10 min read
Success starts with a well-planned strategic budget. Face the fear…now’s the time to plan for powerful yet practical cybersecurity.
As the owner of your organization’s cybersecurity operations, you’re facing some major challenges:
- Cybersecurity may be perceived as a cost center instead of a revenue enabler.
- Cybersecurity is complex and ever-changing.
- Cybersecurity vendor fragmentation leads to buyer hesitation and implementation frustration.
Fear, uncertainty, and doubt are all normal experiences for IT pros trying to plan out their cybersecurity budgets, but it doesn’t have to be the norm. Cybersecurity success starts with a comprehensive plan that covers you today, with an eye on flexibility and adaptability for tomorrow.
So, how do you overcome these challenges, get budget approval, and start executing?
Challenge #1: Cybersecurity Vendor Fragmentation
Begin identifying your solution needs by these four components below to give context to the board and management as to what is involved in a comprehensive cybersecurity plan.
At last count, the cybersecurity market is made up of hundreds of technology vendors covering over a dozen categories. In a market where technology hype changes constantly, and mergers and acquisitions are rampant, how do you architect a cybersecurity plan and budget that is focused on outcomes that can also be implemented reliably? We recommend using the Defense-in-Depth approach and planning by these four areas:
- Predict: Focus on the capabilities necessary to identify your assets, gather and leverage global and local threat intelligence, and instill rigorous vulnerability management practices.
- Prevent: Optimize your capabilities to stop most cyber attacks through advanced endpoint protection that leverages deep learning to stay ahead of constantly mutating malware and ransomware.
- Detect: With your attack surface reduced through powerful prediction and prevention, ensure you have absolute visibility of your network, your cloud environments, and your endpoints. Extended Detection and Response (XDR) should be paired with the MITRE ATT&CK framework to automate and improve correlation and alert context.
- Respond: Visibility, coverage, and accurate alerting is nothing without a diligent team ready to respond around-the-clock with a rehearsed incident response plan.
Remember, without all four of these “walls” of your cybersecurity operations, the other three are guaranteed to fail at keeping cyber attacks at bay.
Budget Efficiency Tip: Cybersecurity costs are frequently exacerbated by choosing too many separate point-solutions that are costly to integrate and lack economy of scale. Consolidate where you can. Whether that be a platform that delivers on all four core capabilities, or a managed service that delivers the platform and people – or both.
Challenge #2: Completeness and Adaptability
It is crucial that your cybersecurity solutions work in real-world scenarios and aren’t rendered ineffective by A) limitations of your staff, B) business needs of your network, or C) an inability to keep pace with the ever-changing threat landscape. Keep in mind that many cybersecurity technology vendors will tout lab testing results that conflates efficacy (performance in a controlled environment) with effectiveness (performance in real-world conditions).
Review your proposed solutions based on completeness and adaptability. Does the solution require you to provide unrealistic expertise and resources to maintain, tune, and tweak? Can the solution easily deploy new security controls without arduous manual configuration changes or rip-and-replace upgrades?
To be complete and adaptive, identify your solution needs by both platform (technology) and people (in-house staff and augmentation) to show the board and management that there is no “silver bullet” technology, but rather, a required combination of human and machine intelligence.
- Platform: The technology required to deliver a defense-in-depth cybersecurity operation.
- People: A combination of in-house staff and external expertise to guarantee coverage and skill at every stage of a cybersecurity incident.
Challenge #3: Cybersecurity Culture and Perception
Your most difficult challenge may be addressing the misperception of cybersecurity as a cost center and not as investment protection or as a growth enabler. In an increasing digital world, cybersecurity measures should be commonplace. The “attack surface” is nearly everything today – mobile and IoT devices, plus remote work is exploding. So, the question is, how do you address a culture that would want to know the least you can do verses how to ensure that customers and revenue are protected while being able to innovate without interruption?
This challenge is certainly one that will require sophisticated communication and presentation skills. The greatest of cybersecurity plans and cost-effective budgets can die with culture and perception challenges. So, how do you get past this last hurdle?
- Communicate risk in terms of both impact and probability. Too many times, cybersecurity leaders will focus on communicating impact statistics and what the cost of a breach, both direct and indirect, will be to an organization. However, by not addressing probability, the argument is dismissed and cannot be countered. Don’t let the “it won’t happen to us” deflection kill your budget proposal. Have relevant statistics to illustrate just how likely it is to “happen to us”.
- Get leadership to articulate their risk tolerance. With both impact and probability data in-hand, now your leadership group has to make a clear-cut decision about their risk tolerance. Are they OK with an X-percent chance of an incident that can cost Y-dollars to remedy and Z-hours in productivity? This makes the situation undeniably real and forces the inconvenient problem to be confronted.
- Position cybersecurity as both a risk mitigation and growth enabler. The leadership group should also be asked if they would agree to invest your proposed amount to mitigate that risk and ensure productivity and innovation plans for the coming year are not interrupted?
Cybersecurity Budget Matrix
While simple in nature, this view helps illustrate the need for a cybersecurity capability at every stage of the threat lifecycle with both the technology and human resources to operationalize it. It also helps to break down a seemingly large single figure into distinct categories that communicate a tangible value to the board and upper management.
| Predict | Prevent | Detect | Respond | TOTAL | |
|---|---|---|---|---|---|
| Platform | Vulnerability Scanning, Threat Intelligence | EPP, FIM, Application Control | SIEM, UEBA, NTA, IDS | XDR, SOAR | $ |
| People | Vulnerability Management | Malware Analysts | Threat Hunting | Security Analysts | $ |
| TOTAL | $ | $ | $ | $ | $ |
When you pair this cost with the Risk Impact and Risk Probability a more productive conversation can take place around where, if anywhere, budget allocations may be reduced – by capability (Predict, Prevent, Detect, Respond) or by resource (Platform, People).
Your cybersecurity budget planning efforts must be linked to your unique situation in-house. Seek ways to break down barriers by leading with the most pressing concerns of leadership. This isn’t always a simple process. It may take a year of building relationships, socializing ideas, and planning. But when you stay the course with regard to what’s best for your organization, while carefully making the case based on your organization’s needs, you will fly over hurdles.
