Bell study: Budget not the biggest factor in a positive cybersecurity posture

According to a recent study released by Bell, size of security budget may not be the best indicator of cybersecurity protection and success in Canadian organizations.

Bell commissioned a study conducted by Maru Group of 402 Canadian organizations across public and private sectors. Among the takeaways from the study, size of budget does not necessarily correlate with degree of cyber-safety. Other factors may have a more profound influence, notably effective allocation of resources and a clearly defined strategy.

“Organizations with well-defined security governance outperform their peers,” noted Bell in a company press release. “To be most successful, security governance is a process that ideally takes a collaborative approach across the business. In part because executing well on technical guardrails (e.g., configuration management, policy as code, access management, etc.) relies on agreed-upon risks, boundary lines and responsibilities from across the organization.”

The study also noted that appetite for risk and a willingness to embrace change may, counterintuitively, have a positive impact on security outcomes.

“The only governance factor found to coincide with a significantly reduced likelihood of reporting a breach was a mentality among business leaders to embrace change and be open to taking risk. Being open to change (and calculated risk) can mean the early adoption of new technologies, improved employee morale, and other factors that reduce the risks of a breach,” stated Bell.

In terms of measuring success, breaches (or lack therein) may be the most direct performance indicator — CISOs responding to the survey also highlighted performance against compliance requirements and the ability to retain talented staff as important indirect indicators.

“A highly skilled team with a well-connected cross-enterprise collaborative approach is critical to the success of an enterprise security strategy,” said Costa Pantazopoulos, VP product at Bell. “This is particularly important for cloud security controls, such as configuration management, which can be more challenging to fully automate.”