Although things have started to come back to life after COVID-19, many companies are still tightening their Cybersecurity budgets, with perhaps only modest increases being granted.
So now the question arises, “How can a chief information security officer (CISO) wisely spend their limited resources, while fighting all of the battles they have to deal with to keep their company’s systems secure?” This article will help to answer that question.
How To Stretch Your Cybersecurity Budget
The money in your account can be used on just about anything that you see fit to shore up the lines of defense for your business. But if you have a limited amount of dollars to spend, you need to make sure that every dollar is being spent as wisely as possible. This can be compared to an asset allocation exercise in which you have three main segments of the “pie” that require funding:
- Your people
- Your technology
- Your processes
The bottom line is that all companies are at risk of becoming the victim of a Cyberattack. The key is how to mitigate that risk as much as possible, which in turn will lead to a proactive mindset and culture in your business. This is how your budget can be most effectively used. In order to make this happen, as CISO, you need to focus on the following:
- Conduct a Risk Assessment Study. This allows you and your IT Security team to take a comprehensive look at all the assets in your company, both physical and digital, with a greater emphasis on the latter, since digital assets are of course more prone to Cyberattacks. After you have taken stock of all of these assets, you then assign a score to each and every one of them. This score represents just how vulnerable each asset is to a security breach, should one occur. For example, you could use a simple scale such as 1-10, where “1” represents the least vulnerable and “10” the most vulnerable. Next you need to come up with a plan for leveraging your existing security technologies to protect your most vulnerable assets. Until now, many CISOs believed that simply investing in the latest security tools, in a larger quantity, would protect those vulnerable assets. In other words, they believed that there was safety in numbers. But this is now proving to be a fallacy. Simply deploying a large number of tools in a haphazard fashion does nothing more than increase the attack surface available to the Cyberattacker. Also, the plethora of false positives that come in can lead to what is known as “Alert Fatigue” for your IT Security team. In the end, it can also be a huge drain on a limited budget. The new line of thinking that is being adopted is to maintain a strong Cybersecurity posture by deploying fewer tools but putting them in the strategic positions where they are needed the most. This approach will yield a much better ROI, and chances are you will gain a greater influx of money into your budget over time.
- Run effective security awareness training programs. Just about every CISO has heard about the need for Cybersecurity Awareness Training programs for all the employees in their company. However, many of them have proven to be ineffective simply because employees don’t care about putting into practice what they have learned. Some security awareness training programs aren’t comprehensive enough for employees to retain what they have learned. The two common reasons for this failure are that the training was only given once and/or that it was too detailed and technically based to keep the employees engaged. There is a way to deliver an effective training program while spending less money. The key is to make it much more stimulating, while maximizing what is taught in a shorter time span, in order to maintain the interest and motivation level of your employees. Here are some strategic tips that will increase the ROI that you will garner from such training programs:
- Use gamification. In this approach, you split your employees into small teams and instill a fun and competitive environment throughout the training. For example, you can award points, certificates, and badges to teams that accomplish their tasks successfully. One such task might be to have each team recognize a Phishing Email and take the steps to mitigate the risk of it spreading, all within a short period of time.
- Make the messaging relatable. It’s one thing to talk in theoretical terms about the ramifications of a Ransomware attack, but it is another to bring in an individual who has been directly impacted by such an attack. Let your employees hear about the situation and the effects that came as a result. Allowing employees to ask the victim questions at the end will result in training that resonates with them and lasts longer.
- Implement the Zero Trust Framework. The common mantra over the course of this year thus far has been to make use of what is known as “Two Factor Authentication” or “2FA” for short. In this approach, you implement two layers of authentication to prove the legitimacy of the employee that is trying to gain access to your shared resources. However, this is starting to lose ground quickly, as Cyberattackers are even breaking through this. Now CISOs are giving very serious thought to deploying a “Zero Trust Framework,” a methodology that:
- Makes use of multiple lines of defense instead of just one (which is very often referred to as “Perimeter Security”).
- Assumes no level of trust whatsoever, from people internal and external to your company.
While the Zero Trust Framework may seem to be a bit extreme, businesses have started to use this methodology. But once again, if you, as the CISO, decide to implement this for your company, there is no need at first to spend extra financial resources on new security tools and technologies. All you really need to do is realign your existing arsenal in order to provide for at least three or more layers of authentication, which is what is required. But if it turns out that you need more equipment, you should only place it where it is needed the most.
- Implement KPIs in order to gauge the true effectiveness of your IT Security team. You should also implement some metrics and Key Performance Indicators (KPIs) to accurately gauge whether you are spending your Cybersecurity money wisely. It all comes down to how well your IT Security Team is responding to, and mitigating, the threat variants. Here are some KPIs you should keep track of:
- The Total Mean Time to Detect: This KPI reflects just how quickly your IT Security Team actually detects a threat vector once it has become active. One way to improve this score is to implement an Artificial Intelligence (AI) software package which can filter out false positives and present only the real warnings and alerts through a Security Information and Event Management (SIEM) tool. Many of these AI packages are hosted, making them extremely affordable for tight budgets.
- The Alert Time to Triage: This metric reflects how long it takes your IT Security Team to triage the highest priority alerts and warnings, then escalate them up to the Incident Response Team.
- The Threat Time to Recover: This KPI demonstrates how quickly your IT Security Team (as well as IT Department) restores mission critical operations after being impacted by a security breach. One of the most cost-effective ways to keep this total number down is to have a rock-solid Disaster Recovery Plan in place, and rehearse it on a regular basis, at least once a quarter.
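The three KPIs above are only useful if they are computed consistently from incident records, so here is an added example (not from the article) of how a security team might calculate them. It assumes a constructed set of incident records with four timestamps per incident: when the threat became active, when the team detected it, when the alert was triaged and escalated to the Incident Response Team, and when operations were restored. Time to Recover is measured from detection, and incidents that are still open are excluded from the averages they cannot yet contribute to; both are assumptions of this example, not definitions from the article.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). Open incidents leave
# later fields as None so that they are excluded from the relevant averages.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00:00", "detected": "2024-03-01T09:30:00",
     "triaged": "2024-03-01T10:00:00", "recovered": "2024-03-01T14:00:00"},
    {"id": "INC-2", "occurred": "2024-03-05T22:00:00", "detected": "2024-03-06T02:00:00",
     "triaged": "2024-03-06T03:00:00", "recovered": "2024-03-06T10:00:00"},
    {"id": "INC-3", "occurred": "2024-03-10T12:00:00", "detected": "2024-03-10T12:30:00",
     "triaged": "2024-03-10T13:15:00", "recovered": None},  # still open
]


def _parse(ts):
    """Turn an ISO-8601 timestamp string into a datetime, or None if absent."""
    return datetime.fromisoformat(ts) if ts else None


def _hours_between(records, start_key, end_key):
    """Elapsed hours from start_key to end_key for every record that has both."""
    hours = []
    for rec in records:
        start, end = _parse(rec.get(start_key)), _parse(rec.get(end_key))
        if start is not None and end is not None:
            hours.append((end - start).total_seconds() / 3600)
    return hours


def _mean_or_none(values):
    return mean(values) if values else None


def mean_time_to_detect(records):
    """Average hours from the threat becoming active to the team detecting it."""
    return _mean_or_none(_hours_between(records, "occurred", "detected"))


def mean_time_to_triage(records):
    """Average hours from detection to triage/escalation to Incident Response."""
    return _mean_or_none(_hours_between(records, "detected", "triaged"))


def mean_time_to_recover(records):
    """Average hours from detection to restored operations (open incidents skipped)."""
    return _mean_or_none(_hours_between(records, "detected", "recovered"))


def slow_detections(records, target_hours):
    """IDs of incidents whose detection took longer than the target, for review."""
    ids = []
    for rec in records:
        delta = _hours_between([rec], "occurred", "detected")
        if delta and delta[0] > target_hours:
            ids.append(rec["id"])
    return ids


def kpi_report(records, detect_target_hours=2.0):
    """Bundle the KPIs into one dictionary suitable for a monthly budget review."""
    return {
        "mttd_hours": mean_time_to_detect(records),
        "mean_time_to_triage_hours": mean_time_to_triage(records),
        "mttr_hours": mean_time_to_recover(records),
        "open_incidents": sum(1 for r in records if not r.get("recovered")),
        "detections_over_target": slow_detections(records, detect_target_hours),
    }


if __name__ == "__main__":
    for key, value in kpi_report(INCIDENTS).items():
        print(f"{key}: {value}")
```

Tracking these numbers month over month is what lets a CISO show whether a tool or a training program actually moved the needle, which is a far stronger budget argument than a count of tools deployed.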
Overall, this article has examined some of the key steps that you, as the CISO, can take to maintain a proactive security posture and still stay within your budget. It is imperative that you stop believing that just because your company has never come under attack, it never will. The moment you let your guard down, your chances of being hit increase, and the costs of damage and recovery will almost inevitably far outweigh the Cybersecurity budget that you already have.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.