How can leaders improve their cybersecurity posture when dealing with budget constraints?

CIO in Telecommunication, 2 years ago
Part of the whole cybersecurity strategy is ensuring that you’re a sufficiently difficult target, so any bad actors will look for an easier option. I don't have to be perfect, I just have to be some percentage more difficult to breach than anybody else; then I’m not worth the effort. You can never be perfect. There's always more you could do with security, but you have to balance it against your budget and the other initiatives that you have. You need to make sure you're not the easy target.

I try to take a multitude of perspectives against what I'm doing to see where I might have a weakness. We look at it from a defense in depth perspective: How many layers of protection do we have in place? We look at it from an identity management perspective: How do we know the people that come into our IT systems are the right people, with the right devices, at the expected locations? A resilience perspective could be a third way to look at it: if all that fails, how am I protected in terms of backup/restore for business continuity? Speed is another factor. How quickly could I detect an issue, or potential issue, and then how quickly could I respond?

I'm always trying to search for new perspectives as well: What do other industries do? The financial industry is a huge target for a lot of attacks, so who are the biggest targets and what are they doing to protect themselves? What tools are they using? What's their philosophy? I try to put myself in their shoes and see how that impacts my company, my industry, and how I'm doing things. Benchmarking plays into it a bit, but it's more about seeing the approaches taken by my peers and how theirs differ from mine. Could I do something the same or similar? Could I take that approach and add something more onto it, so I’m ultimately a harder target and not worth the effort?

I think the answer is to focus on the basics first, things that should already be in the budget — system patching and maintenance, backups, encrypting your data, multi-factor authentication for remote and administrative access to systems, and security training and communication with the business to keep the risk top of mind. Then build out your security program from there.
CISO in Software, 2 years ago
There is always a price to pay for security. The price is either monetary or in terms of time, effort, and process overhead. The question is, what can you afford? For the most part, significant savings in cost can be achieved by:
1. Tool rationalization, or ensuring that you are getting the maximum from any tool/technology that you are already using by leveraging all the features it has to offer. There have been circumstances where we have leveraged L3 switches and routers with the right configurations as basic firewalls.
2. Implementing stringent processes. A lot of tools are focused on automation and workflows for activities that can be completed with discipline and process rigor (e.g. privilege management can be significantly covered with stringent authorization and approval processes, following the principle of least privilege by design, and regular access reconciliations). To make this scalable, we move to the next point.
3. Tying in accountability for security with critical stakeholders. This helps you scale any manual processes you might have, given that the organization is committed to the security program and the only challenge is the budget. Accountability reviews can be covered by periodic audits.
4. Qualitative risk management and compliance management, as an example, can be done manually as long as there is a structure and a defined framework.

At the end of the day, let us face it, convenience and speed cost money! Quality can be achieved with some rigor in processes. The program leader needs to verify which luxury the company accords to the security program.
CIO/CISO in Healthcare and Biotech, 2 years ago
Although you do need to invest in tools and controls to fortify your posture, I would argue a great deal of tools purchased are to mask gaps in end user empowerment and engagement in your posture, as well as gaps in process/policies. You don't need a great deal of monetary investment to shore up these two critical areas.
Director, Security Operations in Telecommunication, 2 years ago
Even with a limited budget, there's much that can be done. Start by focusing on the basic blocking and tackling, such as understanding the environment/asset inventory, keeping up with vulnerabilities and patching (this should include some form of scanning, for which there are several tools available at low/no cost), and ensuring that you have solid policies in place with a focus on credential protection and system backup and restore.
Director of Information Security in Energy and Utilities, 2 years ago
Others already provided you with some strategies and approaches to your question. Before you spend a dollar of your budget or a minute of your staff in the name of security, I would ask these three questions:

1) What is the risk?
2) Is it the biggest risk?
3) Is it the most effective way to address that risk?
