
Cybersecurity: Are You Spending Too Much?


In this guest post, Procurement Leaders invites 4C Associates’ Ed Ainsworth to discuss misconceptions around cybersecurity and where procurement executives really need to be directing their attention.

Cybersecurity is a big and genuine threat to every company. Attacks range from the sophisticated, international, state-backed type, such as the attack on Sony, to the ‘bedroom hackers’ we saw last month with Talk Talk.


Many small businesses will also have experienced a ‘social engineering’ attack, where a criminal sends emails that appear to come from inside the company, requesting payment to an account the criminal controls. Sometimes these attacks are of very high quality and include a surprising amount of internal information, such as an executive’s holiday schedule and location.


As a result, the cybersecurity industry is one of the fastest growing global industries - one estimate put the global market size at $170bn by 2020[1]. Many boards feel that they have not adequately addressed this issue and are putting pressure on their management for solutions.


For example, Talk Talk, after suffering from a large cyber-attack, engaged BAE Systems to provide a full solution. Latest figures show that the Talk Talk cyber-attack could cost the company up to £35m in one-off costs, aside from the significant hit it took to its share price, reputation and the work it now has to do to rebuild its customer relations and trust in the brand. Other telecoms providers are spending hundreds of millions of pounds on solutions as suppliers capitalise on a growing fear of an attack as a reason to buy.


Cybersecurity has all of the characteristics of a category of overspend. The solutions aren’t clear and well understood. Most IT directors don’t have a detailed understanding of encryption and access-control technology, and the knowledge level outside IT is low. There are no industry standards and quality varies. It’s an exciting purchase, and there are legitimate reasons for questioning the need for normal procurement scrutiny.


Procurement and finance managers will be wary of intervening and of supporting decision making, for fear that they could be blamed for a serious attack.


However, good procurement can add a lot of value to cybersecurity services by working through some key questions:

  1. What is the current level of cyber risk that the business faces? What attacks have actually been carried out, and what could happen? Typically this work will find a lot of low-level risks (a company credit card number captured over a laptop’s Wi-Fi connection, someone clicking on a malicious attachment) along with some major ones.
  2. What is the range of services that can help mitigate the risks? Use the supply base to help you solve the problems; there are some very innovative, low-cost solutions. Most suppliers can quickly give an assessment of what they can do for you. I’d recommend using an unstructured ‘tell me what you can do for me’ process rather than a formal request for information (RFI) process.
  3. What are the alternatives for reducing risk that don’t require expensive solutions? I’ve seen companies change processes to make them more secure; for example, one of our clients stopped authorising payments by email. Other companies are outsourcing the storage of customer data to a specialist with full protection rather than keeping the data on any corporate system (think of this a bit like keeping your jewellery at a bank).

Every company now needs a cybersecurity strategy; with support from procurement, however, many companies can avoid overspending.


Ed Ainsworth is co-founder of procurement services company, 4C Associates.


This contributed article has been written by a guest writer at the invitation of Procurement Leaders. Procurement Leaders received no payment directly connected with the publishing of this content.


Posted by Guest Blog