this you have a better feel for the cyber landscape and a greater level of confidence when considering the merit of future investment decisions. 

Cyber resilience is not achieved through software alone, and as a non-technical stakeholder you can add enormous value to the procurement process by driving clarity on the ultimate objective, intended (and potential) value paths, and by ensuring the software is considered in the full context of people and process too.