Money might make the world go round, but how do you keep the security wheel turning when finances are tight? Michael Hill explores.
Security leaders are widely understood to find it difficult to spend their budget effectively, and it is undoubtedly a significant challenge. Securing a company from the full range of modern cyber-risks has never been a more nuanced task, and even when the available finances are handsome, the most extensive information security program in the world won’t combat every single cyber-threat out there.
When funds are modest, that difficult task can seem even more complicated, intensifying the importance of making the right investments in the right products, services and training, and heaping pressure on the decision-maker to achieve return on financial outlay without sacrificing efficiency.
“Having a small security budget can create challenges as the security team will be smaller and the number of security products will be greatly decreased,” says Jason Kent, CTO at security consulting company AsTech. “If all the security budget is allocated to security staffing, the tools and ongoing training will be greatly diminished. If spending is too heavily focused on products, the team will have untrained drivers and decrease the overall impact of the security program.”
So what do you do when the budget you have at your disposal is tight, or worse, really isn’t enough?
Money on My Mind
As Dr Jessica Barker, co-founder of Redacted Firm and ClubCISO board member, tells Infosecurity, a small budget can have a big impact on the mindset of a security leader, affecting their confidence and perceptions about the options available to them.
“The main difficulty is knowing where to spend your limited resources and not feeling daunted that this is an impossible problem,” she says. “I think having a small budget can also feel undermining, because it could feel as if you do not have access to the tools that you need. Even in a large organization which has healthier budgets elsewhere in the business, if security is given a small budget, this can also send a message that security is not prioritized or valued.”
Serge Borso, adjunct instructor at SecureSet, a Denver-based immersive, accelerated cybersecurity academy, agrees: “A lack of budget can have a profound impact on the confidence of leadership and that can translate to lower morale in the security team. Making a purchase to protect the enterprise, or hiring the right person for the job, requires budget. Without the funds to make these expenditures, security leaders naturally have diminished confidence in their efforts to secure the enterprise and ultimately do their job.”
What’s clear is that a tight budget can create a great deal of concern for security leaders about their ability to reach the security maturity they want. As Raef Meeuwisse, ISACA governance expert and author of Cybersecurity for Beginners, points out, however, most practical issues actually arise not from a lack of budget, but because budgets are frequently pointed at the wrong initiatives.
Money, Money, Money
For example, it is easy to be locked into a cycle where the money is being absorbed by reactive responses to security incidents, he explains.
“A small organization can find itself with a very vulnerable network, constantly chasing down infections, isolating and rebuilding devices. They find it difficult to step back from the situation to learn about what they should be doing and then to invest in re-building a more efficient and secure environment.”
Likewise, with data breaches becoming so common and liabilities spreading quickly, there has been a noticeable uptake in companies outlaying their money on cyber-insurance to support them should the worst happen. However, as Steve Durbin, managing director of the Information Security Forum, tells Infosecurity, though this type of investment has become a practical choice for a growing range of organizations and industry sectors, it would be a mistake to view it as a replacement for sound cybersecurity and cyber-resilience practices.
“On the contrary,” he continues, “well-resourced and industry and standards compliant practices can oftentimes positively reduce the associated premiums for cyber-insurance.”
There’s also the fact that the cybersecurity product market is a saturated one, Meeuwisse adds, and “it is often the products with the highest marketing budget or highest profile that get purchased, but those products are frequently far from being the most effective places to spend the money. I frequently see enterprises locked into multi-year deals for ineffective security products and services – and unable to justify migrating or implementing what they really need.”
On a similar note, with the candidate pool for proficient security professionals already limited, attracting and retaining the right people who want to work on mission critical projects can be made harder when there is limited budget for security endeavors, Borso says.
There’s certainly a lot to consider when it comes to spending a budget. No security leader wants the feeling that their security is shackled by any means, least of all money. However, as Scott Petry, CEO and co-founder of Authentic8 explains, any notion that effective security is not achievable without big bucks is simply that, a notion.
I Need a Dollar?
“You don’t need a massive budget or the latest whiz-bang tech to manage a secure environment,” Petry says. “The challenge is to balance what’s at risk with countermeasures to protect those assets.”
Borso echoes similar sentiments, explaining that it all comes down to prioritization and, while this is going to be specific to each business, one constant to focus on is organizational risk tolerance. “Prioritize spending to help secure the most vulnerable, highest risk assets,” he advises.
If that organizational risk is a legacy network model, then Meeuwisse’s guidance is to ditch it and move to individually resilient devices and services, as he did in his own small company. He now operates a zero-trust network that uses cloud services; all devices have PowerShell disabled, run with a restricted whitelist of applications and have orchestrated AI anti-malware – and he’s saved money along the way!
“Two years ago I binned the legacy network that had cost me a five-figure sum to implement and replaced it with something that is not only more resilient but also cost me less than 20% of its predecessor,” he says. “Great security can both boost productivity and turn out to be cheaper than living with network models that are no longer fit for the modern cyber-threat landscape.”
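The controls Meeuwisse describes (an application allowlist with PowerShell blocked) are the kind of posture a small team can verify for free from a device's exported AppLocker policy. The script below is an added example, not code from the article or from anyone quoted in it; the sample policy is constructed in the shape that `Get-AppLockerPolicy -Effective -Xml` exports, and the set of PowerShell hosts it expects to see denied is an assumed baseline, not something the article specifies.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an exported AppLocker policy
# (`Get-AppLockerPolicy -Effective -Xml`); it is not any real device's policy.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="r1" Name="Allow Windows" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="r2" Name="Allow Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="r3" Name="Deny PowerShell" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe"/></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly"/>
</AppLockerPolicy>"""

# Assumed baseline: a "PowerShell disabled" policy should deny, for Everyone
# (S-1-1-0), both Windows PowerShell copies and any separately installed pwsh.
EXPECTED_DENIES = (
    r"%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe",
    r"%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"%PROGRAMFILES%\PowerShell\*\pwsh.exe",
)

def parse_policy(policy_xml):
    """Return ({collection type: enforcement mode}, set of paths denied for Everyone)."""
    root = ET.fromstring(policy_xml)
    modes, denied = {}, set()
    for coll in root.findall("RuleCollection"):
        modes[coll.get("Type")] = coll.get("EnforcementMode", "NotConfigured")
        for rule in coll.findall("FilePathRule"):
            if rule.get("Action") == "Deny" and rule.get("UserOrGroupSid") == "S-1-1-0":
                for cond in rule.iter("FilePathCondition"):
                    denied.add(cond.get("Path", "").lower())
    return modes, denied

def audit(policy_xml):
    """List the gaps between the policy and an enforced allowlist with PowerShell denied."""
    modes, denied = parse_policy(policy_xml)
    gaps = []
    for ctype in ("Exe", "Script"):
        mode = modes.get(ctype, "NotConfigured")
        if mode != "Enabled":
            gaps.append(f"{ctype} rules are {mode}: allowlist is not enforced")
    if modes.get("Exe") == "Enabled":
        for path in EXPECTED_DENIES:
            if path.lower() not in denied:
                gaps.append(f"no Everyone deny rule for {path}")
    return gaps

if __name__ == "__main__":
    for gap in audit(SAMPLE_POLICY) or ["no gaps found"]:
        print(gap)
```

On the constructed sample the audit reports that script rules are only audited and that two of the three PowerShell hosts have no deny rule, which is exactly the kind of gap that is cheap to close once you know it is there.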
For some organizations, the greatest risk will be lack of user awareness, and so dedicating a significant budget portion to employee training will be more cost-effective than the latest piece of shiny, expensive kit.
“There is no shortage of open-source solutions that do an excellent job; the trick is to have a well-educated, proficient, motivated team that has the ability to architect solutions and implement them to 100%,” Borso argues.
Conversely, if it is a vulnerability management solution you’re after, they’re not cheap, so there’s value to be found in investing in services that are managed externally and create curated actions, advises Kent. That allows for a smaller budget to derive the most worth, particularly if internal resources are lacking.
“Similarly, network monitoring doesn’t have to mean building out and staffing up a SOC. There are great virtual SOC options out there that also manage their products. This makes for a high value proposition in that products, practitioners, maintenance, implementation etc. are all taken care of and only engaged when needed,” he says.
Other low-budget strategies include “banding together with peers to get more purchasing power and acting as reference customers to get larger discounts on security products,” adds Wendy Nather, director, Advisory CISOs, Duo Security.
It all comes down to taking “an attacker’s eye view of your organization,” explains Dr Barker, establishing what information you have and how somebody malicious could benefit from it.
“Getting different people from the business involved in this conversation is really valuable, from people who ‘own’ the information to anyone in the organization with legal and PR expertise.”
That’s not to say that you solely have to look within though, Dr Barker adds, as cybersecurity professionals and organizations gain and share their knowledge and guidance via Twitter, conference presentations and blog posts, “which is really beneficial for organizations with lower budgets.”
Petry puts it simply: “don’t let the market tell you that you need to spend a lot of money for good security – you don’t.”
Mo Money, Mo Problems
In fact, far from being an inhibitor to good security, with the correct approach Barker believes a smaller budget can actually help companies make their security posture more effective.
“Having a restricted budget can lead to creativity and even to the security team being more in-touch with their threat model and the organization as a whole,” she explains. “When you have a smaller budget, you have to be very considered with how you are spending it. This can lead to teams doing more analysis or research, rather than simply relying on throwing money at the problem.”
However, Nather argues that there should be more, and better, support in place to help companies get that right. “The closest we can come is prescriptive compliance standards such as PCI-DSS, but they don’t cover all risk cases,” she tells Infosecurity. “We need to provide expertise, skills and influence to help those with low budgets even if we don’t directly offer them money.”
Meeuwisse agrees, suggesting there have been [for example] some government mandates pushing costly, low-value security options where the same budget could have been more effectively deployed. “I made the case in January 2017 that in place of mandating DMARC for email across UK government services, the UK government should have purchased a state license for some AI anti-malware. Had they taken that advice, they would not have had the NHS WannaCry crisis in May of that same year.”
You don’t need to break the bank to build and implement effective security, but you do need to invest time and energy in establishing what your most valuable assets, and your greatest threats, are. Knowing what you have, who’s using it and how it’s configured doesn’t cost anything, but it does set you a long way along the path to establishing what your best, most cohesive security plan needs to be.