Protecting What Matters: Determining How to Allocate Your Cybersecurity Budget
How to spend your next cyber dollar is a question you’ve asked yourself, and has likely been asked by your leadership team. The answer to that question should actually be straightforward: if it isn’t, then you should be reflecting on your entire cyber maturity program – not just deciding on which purchase order to sign off.
Let’s explore what goes into putting together a cyber decision-making framework that will help you answer the “next dollar” question confidently and in a sustainable way.
Put simply, your next dollar should likely be spent on mitigating your highest risk. But determining your highest risk is not necessarily as easy as it sounds. There are a few elements that go into making this assessment.
What do you need to protect?
Developing an asset inventory is a crucial first step in developing your approach. Get a handle on all of the digital elements that sustain your enterprise – the ownership, the dataflows, the sensitivity and criticality of each resource. This includes physical assets, virtual assets, and data. This will help you define your “crown jewels” and give you a perspective on the appropriate level of security required for each category of asset. After all, you don’t want to spend $1M protecting an asset that’s worth $1K: a thoughtful and comprehensive analysis gives you an understanding of where to focus.
How ready are you to protect it?
Just as it’s key to understand what to protect, it’s important to gauge what defences you have at your disposal to protect those assets today. A gap assessment considers the basic controls you need for your industry sector and type of operation; it lays out how close you are to having all the “table stakes” security safeguards in place. For example, it will consider your EDR capabilities: how ready are you to detect and respond to potential cyber incidents at each endpoint? It will look at fundamentals like your incident response management capabilities. If you don’t have a defined and tested plan for responding to an incident, your other investments will not seem worthwhile when your operations are at a standstill.
Identify and close gaps
With your crown jewels documented, any security gaps identified, and a policy structure defined, you now have a clear idea of the current state of your security posture vis-à-vis your desired state of readiness. You can size up your existing controls against published policies, client contracts and your chosen framework, and develop your roadmap based on that assessment. Your roadmap takes the form of a set of prioritized work packages required to close gaps and strengthen your security capabilities. Where to spend your next cyber dollar becomes clear.
Investing that next cybersecurity dollar
Your roadmap is your guide: your budget is dedicated to addressing the exposures that create the greatest risk to your business. To make the most effective investments in your program, you work systematically through the list, which is prioritized in short-, medium-, and long-term initiatives. Both “low-hanging fruit” and high priority/urgency issues are identified, and a plan can be activated to mitigate those risks.
Your decision-making is sound, because it’s based on an actual assessment of your security posture and the best information you have available. With this framework in place, you have a well-reasoned, defensible answer on where to make your next investment, framed in terms of business risk management, not tech-speak that can be opaque to executives and board members.
Refining the roadmap
As your security program becomes more mature, additional assurance and assessment exercises will be part of your roadmap. They help validate that the changes you are implementing are sound. These activities can take many forms.
For example, a vulnerability management process gives you an approach for identifying, assessing, and prioritizing potential weaknesses across the enterprise, including endpoints, workloads, and systems. Penetration testing will validate the efficacy of your security capabilities and identify any gaps. Tabletop exercises and incident response testing will help you identify any gaps between your preparedness for various scenarios. Security awareness training and testing will highlight where your teams are “cyber ready”, as well as identify areas of improvement. The results of these assurance exercises may create changes to your roadmap – it’s all part of the process.
Meanwhile, a threat/risk assessment will help you understand your complete threat landscape: not only potential threat vectors, agents and scenarios, but also asset sensitivities, vulnerabilities, existing controls and their effectiveness. The result is a document detailing the likelihood and impacts of the risks that your enterprise faces. This big picture is vital to help you evaluate whether you have the people, processes, and technology to meet your potential challenges, and complements your roadmap.
A last word
Don’t forget that this is not a one-and-done exercise! It is important to repeat the process regularly, at least once every few years. Recognize that your business never stands still: business imperatives change, systems come and go, the threat landscape and compliance requirements constantly evolve. Your risk profile will take different shapes as your business grows or changes course. With each iteration of your analysis, you will gain a better understanding of your environment and priorities, positioning you to continuously improve your cybersecurity posture.
We’re here to help
If you need help developing your cyber strategy, ISA Cybersecurity is here to help. Experienced, unbiased, and professional, we can help you understand, prioritize, and address your cyber risks, letting you confidently move forward in maturing your cyber programs and ensuring that you get maximum return on that next dollar of security investment.
Contact us today for more information.