IT Security – Preparing for Decisions Properly

Part 1 of 2
IT security decisions are now among the most difficult – and at the same time most far-reaching – tasks facing company directors and IT managers. Unlike traditional IT investments, these decisions are not merely about efficiency or cost optimisation, but about a company’s fundamental ability to remain operational. Production downtime, data loss or regulatory breaches are no longer merely theoretical risks, but real business risks.
A recurring pattern is evident, particularly in German SMEs and larger companies with around 250 employees or more: decisions are often made under pressure – triggered by incidents, audits or new regulatory requirements. What is then lacking is structured preparation. And this is precisely where most wrong decisions are made.
This article shows how to prepare IT security decisions in such a way that they are sustainable in the long term – technically, organisationally and economically.
IT security is no longer just an IT issue
Many companies still treat IT security as a purely technical discipline. This is understandable, but no longer appropriate. With the implementation of NIS-2 in Germany, at the very latest, the perspective has shifted: IT security has become a management responsibility.
There are two key reasons for this:
- The impact of security incidents now affects the entire organisation. A successful attack leads not only to IT problems, but also to production downtime, lost revenue and a loss of trust among customers and partners.
- Regulatory requirements are increasing. Companies must not only implement appropriate security measures but also be able to demonstrate that they have done so. Decisions in the field of IT security are therefore automatically legal and business decisions as well.
The consequence of this is clear: whoever makes decisions on IT security must also understand it – at least at a strategic level.
The most common mistake: solutions before problems
A classic way to kick off IT security projects is to say:
“We need a new firewall.”
Or: “We need to set up a SOC.”
The problem with this is that these statements are already solutions – but the problem that actually needs solving hasn’t even been clearly defined yet. A well-informed decision therefore always begins with a step that is often skipped: identifying the requirements.
Needs assessment: What really needs to be protected?
The most important question at the outset is not “What technology do we need?”, but rather: What is critical for our business?
This may sound trivial, but in practice it is challenging. This is because in companies with 250 or more employees, there are numerous interdependencies:
- Business processes (e.g. production, sales, logistics)
- Systems (ERP, CRM, email, cloud services)
- Data (customer data, financial data, intellectual property)
- External partners and supply chains
A sensible approach is to think about IT security in terms of business processes. Ask yourself:
- Which processes absolutely must function for the company to keep running?
- Which systems are necessary for this?
- What happens if these systems fail or are compromised?
The result is not a perfect security concept, but a prioritised target vision. And that is precisely what matters: IT security does not mean protecting everything at once, but protecting the right things first.
What does ‘risk-based approach’ mean?
A risk-based approach means that security measures are not implemented across the board, but rather based on the actual risk.
The risk is determined by two factors:
- Probability of occurrence (How likely is it that the system is attacked or fails?)
- Impact (How severe is the damage to the business if it does?)
A system with both a high impact and a high probability is addressed first; where the impact is low, even a frequently targeted system can be deferred. In practice, impact can usually be assessed with more confidence than probability, since it follows directly from the process analysis above.
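The two steps above, deriving system criticality from business processes and then ranking by probability and impact, can be made concrete in a few lines. The following Python script is an added illustration, not part of the original article and not a Securepoint method. The inventory of processes and systems is constructed for the example; the 1 to 5 scales, the rule that a system inherits the highest impact of any process that depends on it, and the tie-break on impact are assumptions.

```python
"""Risk-based prioritisation of systems, derived from business-process dependencies.

Added example (not the article's or Securepoint's own method): a constructed
inventory of processes and systems, assumed 1-5 impact and 1-5 likelihood
scales, and a ranking by risk = impact x likelihood.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    impact: int                  # 1 (minor) .. 5 (existential) if this process stops
    depends_on: tuple[str, ...]  # systems the process cannot run without


@dataclass(frozen=True)
class System:
    name: str
    likelihood: int              # 1 (rare) .. 5 (frequent) chance of compromise or failure


# Constructed sample inventory (not real data).
PROCESSES = (
    Process("production", 5, ("ERP", "PLC network")),
    Process("sales", 4, ("CRM", "email")),
    Process("logistics", 4, ("ERP", "email")),
    Process("management reporting", 2, ("BI platform",)),
)

SYSTEMS = (
    System("ERP", 3),
    System("email", 5),          # phishing makes mail the most exposed system
    System("CRM", 2),
    System("PLC network", 4),    # flat OT network with unpatched controllers
    System("BI platform", 3),
    System("intranet wiki", 5),  # exposed and neglected, but no process needs it
)


def system_impact(processes, system_name):
    """A system inherits the highest impact of any process that depends on it.

    A system no process depends on gets impact 0: it still needs basic hygiene,
    but it is not where the first investment goes.
    """
    return max((p.impact for p in processes if system_name in p.depends_on), default=0)


def risk_score(processes, system):
    """Risk = impact x likelihood on the assumed 1-5 scales (maximum 25)."""
    return system_impact(processes, system.name) * system.likelihood


def prioritise(processes, systems):
    """Return (system, impact, likelihood, risk) tuples, highest risk first.

    Ties are broken by impact, then by name, on the assumption that impact is
    the better-founded of the two estimates.
    """
    rows = [
        (s.name, system_impact(processes, s.name), s.likelihood, risk_score(processes, s))
        for s in systems
    ]
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))


def affected_processes(processes, system_name):
    """Answer 'what happens if this system fails?': the processes that stop."""
    return [p.name for p in processes if system_name in p.depends_on]


if __name__ == "__main__":
    print(f"{'system':<15}{'impact':>7}{'likelihood':>12}{'risk':>6}  stops")
    for name, impact, likelihood, risk in prioritise(PROCESSES, SYSTEMS):
        stops = ", ".join(affected_processes(PROCESSES, name)) or "-"
        print(f"{name:<15}{impact:>7}{likelihood:>12}{risk:>6}  {stops}")
```

Run as-is, the script ranks the PLC network and e-mail at the top (both score 20), the ERP system third, and the internet-facing but unused wiki last even though it is the most frequently attacked system in the inventory. That last row is the point of the process-first approach: exposure alone does not justify priority if nothing the business depends on runs there.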
From the current situation to the target state
Once priorities have been established, the next step is to analyse the current situation. This often reveals a sobering picture: many companies already have numerous security solutions in place – yet these are not integrated, are not fully configured, or are not actively managed.
Typical vulnerabilities include:
- incomplete patch management
- lack of multi-factor authentication
- inadequate backup strategies
- unclear authorisation structures
In this context, Securepoint deliberately refers to ‘cyber hygiene’ – that is, fundamental measures that should be implemented in every company. These include regular updates, proper password management and functioning data backups.
This point is important: before you consider new solutions, you should ensure that the basics are working.
Assess internal capacity realistically
One factor that is often underestimated in IT security decisions is the organisation’s own resources. Many strategies fail not because of the technology, but because of the implementation. The reason is simple: IT security is not a one-off project, but an ongoing operational state.
In concrete terms, this means:
- Systems must be monitored
- Incidents must be analysed
- Updates must be installed
- Processes must be reviewed regularly
The crucial question is therefore: Can we manage this internally – on a permanent and reliable basis?
This is not just a question of the number of staff, but also of:
- Expertise (e.g. incident response, forensics)
- Availability (24/7 vs. office hours)
- Process maturity (clear procedures in an emergency)
Many companies come to the conclusion that fully in-house operation is not realistic. In such cases, managed services or external partners are not a stopgap solution, but a strategically sound decision.
Choosing the right service provider
Choosing an IT security service provider is one of the most critical decisions in the entire process. At the same time, it is often made too superficially.
A key misconception is to evaluate the service provider primarily on the basis of technology or price. However, what really matters is something else: how well does the service provider fit your business model?
You should distinguish between two things:
- Outsourcing work (e.g. monitoring, operations)
- Outsourcing responsibility (which is often not legally possible)
Particularly in the context of the GDPR, responsibility generally remains with the company. This means you must ensure that your service provider meets the requirements – and can demonstrate this.
Data Processing on Behalf of a Controller (GDPR)
Where a service provider processes personal data, this generally constitutes data processing on behalf of a controller under Article 28 of the GDPR. Important: the responsibility remains with the organisation as controller. It must satisfy itself that the service provider implements appropriate technical and organisational measures and that a contract meeting the requirements of Article 28(3) GDPR is in place, and it must be able to show both on request.
To buy or to rent? A strategic decision
Another key consideration is the choice of financing model. Traditionally, a distinction is made here between purchase (CapEx) and rental or service (OpEx). In practice, however, this decision is more complex. This is because it is not just about costs, but also about flexibility and risk. When purchasing, companies make a one-off investment in hardware and licences. This offers control, but also requires dedicated operational resources and long-term planning.
Service models, on the other hand, offer:
- lower upfront costs
- greater flexibility
- predictable running costs
Securepoint demonstrates this approach, for example, with ‘Firewall as a Service’, where security solutions are provided as a service that can be cancelled on a monthly basis. The advantage is clear: companies can react more quickly and need to tie up less capital. The downside: it creates greater dependence on the provider. The right decision therefore depends less on price than on the company’s strategic direction.
Total cost analysis: More than just the purchase price
A common mistake in decision-making is to consider costs in isolation, focusing solely on purchase or licence fees. A realistic assessment must take into account the so-called Total Cost of Ownership (TCO).
This includes:
- Capital expenditure
- Ongoing operating costs
- Staff costs
- Training costs
- Costs in the event of a breach
The latter point in particular is often underestimated. Security incidents cause not only direct costs, but also indirect damage such as reputational loss or contractual penalties. A well-informed decision therefore always takes risk into account – not just the price.
Legal framework: Not a side issue
IT security decisions are always legal decisions as well. This is particularly true in Germany and the DACH region, where regulatory requirements are constantly increasing.
The most important regulatory frameworks include:
- NIS-2 (IT security requirements and reporting obligations)
- GDPR (data protection)
- sector-specific guidelines
- compliance requirements (e.g. GoBD)
These guidelines influence not only the choice of technologies, but also contract drafting, any documentation obligations and requirements for evidence.
An example: cloud services often have to meet specific security standards. With the C5 catalogue (Cloud Computing Compliance Criteria Catalogue), the BSI defines a framework that sets out minimum requirements for cloud security, and a provider's C5 attestation is a common form of the evidence a customer has to hold.
For businesses, this means that IT security cannot be decided in isolation. It must always be considered within the context of compliance.
The key perspective: security as a system
Ultimately, it all boils down to one key insight: IT security is not a single product that you implement once and then consider the matter settled, but a holistic system. This system is made up of several interlinked components: the technology used, clearly defined processes, the people who carry out these processes, and an overarching governance framework that sets out responsibilities, rules and objectives. A decision in the field of IT security is only truly viable if it takes all these dimensions into account. As soon as one of these building blocks is missing or neglected, gaps arise, and it is exactly those gaps that attackers exploit in practice.
Conclusion: Good decisions are made before the decision is taken
The quality of an IT security decision is not determined at the moment of selection, but during the preparation phase.
If you:
- understand your critical business processes
- have defined your actual requirements
- realistically assess your internal capabilities
- evaluate service providers in a structured manner
- take financial and legal aspects into account
… then you are not making an isolated IT decision, but a well-founded business decision.
And that is precisely the difference between reactive security and strategic IT security.
The second part of this article focuses on what matters most once the decision has been made: operations, organisation and continuous improvement.