The most valuable data you have might not be your own. Professional services firms need to protect not only their own data, but also that of their clients.
Your clients might have different types of data, or be subject to different data regulations, than your firm. The need to access that data while also protecting it can lead to complex and costly cybersecurity solutions.
The cost of security
Data is a growing part of the proprietary value in companies today, so data security is essential. But it can also be expensive. How much do you need?
“You could potentially spend a huge amount of money on cybersecurity, but it might not be the best decision for your organization,” said Grant Thornton Cyber Risk Advisory Services Managing Director Don Sheehan.
To optimize security, you need more than just spending, you need strategic spending. “You can reduce cybersecurity cost and improve response and operations, at the same time,” Sheehan said. “It takes some management direction and dedication, but you can actually reduce your spending and improve your effectiveness. It really is possible.”
As digital threats continue to grow, it’s important to get the most out of your cybersecurity investment. In a recent Grant Thornton webinar, more than 700 attendees indicated that cybersecurity automation, processes and strategy held the greatest opportunity for improved returns.
To achieve more effective and cost-effective cybersecurity, you need to start with your strategy.
Strategy
Many organizations plan cybersecurity based on technical factors without adequately considering their business goals. Likewise, many organizations make business decisions without adequately considering cybersecurity implications.
“We want to make sure that cybersecurity and the business are aligned,” Sheehan said. “People have talked about this for years, but we really need to build that bridge right now. We need to make sure that we're aligned in the right direction and supporting the business as it moves forward. Whether it's the primary goal of the business, a supporting goal, or internal functions, there are different IT and security functions that can align there.”
“Securing everything” is expensive, slows response time, and creates constant alerts that make it harder to spot real threats. Instead, make sure you set priorities in line with the business goals. In business terms, your cybersecurity spending should focus on reducing the risks and empowering efficient responses that are most important to maintain secure business operations. This risk management perspective can help you understand how to balance costs. It can also help you set priorities for the data, assets, people, processes and technologies involved.
Data management
“From a data protection position, firms need to be thinking about having a provider that is going to help them, and provide them with advice around any SaaS products that they may be providing to market,” said Grant Thornton Professional Services National Leader Frederick Kohm in his 2024 industry outlook.
As organizations acquire new solutions and data, many adapt their cybersecurity processes along the way. This can lead to a disjointed cybersecurity strategy that sets the wrong priorities or even leaves unprotected gaps. Effective and efficient cybersecurity needs to align with your business data priorities. “Do an analysis of what you have, and then you can prioritize data in different categories for each level of data and the metadata that goes with it,” Sheehan said.
In a recent Grant Thornton webinar, most attendees indicated they had not integrated a data assessment into their security operations.
“Everyone’s at different stages, but relatively few have actually done the full data assessment and integration,” Sheehan said. “You need to understand that this can impact your data privacy as well, especially if you're subject to data privacy regulations.”
Organizations need to understand where data resides, what restrictions should apply, and what the priorities are for the business. This is important not only for security, but also for programmatic efficiency. Sheehan recalled one organization that chose not to do a data assessment because it deemed the assessment would be too expensive at the time. “I watched them spend about 10 times that amount over the next few years, protecting everything instead of putting things into categories and protecting the right information. It’s actually a huge way to save money — to know what you have, know where it is, and know where those data points come together.”
Asset management
Effective asset management can enable quicker cybersecurity incident analysis and response while helping to reduce costs.
“Asset management, while not a cyber function, is key to cyber success. Not everything that improves your cybersecurity has to come from your cyber dollars,” Sheehan said. Asset management tools provide insight into your number of users, assets and other accounts. “It makes sense to reduce the unused accounts, assets and devices, which can reduce your software licensing costs and your attack surface.”
The more assets and accounts you have live, the more targets for a cybersecurity attack. Unused accounts can be especially dangerous, since new activity might go unnoticed. It’s also important to know where you have old systems or software. “Fairly often, teams will find a threat and release a fix that works for recent versions, like Windows Server 2019 and newer,” Sheehan said. “But what about Windows 2016 servers? How many of those do you have? Or, how many iPhones have access to your environment that are on Version 16 or lower? What system would you have to figure that out?”
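An added example, not from the article or from Grant Thornton, of the kind of inventory query Sheehan describes: flag every asset whose version sits below the floor that still receives a fix. The inventory rows, hostnames, owners and version floors are constructed for illustration.

```python
"""Flag inventory records below a minimum supported version.
Added example; the policy floors and inventory are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    platform: str     # e.g. "windows_server", "ios"
    version: tuple    # numeric components, e.g. (2016,) or (16, 7)
    owner: str

# Constructed policy: lowest version the fix in question covers.
MIN_SUPPORTED = {
    "windows_server": (2019,),
    "ios": (17,),
}

# Constructed sample inventory (hypothetical hostnames and owners).
INVENTORY = [
    Asset("fs-01", "windows_server", (2016,), "it-ops"),
    Asset("app-07", "windows_server", (2019,), "it-ops"),
    Asset("app-09", "windows_server", (2022,), "dev"),
    Asset("iphone-amy", "ios", (16, 7), "sales"),
    Asset("iphone-raj", "ios", (17, 2), "finance"),
    Asset("printer-3", "embedded", (4, 1), "facilities"),  # no policy entry
]

def below_floor(asset, floors=MIN_SUPPORTED):
    """True when the platform has a floor and the asset is under it."""
    floor = floors.get(asset.platform)
    if floor is None:
        return False
    return asset.version < floor  # tuple comparison: (16, 7) < (17,) is True

def unsupported_assets(inventory, floors=MIN_SUPPORTED):
    return [a for a in inventory if below_floor(a, floors)]

def unknown_platforms(inventory, floors=MIN_SUPPORTED):
    """Platforms with no floor at all: a gap in the policy, not a clean result."""
    return sorted({a.platform for a in inventory if a.platform not in floors})

def summary(inventory, floors=MIN_SUPPORTED):
    """Count of out-of-support assets per platform, for the report."""
    counts = {}
    for a in unsupported_assets(inventory, floors):
        counts[a.platform] = counts.get(a.platform, 0) + 1
    return counts

if __name__ == "__main__":
    for a in unsupported_assets(INVENTORY):
        ver = ".".join(map(str, a.version))
        print(f"UNSUPPORTED {a.platform} {a.name} v{ver} owner={a.owner}")
    print("per-platform:", summary(INVENTORY))
    print("no policy for:", unknown_platforms(INVENTORY))
```

The unknown-platform list is the part an inventory tool tends to hide: an asset with no policy entry is neither supported nor unsupported, only unassessed.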
Most organizations ultimately need to track a range of various assets and platforms, including various versions — and Sheehan said this diversity can be a good thing. “One answer for asset management is to try to deploy the same device to everybody. But nature usually doesn’t like a monoculture, and bad things can happen when there’s no diversity. If you have only one operating system, and ransomware or other malware infects that, you may not be able to get into your other SaaS-based tools at all. You may not be able to manage it.”
Sheehan said that a diversity of roles can help improve your cybersecurity, too. “Having different people looking at cybersecurity from different perspectives, seeing different aspects, is fantastic.”
People management
Since everyone plays a role in cybersecurity, it’s important to manage those roles.
“Almost everybody in an organization deals with some relatively sensitive information, to one degree or another,” Sheehan said, including:
- End users: The majority of employees interact with sensitive information on a daily basis.
- Executives: Leaders are at a higher risk for phishing, since they are often considered the most likely targets (“MLT”).
- Developers/clinicians/sales/HR/Finance/Internal audit: These teams are outside of cybersecurity but have a special duty to protect sensitive information.
- IT staff: IT admins have privileged-access accounts that can potentially halt business operations.
- Cybersecurity teams: Apart from operations, these teams also include architecture, policy/governance, identity/access management, privacy, and third-party risk.
It’s important to understand the full scope of an employee’s access, because with access comes the potential for mistakes. In a recent Grant Thornton webinar, attendees indicated that accidental employee actions are actually their top cybersecurity concern.
“If you look through annual reports on cybersecurity, accidental employee actions are really key,” Sheehan said. That’s because a lot of cybersecurity really depends on small decisions — the decisions that employees make every day. “The core aspects of cybersecurity hygiene really might have the most pervasive effect on your overall security,” Sheehan said.
Basic cybersecurity hygiene can have the most pervasive effect across the organization, so it’s important to monitor that effect. “There are a lot of things that the cybersecurity team needs to monitor, but they don’t manage or own,” Sheehan said. “Where are all of these things? What is the data you’re monitoring? How are you going to get that data into a place where a group of people can look at it, understand it and provide a context-based and risk-based analysis of what's going on?”
To better control access to data and information, consider a zero-trust approach that verifies each access request to protect against internal and external threats. Encryption and blockchain technology can enhance data security to help ensure the safety and integrity of data.
There are many elements to an effective cybersecurity strategy. To effectively monitor, manage, maintain and champion cybersecurity that efficiently enables your business goals, you need a central authority that drives, and even automates, the processes behind your cybersecurity strategy.
Processes and automation
A security operations center (SOC) can consolidate the ongoing management of your cybersecurity strategy. The SOC can provide 24x7 monitoring of processes, overseeing cybersecurity priorities for data, assets and solutions. The SOC can further analyze centralized activity in a security information and event management (SIEM) tool, to assess risks and initiate actions. SOC areas of interest include:
- Data priorities: Your SOC should know where the “keys to the kingdom” data resides, along with other data priorities, to coordinate effective and efficient protection.
- Shadow IT: New solutions can appear in the organization. “People often say ‘I want to try out an AI product,’ or ‘I want to use another solution instead of the enterprise standard,’” Sheehan said. “Or, they want to use personal accounts to get into an online tool where they upload data that might include intellectual property. They have a reason, but that doesn't mean that it makes sense and is a good business practice for the organization.” Your SOC can also help spot when these solutions, and their associated risks, arise.
- Solution design: Your SOC can help inform your organization’s solution architecture and engineering, helping to ensure alignment with the organization’s business goals and risk management.
- Event telemetry: As your SOC monitors your SIEM and other tools, it can assess and prioritize the events and alerts, taking action and identifying opportunities to automate actions in the future.
A periodic review of your technology stack can be another important element in cybersecurity. This review can help ensure that tools are being used in ways that align with the cybersecurity strategy and adapt to evolving threats. Continuous updates and assessments can help you take advantage of the full potential of your technologies to safeguard against the dynamic nature of cyber threats.
“There are basic things that the SOC should do to be helping the organization, not just a cost center,” Sheehan said. “Security operations should not be the star of Dr. No. When other teams ask the cybersecurity team for something, the first answer should not be ‘No.’ That's an old-school approach that doesn't make sense. That's not a business enabler, and it just doesn't work. That's a failure.”
Process alignment
One of the ways that the SOC can help drive business value is by centralizing and coordinating processes.
“You need to have everything in the right place, everything coming together so you can see the big picture, have context for what's going on, and make good analyses of what's going on with what is risky and what is not,” Sheehan said. That might sound like an expensive endeavor, but it usually means coordinating existing activities both inside and outside of typical operations:
- Solution development: “We reduce risk by designing secure systems. You reduce cost by designing secure systems. You reduce both by considering security up front,” Sheehan said. Solution development and IT architecture and engineering typically judge a solution by whether it is available, delivers its service and stays stable. Cybersecurity priorities are typically confidentiality, integrity and availability. These overlap, but they are not entirely the same, and it’s important to integrate security into the early stages of solution design and development.
- Solution procurement: The procurement and finance teams need to be coordinated with IT and cybersecurity, to help ensure that new purchases or contracts are aligned with an efficient cybersecurity strategy and support.
- Identity and access management (IAM): Your organization’s IAM might be managed by IT and audited by cybersecurity, or you might have another structure, but you need to centralize and monitor IAM information so that you can efficiently see if there are compromised accounts. You also need to reduce your attack surface by decommissioning accounts or systems when appropriate. “Please also remember, as you're reducing that number of users, to always have a break-glass function,” Sheehan said. “You need a way to get back in, in case other things happen with your IAM system. And your system should alert you if that account ever gets used.”
- Governance: The policy and governance teams have a risk management strategy that should be informed by, and coordinated with, cybersecurity needs. Data retention standards, for instance, need to be aligned with the right minimum and maximum timelines that allow for effective and efficient cybersecurity. Policies can also be important to help direct and authorize the organization’s action. As your employees, contractors and other collaborators gain access to new technologies and solutions, make sure that you have policies in place to address any activities which put your organization at risk, to authorize the appropriate action.
- Internal audit: Internal audit should play a central role in assessing your IT risks, including your cybersecurity risks. The internal auditors usually start by evaluating the organization’s policies but, even when policies exist, they need to go farther to ensure that they are being followed.
- Training: Training can be at the center of driving cybersecurity hygiene, across the organization’s workforce, in an ongoing way. “That human firewall is important — make sure that people have an idea of what to do,” Sheehan said. “You won't stop every click, but you want to make sure they understand the threats and have an awareness.”
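An added example, not from the article or from Grant Thornton, of the two IAM checks the identity and access management item calls for: alert on any use of the break-glass account, whatever the outcome, and list accounts with no recent successful logon as decommissioning candidates, with the break-glass account exempt from decommissioning. The log format, account names, IP addresses and the 90-day dormancy threshold are constructed assumptions.

```python
"""Break-glass use alerting and dormant-account listing over a constructed
authentication log. Added example; names and thresholds are assumptions."""
from datetime import datetime, timedelta

BREAK_GLASS_ACCOUNTS = {"bg-emergency-admin"}   # hypothetical account name
DORMANT_AFTER = timedelta(days=90)
NOW = datetime(2024, 7, 1)                      # fixed "today" for the demo

# Constructed log lines: ISO timestamp, account, outcome, source (RFC 5737 range).
AUTH_LOG = """\
2024-03-01T08:02:11Z user=alice result=success src=192.0.2.10
2024-03-01T08:05:40Z user=bob result=success src=192.0.2.11
2024-03-02T23:14:02Z user=bg-emergency-admin result=failure src=192.0.2.99
2024-03-02T23:14:30Z user=bg-emergency-admin result=success src=192.0.2.99
2024-06-10T09:00:00Z user=alice result=success src=192.0.2.10
2024-06-11T10:30:00Z user=svc-legacy-report result=failure src=192.0.2.50
"""

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def break_glass_alerts(records, accounts=BREAK_GLASS_ACCOUNTS):
    """Every event on a break-glass account is an alert: a failed attempt
    against it matters as much as a success."""
    return [r for r in records if r["user"] in accounts]

def dormant_accounts(records, now=NOW, threshold=DORMANT_AFTER,
                     exempt=BREAK_GLASS_ACCOUNTS):
    """Accounts whose latest *successful* logon is older than threshold.
    Failures do not count as use, so an account seen only failing is
    dormant too. Exempt accounts (the break-glass path) are never listed,
    because decommissioning them removes the way back in."""
    last_ok = {}
    for r in records:
        if r["result"] == "success":
            prev = last_ok.get(r["user"], r["ts"])
            last_ok[r["user"]] = max(prev, r["ts"])
    seen = {r["user"] for r in records} - set(exempt)
    return sorted(u for u in seen
                  if u not in last_ok or now - last_ok[u] > threshold)

if __name__ == "__main__":
    recs = parse_log(AUTH_LOG)
    for r in break_glass_alerts(recs):
        print(f"ALERT break-glass use: {r['ts']} {r['user']} "
              f"{r['result']} from {r['src']}")
    print("decommission candidates:", dormant_accounts(recs))
```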
Even with an SOC and effective cybersecurity processes in place, a growing number of organizations are also getting cybersecurity insurance. These insurance providers typically require cybersecurity audits, and a framework of cybersecurity standards, that can help enforce compliance across the organization. The standards can help identify issues that the organization might not have been monitoring, and compliance is usually tied to the cost of the insurance. So, better cybersecurity can be directly tied to cost savings.
“One key piece is that whoever signs up for that insurance — the CFO or COO office — needs to communicate with the CIO, CISO, IT and cybersecurity teams about who has it, what it covers and the other details,” Sheehan said. “Often, executives tell us that they have it, but others on the executive team don't know about it and have no idea where the coverages are.” It’s also important to note that policies might have preferred providers, and might not cover work from other providers at the same level.
It can even be important to call your cybersecurity insurance provider in the midst of an attack. “They can often help negotiate with the attackers, especially if it's ransomware,” Sheehan said. “They can help negotiate that down, because the insurer's paying it, so it's in their best interest.”
Effective process alignment can help you improve security while also saving costs. Plus, when an SOC can look at centralized processes, it can more effectively identify tasks that are standardized, repeatable and time-consuming. These can be excellent candidates for automation.
Automation
The growing complexity of cybersecurity for AI solutions and other evolving technologies has pushed some organizations to consider automation. Many have considered or implemented security orchestration, automation and response (SOAR) tools, but it’s important to recognize that these tools, or any automation, will still require some coordination and work from your teams.
“Be aware that automation is going to take some engineering resources,” Sheehan said. “That's not bad — it's just that you want to make sure you're doing a full cost/benefit analysis as you consider it.”
Well-planned automation can save significant cybersecurity costs over time. To analyze your opportunities for automation and plan the right approach, consider the following factors:
- Complexity: There will be process exceptions, architecture limitations, business requirements and other complexities that limit which processes are candidates for automation, so plan to analyze and understand those before you plan the areas to automate.
- Budget: Automation (especially an initial implementation) will typically require engineers, analysts or both. It’s important to budget for and allocate the right number and ratio of knowledgeable resources to achieve success.
- Customization: SOAR tools have significant potential, but they can require implementation or customization that you should anticipate in your planning. They also might require time to build a baseline of normal activities so that they can provide valuable feedback about anomalies.
The best opportunities for automation are often in the ongoing analysis of alerts or threats as they come in. From there, you can consider whether there are repeatable actions that are also candidates for automation.
The fusion of artificial intelligence with cybersecurity protocols and tools will further enhance automation to improve operations and preemptive defense strategies. Predictive analytics help organizations forecast and defend against potential cyber threats with greater precision. This will not only automate mundane security tasks but also ensure a dynamic defense mechanism that evolves with emerging threats and calls attention to new issues.
“You can really make sure that the alerts which come up for humans to review are really the important things that are anomalous, or take some fuzzy logic or complex correlations to evaluate,” Sheehan said. “That's what humans are good at doing. We can pick out and remember disparate things, and it can be hard to automate that.”
Starting discussion
“Regulatory risks, environmental risks, cybersecurity risks around data, all of those things are important to a professional services firm because they’re important to their clients,” Kohm said.
Professional services firms need an effective cybersecurity solution, along with an efficient strategy and processes. It’s important to understand how streamlined efficiency can both save cost and improve the organization’s security. To explore those opportunities, you need to start with a discussion.
If you're not a cybersecurity expert, ask about some of the core strategic, process and automation concepts to bridge the gap. Understand that cybersecurity is about reducing risk and setting the right priorities.
“Your cybersecurity is not set up to block everything,” Sheehan said. “It’s similar to physical security. We don't know who's stealing Bob's sandwich out of the company refrigerator, because we don't have physical security standing at the refrigerator checking on sandwich access. IT is going to be the same way. Nobody's going to advocate spending $200 to protect a $100 asset. It breaks logic at that point. However, you need to know exactly where you’re spending your money, how you're securing your organization and how you’re enabling the business operations.”
Your cybersecurity strategy, processes, automations and costs don’t necessarily need to be larger. They need to be right-sized, coordinated and focused on the right areas. They need to be part of everyone’s cybersecurity hygiene. “That’s the human firewall. You need your people to be helping you do this,” Sheehan said. “Let's make sure we right-size effective cybersecurity for the organization.”
Contacts:
Frederick J. Kohm
National Managing Principal, Services Industry
Principal, Risk Advisory Services
Grant Thornton Advisors LLC
Frederick J. Kohm, Jr. has over 26 years of experience providing accounting and advisory services to his clients.
Philadelphia, Pennsylvania
Don Sheehan
Managing Director, Cyber Risk Advisory Services
Arlington, Virginia