How to Prioritize Your 2021 Cyber Security Budget – 5 Tips for CISOs

By Tony Velleca

September 14, 2020

Our security needs have grown this year – yet, security budgets in the current economic climate are tighter than ever. 

According to a recent mid-year survey by Cyber Security Hub, 67.37% of cyber security budgets stayed the same or shrank in the last six months, and only 38.42% of the CISOs interviewed expect their budgets to increase in the next six months. This is the reality despite the fact that, alongside the rapid, worldwide spread of COVID-19, the number of cyber attacks has gone up.

So, how do you reduce your security risk in turbulent times with such limited spend? Without the budget, tough choices need to be made. Here’s a quick look at the specific perspectives and interests of CISOs on the one hand and of the C-suite on the other – and some insight on how to bring these differing viewpoints together to get the most out of your budget for 2021.

1. Adapting to the Sudden Changes of COVID-19

The C-suite looks at things from a different perspective. Its language is the language of risk – and cyber security is a top-three risk category. Regulatory compliance, for example, is simply one of the risks – and many of these risks have changed suddenly as a result of COVID-19.

The current language of the security team, by contrast, centers around projects and the technology roadmap – for example, the implementation of Identity and Access Management (IAM), Endpoint Detection and Response (EDR) or Data Loss Prevention (DLP). This is happening too slowly, and last year’s roadmaps are likely obsolete.

As companies have accelerated their digital strategies – and employees and third parties are working remotely – the risks have changed, particularly as much of the focus last year was based on privacy (e.g., GDPR). 

2. Understanding Your Spend from a Risk Perspective

Stated differently, the C-suite must focus on making sure security investments directly reduce business risk in a way that can be measured and explained.

Looking at risk the way an insurance company does means understanding the loss events, mitigating as much of this risk as possible through technology, process and training – and then potentially purchasing an insurance policy for the residual risk.

The C-suite will allocate more budget – if they can see the value in terms of risk. This is an important point because, while many see the Managed Security Service Provider (MSSP) market becoming increasingly commoditized, price is not necessarily the determining factor.

What’s key is to use a scenario-based approach to identify the risks associated with each top loss event. This approach evaluates the various paths an attacker might take to cause the loss event and identifies the prevention, detection and response strategies that most prudently achieve an “acceptable loss.”

Based on this information, we facilitate a business-oriented prioritization of each customer’s investment in detection & response. 

3. Assessing your Security Portfolio from a Risk Perspective

In the past three years, most CISOs have tried to capitalize on the many security innovations in a fast-changing market. Our experience is that many are now trying to understand the effectiveness of this portfolio – and reprioritize spend based on today’s business risks.

A company’s security portfolio is often a multi-layer “cake” of technical solutions in various states of adoption. The technology landscape is so dynamic that this changes in a matter of months. It is just as important to clearly explain whether the existing spend is performing as it is to propose new spend.

Our findings show that often 20–30% of technology spend may be removed with little impact on the risk surface. Organizations that adopt a scenario-based approach can assess the cost-benefits of the current technology investments – and make recommendations to optimize their security operations in accordance with these assessments.

4. It’s Not “If” but “When” – Cyber Security Looks More Like Disaster Recovery

As the attack surface expands due to the number and type of devices, and as employees and third parties work from home – and applications move from the data center to public clouds – security operations become more important and more complex. At the same time, the number of sources like Endpoint Detection and Response (EDR) and User and Entity Behavior Analytics (UEBA) is increasing, generating more alerts and exponentially more work. 

Many CISOs are losing sleep over the growing talent shortage and are therefore seeking to increase and improve security automation in order to reduce reliance on human security analysts for repetitive, high-volume tasks.

Others are interested in aligning security operations with IT processes via orchestration to drive down the response time. 

This is driving the trend toward handling the constant increase in cyber security threats through security orchestration, automation, advanced analytics, and proactive threat detection and threat hunting. The key here, however, is not the technology but the security operations process or security “use cases” – including digital playbooks – and how well these are performing.

To explain the value of this approach means looking at a new set of metrics to help understand the value of security operations from a risk perspective. MITRE’s Attacker Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a powerful tool for improving cyber defense by creating a smarter security operations center (SOC). 

5. Explaining the Cyber Security Budget – Making the Complex Simple

For CISOs, a key part of the job involves making sure the C-suite understands what gaps exist – and the risk they pose. 

That said, everything must be put in context. This means not only speaking the language of risk, loss events and attack scenarios, but also understanding what is classically referred to as risk appetite: aligning risk to the corporate strategy.

We can think about this in terms of a small set of key questions to make sure we have alignment. Here are some of those questions:

  1. As a company, do we want to be better than, at par, or less concerned about security risk than our competition?
  2. Are we currently ahead of, at par, or behind our competition?
  3. What are the new security risks (loss events) and what does this change in our approach?
  4. For aspiring digital companies, is cyber security an important part of our brand value proposition?
  5. For key loss events, what is considered to be an acceptable loss?
  6. In terms of risk (key loss events), where do we need to be in the next 6, 12 and 18 months? 

Align with Your Business Objectives

Question: Are you requesting a budget – or are you partnering with the business? 

CISOs can develop a better integrated ecosystem for cyber security operations by working in close collaboration with the C-suite. 

Discussions need to center around issues such as: What’s your organization’s appetite for risk? Where will investments make the biggest impact? How do you get more value from existing investments?

Thus, as a CISO, it’s essential to explain how your team is addressing gaps in the existing security ecosystem. It’s your job to make sure that everyone in the organization understands how each cyber security team member is connected to the organization’s goals and delivers on its value proposition.

We’d love to hear from you! To learn about how CyberProof is working with CISOs across the globe in strengthening cyber security ecosystems, please contact us.

Written by Tony Velleca
Tony is CyberProof’s CEO and is CISO at UST Global. Tony previously co-founded and was CTO at huddle247.com, rated by PC Magazine as one of the top virtual workspace solutions in 2000. He previously worked for Boeing and Rolls-Royce, Inc. focusing on conceptual design and optimized propulsion systems for next generation aircraft. He holds a BS degree in Aerospace Engineering from Georgia Institute of Technology and an MBA from University of California, Irvine.