It’s expected that the remote workforce will continue well into 2021, and perhaps beyond. In fact, many businesses in Corporate America are now letting employees WFH forever, or as long as they want to. With this, there also has been a huge tightening of cybersecurity budgets, with perhaps only modest increases being given out.
So now the question arises: how can the CISO wisely spend their limited resources while, at the same time, putting out daily fires and aligning with their company’s strategic objectives? This is the focal point of this article.
How CISOs can maximize their budgets
The cybersecurity budget can be used on just about anything the CISO sees fit in order to shore up the lines of defenses for their business. But remember, CISOs only have a limited amount of dollars that they can spend, so they need to make sure that each dollar is being spent as wisely as possible. This can be compared to an asset allocation exercise, where they have three main parts of the pie that need funding:
- Your people
- Your technology
- Your processes
The bottom line is that we are all at risk of becoming the victim of a cyberattack. The key is how to mitigate that risk, which in turn will lead to a proactive mindset and culture in your business. This is how your budget can be most effectively used. In order to make this happen, as CISO, you need to focus on the following:
(1) Conduct a Risk Assessment Study: When doing this, you and your IT Security team take a comprehensive look at all the assets that you have in your company, both physical and digital, with more emphasis on the latter, since that grouping is more prone to cyberattacks. After you have taken stock of all of these assets, you then assign a score to each and every one of them. This score represents just how vulnerable each asset is to a security breach, should one occur. For example, you could use a simple scale such as 1-10, where “1” represents the least vulnerable and “10” the most vulnerable. Once this is done, you then need to come up with a plan as to how you can leverage your existing security technologies to protect the most vulnerable assets. So far in Corporate America, the common thinking among CISOs has been that simply investing in a larger quantity of the latest security tools would do this. In other words, the belief was that there was safety in numbers. But this is now proving to be a fallacy. Deploying a large number of tools in a haphazard fashion does nothing more than increase the attack surface available to the cyberattacker. Also, the plethora of false positives coming in can lead to what is known as “Alert Fatigue” for your IT Security team. In the end, it can also be a huge drain on your limited budget. The line of thinking now being adopted is to maintain a strong cybersecurity posture by deploying fewer tools, but putting them in the strategic positions where they are needed the most. With this, not only will you get a much better ROI, but chances are you could even see a greater influx of money into your budget over time.
(2) Have security awareness training programs: Just about every CISO has heard about the need for Cybersecurity Awareness Training programs for all the employees in their company. However, many of them have not proven to be effective yet, simply because people do not care about putting into practice what they have learned, if the program was even comprehensive enough for them to retain the training after it ended. The two main reasons for this are that, while a lot of money may have been spent on the training program, it was only given once, and that it was probably too detailed and/or too technical, which lost the interest of the employees. There is a way to make the impact of a training program run deeper while spending less money. The key is to make it much more stimulating, while maximizing what is taught in a shorter time span to keep up the interest and motivation level of your employees. Here are some strategic tips that will prove their worth in terms of the ROI that you will garner from these kinds of training programs:
- Make use of gamification: This is where, throughout the training, you break your employees up into small teams and instill a competitive type of environment. For example, you can award points and certificates/badges to teams that accomplish their tasks successfully, such as recognizing a Phishing Email and taking the steps to stop it spreading, within a short period of time.
- Make the messaging relatable: It is one thing to talk about the ramifications of a Ransomware attack, but it is another to bring in an individual who has been directly impacted by one to describe how it has affected their life. Let your employees hear about the situation and the effects that came as a result. Plus, they can ask questions at the end that will resonate with them, making the impact longer lasting.
(3) Implement the Zero Trust Framework: The common mantra over the course of this year thus far has been to make use of what is known as “Two Factor Authentication”, or “2FA” for short. With this, you are implementing two layers of authentication in order to prove the legitimacy of the employee that is trying to gain access to your shared resources. However, this is starting to lose ground quickly, as cyberattackers are even breaking through this. Now CISOs are giving very serious thought to deploying the “Zero Trust Framework”. This methodology is two-fold:
- It makes use of multiple lines of defense instead of just one (which is very often referred to as “Perimeter Security”).
- It assumes no level of trust whatsoever, from people internal and external to your company.
While the Zero Trust Framework may seem a bit extreme, businesses have started to use this methodology. But once again, if you, the CISO, decide to implement this for your company, there is no need at first to spend extra financial resources on new security tools and technologies. All you really need to do is realign your existing arsenal in order to provide for at least three or more layers of authentication, which is what is required. But if it turns out that you need more equipment, you should only place it where it is needed the most.
(4) Implement KPIs in order to gauge the true effectiveness of your IT Security team: You should also implement some metrics and Key Performance Indicators (KPIs), or Cybersecurity Performance Indicators (CPIs) as we like to call them, in order to truly gauge whether you are spending your cybersecurity money wisely. It all comes down to how well your IT Security Team is responding to the threat variants and mitigating them as quickly as possible. Here are some that you should keep track of:
- The Total Mean Time to Detect: This KPI reflects just how quickly your IT Security Team actually detects a threat vector once it has become known. One way to improve this score is to implement an Artificial Intelligence (AI) software package which can filter out the false positives and only present the real warnings and alerts through a Security Information and Event Management (SIEM) tool. Many of these AI packages are hosted, making them extremely affordable for tight budgets.
- The Alert Time To Triage: This metric reflects how long it takes your IT Security Team to triage the highest priority alerts and warnings, then escalate them up to the Incident Response Team.
- The Threat Time To Recover: This KPI shows how long it takes your IT Security Team (as well as the IT Department) to restore mission-critical operations after being impacted by a security breach. One of the most cost-effective ways to keep this total number down is to have a rock-solid Disaster Recovery Plan in place, and to rehearse it on a regular basis, at least once a quarter.
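As an added illustration (not part of the original article, and not any vendor's product), here is how those three KPIs can be computed from a set of incident records so they can be trended quarter over quarter; the incident records, stage names and priority labels are constructed for this example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not real data). Stage timestamps: "known" = threat
# known / impact began, "detected" = IT Security detected it, "escalated" = triaged and
# handed to the Incident Response Team, "recovered" = critical operations restored.
# None marks a stage not yet reached.
INCIDENTS = [
    {"id": "INC-1", "priority": "high",
     "known": datetime(2021, 3, 1, 8, 0), "detected": datetime(2021, 3, 1, 9, 30),
     "escalated": datetime(2021, 3, 1, 10, 0), "recovered": datetime(2021, 3, 2, 9, 30)},
    {"id": "INC-2", "priority": "low",
     "known": datetime(2021, 3, 3, 12, 0), "detected": datetime(2021, 3, 3, 18, 0),
     "escalated": datetime(2021, 3, 4, 12, 0), "recovered": datetime(2021, 3, 4, 14, 0)},
    {"id": "INC-3", "priority": "high",  # still open: no recovery timestamp yet
     "known": datetime(2021, 3, 5, 0, 0), "detected": datetime(2021, 3, 5, 0, 30),
     "escalated": datetime(2021, 3, 5, 2, 0), "recovered": None},
]

def _mean_span_hours(incidents, start_key, end_key, keep=lambda i: True):
    """Average hours between two stages over the incidents that pass `keep` and
    have reached both stages; None when no incident qualifies."""
    spans = [(i[end_key] - i[start_key]).total_seconds() / 3600 for i in incidents
             if keep(i) and i[start_key] is not None and i[end_key] is not None]
    return mean(spans) if spans else None

def mean_time_to_detect(incidents):
    """Total Mean Time to Detect: threat known -> detected."""
    return _mean_span_hours(incidents, "known", "detected")

def alert_time_to_triage(incidents, priority="high"):
    """Alert Time To Triage: detected -> escalated to IR, highest-priority alerts only."""
    return _mean_span_hours(incidents, "detected", "escalated",
                            keep=lambda i: i["priority"] == priority)

def threat_time_to_recover(incidents):
    """Threat Time To Recover: impact began -> mission-critical operations restored."""
    return _mean_span_hours(incidents, "known", "recovered")

def kpi_report(incidents):
    """All three KPIs in hours, ready to trend quarter over quarter."""
    return {"mean_time_to_detect": mean_time_to_detect(incidents),
            "alert_time_to_triage": alert_time_to_triage(incidents),
            "threat_time_to_recover": threat_time_to_recover(incidents)}

if __name__ == "__main__":
    for kpi, hours in kpi_report(INCIDENTS).items():
        print(f"{kpi}: {hours:.2f} h" if hours is not None else f"{kpi}: n/a")
```

Open incidents are excluded from the recovery average rather than silently counted as zero, so a long-running breach does not flatter the number.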
Overall, this article has examined some of the key steps that you, the CISO, can take to maintain a proactive security posture within your budget. It’s imperative, at this point in time, that you get away from the thinking that if your company has never come under attack, it never will. The moment you let your guard down like this, more than likely you will be hit, and the costs of damage and recovery will almost inevitably far outweigh the cybersecurity budget that you already have.