Cyberattacks have graduated from “possible” to “probable”, according to a major South African insurer. Businesses must act to reduce cyber risks, which many are doing by spending on new security services.
However, this approach often becomes reactive, creating more problems and consuming larger chunks of IT budgets without truly making an organisation safer. But there are better ways to create lasting security resilience.
Cybersecurity’s arms race
Cybersecurity spending is taking larger portions of IT budgets, growing by conservative estimates from 8,6% in 2020 to 13,4% in 2024. On average, the numbers are higher, and in some sectors security can take up a quarter of IT budgets. A majority of executives expect security budgets to grow by at least 6% in 2025, with some expecting 15% or more.
Yet cyberattacks are increasing, both in the number of successful breaches and in how frequently companies are targeted.
“After more than a decade of aggressive innovation and growth in cybersecurity, budgets should be stabilising,” says Gerhard Swart, chief technology officer at Performanta. “That’s not happening. A big reason is because criminals keep evolving their tactics, requiring companies to spend on improvements.
“But this isn’t the only factor. Another issue is that companies are engaging in a competitive arms race with criminals. For every new tactic the criminals develop, the company adds a new security service.
“This approach is unsustainable, which is why frameworks like continuous threat exposure management (CTEM) are becoming more popular.”
Stabilising security budgets
CTEM is a new approach where organisations proactively assess, scale, and pool their security by focusing on their business risks.
First, one starts with the biggest risks, such as the organisation’s financial data. Where is it stored? What is the likely damage if that data were stolen or ransomed? Then one needs to zoom in on access to the data. How is the data accessed and used? Who has access? Thereafter, one should start looking at specific threats. Is the data server secure? Is it integrated with other services, and are they secure? Are the people with access trained to spot cyberattacks aimed at them, such as phishing? Are the accounts with access safe? Do they use multi-factor authentication?
These questions can be routine for any security analysis. However, anchoring them to major business risks enables organisations to overlap security resources much more effectively. This focus also creates feedback loops to improve knowledge of new threats, prudently scale security coverage, and invest in continual improvements and resilience.
Anticipation creates better security
Swart compares continuous threat management to racing. “Imagine a racing driver who is very reactive. When they run into obstacles, they slam the brakes, punch the accelerator, and grind the gears. That’s not efficient, and they likely won’t win the race. Now, picture the driver who thinks ahead, who can anticipate what lies beyond the next curve, and has the experience to make the right decisions fast. They get through obstacles with more fuel in the tank and less wear on the car.”
Most companies and their security partners drive their security badly. They are reactive, throwing whatever they can in the moment at a risk. The problem is that this only works up to a point. Each victory brings them closer to ruin: higher costs, flagging security, and the potential for a successful and devastating cyberattack.
Simply buying cybersecurity products won’t make your business safer. In the battle against cybercrime, it leads to the worst uses of people, resources, and budgets. While business risks have influenced cybersecurity strategies, frameworks such as CTEM and the security providers that adopt them are putting those risks at the centre, providing an effective way out of crippling victories and towards long-term cyber resilience.
Five steps to CTEM
Gartner’s CTEM framework involves five steps:
- Scoping: Identify your organisation’s vulnerabilities, including devices, apps, and less tangible elements like social media and supply chains. External threats and SaaS security are good starting points.
- Discovery: Create a process to identify assets, associated vulnerabilities, misconfigurations, and other risks. Prioritise accurate scoping based on business risk and potential impact.
- Prioritisation: Prioritise security issues based on urgency, security impact, available controls, and risk tolerance. Focus on high-value assets and create a treatment plan addressing the most critical threats.
- Validation: Verify if a vulnerability is exploitable, analyse all potential attack paths to the asset, and determine if the current response plan is fast and substantial enough to protect the business.
- Mobilisation: Mobilise people and resources by communicating the plan to stakeholders. Streamline processes and document workflows, reducing obstacles to approvals, implementation processes, or mitigation deployments.