A recent study showed that organizations spend less than 1% of company revenue on cybersecurity. This means that a company with $5 million in annual revenue may spend around $50,000 on cybersecurity per year. The question is not whether this small amount is "enough", but rather whether the money is being spent in the right places.
Common cybersecurity spending mistakes are made when organizations rush to purchase the latest firewall, antivirus, intrusion detection system, or security awareness training. Often, IT Directors are given a set budget to spend on cybersecurity without a game plan. This leads to ill-advised purchases of technologies, software, and hardware that do nothing to raise the security bar.
So, where would I start?
If I were an IT Director or CIO and I had $50,000 to spend on cybersecurity for my $5M business, I would take a step back and think about what really matters to the organization. I would begin this journey by asking myself (and my staff) some fundamental questions:
- What makes the organization money?
- What type of data are we protecting?
- What would a breach do to the company?
- What are my regulatory requirements?
- What do we currently have that can be leveraged to protect us?
By the end of this exercise, I understand what makes the organization profitable, what our data would be worth to attackers, what the impact of a data breach would be, what I am obligated to do by law, and which current security assets I could leverage.
Now, what is my next move?
With the newly acquired information, I have a firm understanding that my company needs more protection. I may have PCI DSS, DFARS, HIPAA, FFIEC, NERC CIP, or other requirements, but I do not have a game plan to address our overall security posture. I am also aware that my organization has sensitive data, yet we have no control over our users or where they place that data. I am understaffed and do not have the time to fix all of these things. However, I have figured out that spending $20,000 on a new firewall is not the best option for my company. I need an expert.
Whether the expert is internal or outsourced, you need a structured, trusted, and comprehensive program that is designed to minimize impact, bolster defenses, achieve compliance, and move the cybersecurity needle. This is where expertise and an unbiased perspective come into play. The truth is that the vendor trying to sell you the next "blinking light machine" is likely not thinking in the best interest of your business, or of your budget.
So, what is my course of action?
As an IT Director or CIO, my area of expertise is most likely not cybersecurity but information technology. The two coexist and are certainly related; however, each is its own discipline and requires vastly different experience and skills.
I need a hero!
Let's say that I have $50,000—this is what I would do.
Year 1:
- Find a cybersecurity company that will become integrated with my company for a set number of hours each month and has a legitimate plan of attack. No, I am not talking about the IT service provider that you use for helpdesk outsourcing. I am talking about a company that eats, sleeps, and breathes cybersecurity. You need a cybersecurity hero.
- Make sure that the first thing that they accomplish is setting a baseline for your organization. This means conducting an initial assessment of your current state leveraging a trusted set of standards and industry best-practices. This is worth its weight in gold and gives both your organization and the provider a roadmap for raising the cybersecurity maturity level.
- Ensure that the new professional(s) understand business in addition to being technical experts. I cannot stress this one enough. Cybersecurity companies are not all created equal, and what separates the best from the rest is breadth of knowledge across both technical and non-technical facets of risk, cybersecurity, privacy, and most of all, business operations.
- The new provider will be responsible for the creation of policies, procedures, baselines, documentation, and reporting for my organization. For example, on a quarterly basis you want the provider to present a report to you and your board of directors showing how their money is being well spent. This is paramount to keeping the attention of those who granted the money to you. If they see progress, that is their ROI. When boards can see their organization marching toward a more secure and compliant future, it signifies that the money is being spent in the right directions. Telling a board member how many denial-of-service attacks were blocked by your new firewall will not resonate as much as showing measurable progress against a framework, such as now being fully compliant with a regulation or law that applies to you.
- The provider should be vendor agnostic as well. Be wary of cybersecurity companies that bring lots of hardware and software with them without understanding what is best for your organization first. A cybersecurity provider cannot decide on every aspect of a complex cybersecurity program for your company based on an initial scoping meeting. The first year of the program should be designed to adopt a framework, set the baseline, build a foundation, construct an action plan, and integrate as one with your organization.
Year 2:
By this time, your newfound cybersecurity champion has accomplished the following:
- Painted an accurate picture of your cybersecurity posture, business risks, technological landscape, data valuation, and has set goals for the organization.
- Adopted a trusted control framework to follow and mapped it to the regulatory requirements that apply to you, whether those are PCI DSS, DFARS, HIPAA, FFIEC, NERC CIP, or others. Which framework and which obligations apply is determined by a number of factors, and the provider should have the expertise to determine the best route for your organization.
- Created an action plan and is continuously eliminating items on that list. These items can include the creation and adoption of security policies and procedures, reviewing potential software/hardware options, interviewing new IT and security staff members, and budgeting for more mature options as your cybersecurity program and business grow.
- Presented regularly scheduled reports to you and your board. These exercises should accurately relay risks, achieved mitigations, thwarted breaches, new exposures, and the continuously moving target of compliance. This is the return on investment for your cybersecurity program and is how you get more budget for next year.
So, by this time your provider has mapped out the next year for you and has leveraged a trusted framework to get there. By performing due diligence and making calculated moves, you have effectively turned your cybersecurity spend from a crapshoot into a laser-focused security operation.
Congratulations!
In this scenario, your budget has now been increased from $50,000 in year one to $100,000 in year two.
Why?
Because you now have a structured plan based on a trusted set of criteria and have avoided chaotically spending precious funds in random areas of cybersecurity. You have empowered a highly trained, unbiased, and experienced professional or firm to bring you to a new level of cybersecurity. Your board sees your due diligence, has learned from the process, and has become personally invested in the cyber-success of the organization. Board members are no longer external spectators to the cybersecurity actions in the company; they are now active participants who feel included, informed, and educated.
Lack of understanding, prioritization, and transparency is what creates low budgets for protecting your organization. With data breach stories flooding the news every day, organizations are not intentionally setting low budgets for you. They simply do not understand what they should be setting a budget for. It is up to you to educate them by implementing a structured approach, either internally or outsourced. You have now made the case to increase the budget based on the in-depth, precise, and continuous analysis that is being performed.
Pick your chess moves wisely and remember: even organizations with the latest (and most expensive) firewalls, intrusion detection systems, antivirus, and SIEM tools are breached. Creating an effective cybersecurity program begins with choosing the right person or company for the job. You can buy all of the latest technology on the market, only for it to become a collection of proverbial paperweights without the right resources and approach.
Start with the basics, take a step back, and spend your money in the right places.
To learn more about IGI's approach to managed cybersecurity, visit igius.com/managed-security/.