Stop doing so much cyber security

We’ve all heard about the increasing importance of cyber security, but do you really need it?

A big mistake I’ve seen many projects make is spending too much on cyber security.  This means less money for the capability they’re developing. The weapon system doesn’t get the range its users wanted.  The ship misses having the weapon system altogether.  There are fewer ships in total.

On the other hand, cyber attacks are real. States such as Russia, China and Iran are becoming both more sophisticated and more aggressive. Increasingly, they are not even bothering to hide hostile intent, as with the 2015 attack on the US Office of Personnel Management or the 2021 attack on the UK’s Defence Academy. Microsoft’s Digital Defence Report for 2023 reported a doubling of attacks on critical national infrastructure since the beginning of the Ukraine war.

So how should large government projects decide how much or even whether to invest in cyber security?

The answer is to use risk-based assessments properly. That is, cyber risks should be related to business outcomes using open standards such as ISO 31000 or NIST 800-30. This is often a big change from historic practice, where cyber risk assessment is treated as a purely technical exercise.

Bee.net’s Cyber Design Accelerator provides a step-by-step, practical guide to help you transition to Secure By Design and modern cyber security practices. The clients we’ve worked with have often been able to spend less on cyber security whilst not only improving the confidentiality and resilience of their systems but also making those systems easier to use and more effective.

Could your project benefit from a similar approach? 
