How to make an effective case for increasing the security budget
Even though security exploits frequently consume the headlines of technology blogs and news outlets, CIOs may find it difficult to adequately fund cybersecurity programs. There is no doubt that an exploit could debilitate a business.
In addition to obvious brand degradation, compromised organizations frequently incur legal fees, hours of overtime spent remediating issues and difficulty meeting other deadlines. This is a nightmare for any organization, so it’s worth the effort to explore how a CIO can create a convincing case for funding cybersecurity activities.
Put simply, a successful cybersecurity program incorporates knowledge about threats and implements controls which reduce if not mitigate their risk to business. Additionally, reliable cybersecurity programs depend on a concerted effort by the entire organization to assimilate security activities into business processes. Unfortunately, building or maintaining a mature cybersecurity program also requires investing resources throughout the organization that support security initiatives.
Seasoned technology professionals (especially those who have read No Silver Bullet – Essence and Accident in Software Engineering, by Frederick Brooks) agree there is no one solution that solves an organization’s security woes. Essentially, there is no one resource, tool or methodology that can be implemented which miraculously causes a company to be secure.
Having an effective cybersecurity program starts with analyzing what is important to an organization and understanding what would be useful to an attacker. Then, using that knowledge, create a program that is responsible for hardening the security posture of those areas. However, resources must be dedicated to the program so that security controls will effectively reduce the chance of an exploit.
Later, perform regular audits to review security controls; this will help maintain the cybersecurity program and supply auditors with reports if a review is requested.
A well-organized team may implement several security controls to follow industry best practices or a least-privilege access model. For example, an organization may implement a 24x7 system monitoring service to proactively analyze potential threats. Nevertheless, the cybersecurity program needs resources that can configure and analyze the service in order to utilize it effectively.
This example also articulates why it is important for program members to update their knowledge regularly and disseminate it to stakeholders throughout the organization: the people who run the monitoring service need the necessary information to either perform an action or make a recommendation based on its output.
This type of training may target cybersecurity team members or even personnel who have access to important systems. Moreover, internal trainings should include information from reviews, updated business processes and implemented tools so the entire team is aware of the organization’s security objectives.
With the inherent risk of an exploit so high and the numerous complexities of a cybersecurity program, one might think that companies are adequately funding these initiatives. However, the data from our research, conducted in early 2017, backs up the assumption that many cybersecurity programs are underfunded and understaffed.
The survey results are revealing: 86 percent of respondents said that cybersecurity is underfunded at their organizations; further, less than 10 percent of their IT budget was being designated for cybersecurity. Additionally, 75 percent said they have two or fewer dedicated security professionals. Nevertheless, hiring experienced cybersecurity analysts is a budget item that isn’t feasible for many businesses.
A variety of factors affect the affordability issue, but the shortage of available cybersecurity professionals compounds the problem. One source, the Global Information Security Workforce Study released in June 2017, found that the cybersecurity workforce gap is on pace to hit 1.8 million in 2022, a 20 percent increase since 2015.
The lack of cybersecurity funding combined with too few trained cybersecurity analysts and engineers adds up to an IT security disaster. This assumption is shared by 56 percent of those surveyed, who said their companies are underprepared to identify and respond to a security incident, while 45 percent believed their organization suffered a breach in the past year.
Educating stakeholders about the tremendous risks that exploits and breaches pose to the health and success of the business is one of the greatest challenges CIOs and CEOs face when allocating resources to meaningful and effective security initiatives. Documenting and providing formalized training about the company’s data assets and how they should be accessed is the first step in understanding abuse cases, both internal and external, and the inherent risks associated with protecting sensitive information.
The next step, which typically separates the more mature security practices from those in their infancy, is to document the security controls and the thresholds of normal business operations so the company can quickly identify and mitigate threats that may exploit vulnerabilities in those operations.
The board and CEO need to understand these threats so they can make decisions that are in the company’s best interest. Since most of the time these meetings revolve around market and business risks, cybersecurity needs to work hard to get a seat at the board meeting. To do this, IT management needs to provide solid data points that point to associated security risks. Cost is one of these associated risks that can’t be ignored.
The 2017 Ponemon Institute Cost of a Data Breach study found the average cost of a data breach is $3.62 million, with U.S. companies facing the highest cost per record and per incident. Providing detailed data points on the financial fallout from a data breach will go a long way in making the case so that the CEO and board completely understand that increasing the investment in cybersecurity defense is necessary to mitigate exploits.
Evaluating whether cybersecurity should be managed in-house, outsourced, or a combination of both is a decision based on a variety of factors, including whether sufficient resources are being allocated to support cybersecurity defenses, technologies, and initiatives. Organizations that manage their security in-house tend to be more narrowly focused on hardening and enhancing current business operations and have the resources to do so.
Whether organizations decide to outsource cybersecurity to service providers that specialize in tracking and prioritizing threats or manage this important function in-house, it all comes down to whether the CEO and the board agree that the company’s cybersecurity posture is a priority and, in the end, whether the budget reflects this priority.