How do you prioritize your cybersecurity investments?
CIO, 6 months ago
To complete Richard's answer, and in my opinion, there are three important criteria:
1. Cost reduction;
2. Risk reduction;
3. Increased income.
The answer has a lot to do with project portfolio management. Normally a specialist in this field will tell you that you must prioritize projects in a portfolio according to 5 factors:
1. Strategic alignment;
2. Commercial value;
3. Available resources;
4. Risks and dependencies;
5. Deadlines and schedule.
In my opinion, cybersecurity initiatives can be incorporated into several portfolios. But the idea remains the same:
Whether by your assessment of your posture, by the result of your risk assessments or by the nature of your incidents, you will be able to prioritize initiatives according to the level of risk. To this end, you will be able to give more points to initiatives that often reduce costs or increase your revenue (such as obtaining ISO-27001 certification if this is required of your customers). I also like to give weight to initiatives that support the business or achieve business objectives (Strategic alignment). Finally, certain changes can be made in your program depending on the available levers or current opportunities (availability of human resources for example).
CISO in Energy and Utilities, 6 months ago
Quite simply put, I look at protecting our "crown jewels" first.
Principal Consultant in IT Services, 6 months ago
Nikk, I agree with you. I have seen too many programs just try to protect everything instead of focusing on what is important to the business!
CISO in Government, 6 months ago
Risk-based approach to build out a long-term strategy based on gaps/findings/maturity assessments and, as I'm sure many others will echo, sometimes overridden by the "we have the funding, and this project has visibility."
But the pragmatic reality is simple: your investment priorities must be ensuring you have the fundamentals covered before moving onto the shiny things.
If you don't have a mature practice around the fundamentals, that's where your priorities must start. If you have all those ducks in a row, and are ready to push forward, some key thoughts:
1. I'm not investing in a new tool or program unless there's a reasonable expectation that I can replace/merge two or more existing products in my stack. New products that can demonstrate that capability are getting bumped up the priority list.
2. Vendor support: how are my staff getting up to speed on the usage and operation of a new investment? If the selling vendor(s) don't have a comprehensive (ideally baked into the total cost) training program, then it's not going to be an easy sell.
3. What business need or risk am I really treating here? Do I have a very specific answer? If no, then I need to ensure I'm actually investing in something worth investing in.
4. How much time are my teams going to need to invest in operationalizing this investment? Am I looking at a multi-year project or a multi-month one?
5. How does this align with my long-term roadmap?
6. What's the true cost? Vendors will not always be totally upfront. Find intel from other users to see if the actual cost maps to the numbers you were given.
That's just, off the top of my head, part of the calculus I use to decide if something's worth digging into.