12 real-world drivers for Information Security (IS)

Over the past year, my team has processed hundreds of requests for information security solutions from at least a hundred clients in various industries: oil & gas, public, finance, chemical, NGOs, etc.

Instead of the generic IS drivers (Risk, Compliance, etc.), we identified a number of specific cases that motivate information security leaders to request, and management and shareholders to approve, cybersecurity budgets:

  • The presence in the value chain of proprietary technology that is valuable to competitors.
  • Leaks of the design or engineering documentation.
  • Leaks of client-related information.
  • Virus outbreaks taking down SCADA.
  • Attacks on income-generating websites (B2B portals, customer service and so on).
  • Sabotage by an IT administrator that interrupts business processes.
  • Requirements of a financial audit.
  • The desire to maintain the costs of the cybersecurity processes despite the rapid growth of the business.
  • A freeze on employee headcount while the tasks of the cybersecurity division keep growing.
  • Centralization of IT applications/infrastructure or services.
  • Expansion into new national markets.
  • Compliance with the basic regulatory requirements (PCI/PA-DSS, SOX, FZ-152, etc.).

The drivers are rather mixed, ranging from significant incidents with the risk of market share loss, revenue loss or reputational damage to “get money for information security under the guise of centralization in IT”, but each of them can be a viable reason/business case to start a significant information security project.