How to Effectively Spend Information Security Budget

Infosecurity Magazine asked three infosecurity experts how to spend an information security budget most effectively. This is what they said:

Kyle F. Kennedy - CISO, CyberSN & President,

“How do I spend my information security budget effectively?” is a question many security and business leaders are exploring. Can a security leader become clairvoyant and develop a security budget that protects their organization without knowing where or when the next attack may unfold? Yes, and here’s how:

1 - Speak business and board language
Understanding how your business makes money is critical to developing your security budget. Seems simple; however, many of my colleagues have strained relationships with business leaders within their respective organizations. Understanding your organization’s revenue streams is critical to understanding ‘what needs to be protected’ from a cybersecurity perspective.

As a security leader, you must map your budget and projects into protecting your revenue streams and creating new ones. If you can’t map a project or spend into these concepts, it’s not worth doing.

2 - Security frameworks help create empirical conversations
Security frameworks are growing in importance as security leaders recognize that using compliance as the main way to sell security spend to executives across the enterprise is based more on emotion as opposed to real empirical data that supports the story. The elimination of emotion from the conversation and deploying an empirical approach to an information security budget is critical for success.

3 - Expand your security budget to a business security budget
To reprioritize security budgets, security leaders must become entrenched in all aspects of business processes and understand their business’s revenue life-cycle and how that interacts with the life-cycle of cyber-attacks.

Cyber-attacks come in five stages: research, infiltration, discovery, capture and exfiltration of information. Business leaders – including the security leader – need to consider all five before deciding where to invest funds. As an industry, we spend a lot of time talking about the individual actors involved in a cyber-attack; however, the true focus should be on the fact that ALL of these actors are participating in a highly lucrative marketplace.

The reality is attackers will eventually get in and yet most security leaders spend the majority of their budget trying to stop the attacker from getting in as opposed to investing in other stages of the attack life-cycle.

Shifting investments to gain intelligence from systems and people to detect and interpret malicious activity and abnormal business patterns would increase organizational awareness around what things are getting in, thus preventing successful attacks. Knowing the abnormal from the normal before exfiltration of information keeps your organization in business, and that is the type of security budget the business and the board will invest in every year.

Marnix Dekker, IT Security Directorate, European Commission

Let's start with a recent cybersecurity news story: The FBI had to go to great lengths to get access to the smartphone of the San Bernardino killer. This man was not an IT expert and did not have a large corporate IT department supporting him either. His smartphone was delivered secure out-of-the-box, without spending any extra money on security products.

Built-in security is not only a trend in the consumer market: When a company buys a set of virtual machines from a public cloud provider, usually a variety of security features are included already: a DMZ, web application firewalls etc. So there is no golden rule for IT security spending, but there are some trends and rules of thumb.

In the last few years even the cyber-attacks of 'ordinary' cyber-criminals have become targeted and advanced, penetrating the basic defenses (anti-virus, firewalls) and ignoring all the compliance checklists and paperwork. The credo nowadays is "assume you are breached". So it is paramount to have a good last line of defense: a security operations team performing monitoring, detection and response. It is fair to say that many organizations have some catching up to do in this area. Most organizations have focused their spending in the past on compliance (paperwork) and fending off basic boiler-plate attacks (anti-virus, firewalls).

The costs of a reactive capability can be steep, especially at the start, when expensive tools need to be installed and fine-tuned. In larger organizations there are endless logs to sift through and endless suspicious events and correlations to analyze. Staffing the team can be hard and expensive, as experts are scarce, and incidents can take up a lot of resources just in terms of recovery. This means that in IT security operations there is a strong focus on tooling and automation: it is often said that the best security teams are small teams of highly skilled experts using highly automated sets of detection and intervention tools.

For a good balance between preventive measures and reactive measures across an organization it is important to look at best practices, to understand where improvements are most effective in reducing the risks. For example, SANS publishes a prioritized top 20 list of controls. Often legacy technology is harder to keep secure than modern technology. The best idea is to follow the incidents. If an organization has no incidents with mobile devices, but keeps getting incidents on legacy PCs, then it makes little sense to spend significantly on mobile device security.

Finally, it is good to periodically review the existing measures in place and see if they are still worthwhile, analyzing their return on investment. Mature organizations build various layers of defense (defense-in-depth). Over time, with the changing tactics of attackers and the changes in IT usage, certain security measures may become outdated. Many organizations, upon adoption of mobile working methods, need to switch from traditional corporate perimeter-based defenses to defenses implemented at the endpoints.

Andrew Rose, CISO & Head of Information Security, NATS

Perhaps surprisingly, I believe that spending the information security budget is one of the toughest challenges facing CISOs in the current environment. Here’s why:

•    Vendor obfuscation: We’ve all heard about the security product that ‘fixes all your problems’, but when you dig down it’s just a point solution. Vendors sell complex solutions to complex issues and they make promises their products often can’t deliver, so you never quite know what you are buying.

•    Consequence of purchase: There are unstated implications of any product purchase. Once you acquire a particular product, which paths are closed to you? How far can you upgrade this technology until it can’t meet your needs? How many staff do you need to operate this solution?

•    Choice overload: Each security vendor has a suite of products, and they all overlap. In addition, the security marketplace is so buoyant that non-security vendors are moving in too. You are now overwhelmed with choice. For example, need a vulnerability management solution? Do you buy the add-on for your anti-malware tool, your desktop management tool, your remote access tool, or buy a new tool altogether?

•    Straying ‘out of the box’: Vendors will bend over backwards to reconfigure their product to keep your business, and keep you out of the hands of their competitors, but at what stage have you twisted the product beyond its core capability and need to buy a different solution, with all the additional associated cost?

•    Unclear value proposition: The lack of clarity about a solution, the overwhelming number of alternatives, the long tail of consequences of the purchase, and the option to ‘make do and mend’ – using people and process instead of technology – mean that assessing value for money becomes an almost impossible task. It is like opening the box to a 100-piece jigsaw puzzle and finding that you actually have 4000 pieces, each individually priced, each defining a subsequent progression path, and none of them really fitting together properly.

So, those are the complications, but how should you spend the infosec budget?

•    ‘Best of breed’ is dead: No solution is 100%, so don’t go looking for it. Go with what works for you and build upon your existing infrastructure and investments.

•    Find unused features: What are you paying for that you are not using? Did you know that your anti-malware license also has DLP included if you install the latest version? Meet with your key vendors and get them to tell you how to maximize the value from their technology.

•    Upgrade licenses and versions: Without the need for new kit and reinstalls, what functionality can you get from just upgrading licenses and versions? What discounts can you get for customer loyalty?

•    Identify the big gaps: After expanding the current tools, where are the other gaps you have? Do they need specific solutions that can be met by your partnered vendors? Don’t discount open source solutions for specific needs.

Overall, seek value and partnerships. Find vendors you can trust and expand their coverage; that way integration issues become their problem, not yours, and each asset should become increasingly discounted.