2017-04-07

Infosecurity Magazine asked three infosecurity experts how to most effectively spend information security budget. This is what they said:

Kyle F. Kennedy - CISO, CyberSN & President, brainbabe.org

“How do I spend my information security budget effectively?” is a question many security and business leaders are exploring. Can a security leader become clairvoyant and develop a security budget that protects their organization without knowing where or when the next attack may unfold? Yes, and here’s how:

1 - Speak business and board language

Understanding how your business makes money is critical to developing your security budget. Seems simple; however, many of my colleagues have strained relationships with business leaders within their respective organizations. Understanding your organization’s revenue streams is critical to understanding ‘what needs to be protected’ from a cybersecurity perspective. As a security leader, you must map your budget and projects into protecting your revenue streams and creating new ones. If you can’t map a project or spend into these concepts, it’s not worth doing.

2 - Security frameworks help create empirical conversations

Security frameworks are growing in importance as security leaders recognize that using compliance as the main way to sell security spend to executives across the enterprise is based more on emotion as opposed to real empirical data that supports the story. The elimination of emotion from the conversation and deploying an empirical approach to an information security budget is critical for success.

3 - Expand your security budget to a business security budget

To reprioritize security budgets, security leaders must become entrenched in all aspects of business processes and understand their business’s revenue life-cycle and how that interacts with the life-cycle of cyber-attacks. Cyber-attacks come in five stages: research, infiltration, discovery, capture and exfiltration of information. Business leaders – including the security leader – need to consider all five before deciding where to invest funds. As an industry, we spend a lot of time talking about the individual actors involved in a cyber-attack; however, the true focus should be on the fact that ALL of these actors are participating in a highly lucrative marketplace. The reality is attackers will eventually get in, and yet most security leaders spend the majority of their budget trying to stop the attacker from getting in as opposed to investing in other stages of the attack life-cycle. Shifting investments to gain intelligence from systems and people to detect and interpret malicious activity and abnormal business patterns would increase organizational awareness around what things are getting in, thus preventing successful attacks. Knowing the abnormal from the normal before exfiltration of information keeps your organization in business, and that is the type of security budget the business and the board will invest in every year.

Marnix Dekker, IT Security Directorate, European Commission

Let's start with a recent cybersecurity news story: The FBI had to go to great lengths to get access to the smartphone of the San Bernardino killer. This man was not an IT expert and did not have a large corporate IT department supporting him either. His smartphone was delivered secure out-of-the-box, without spending any extra money on security products.

Built-in security is not only a trend in the consumer market: When a company buys a set of virtual machines from a public cloud provider, usually a variety of security features are included already: a DMZ, web application firewalls etc. So there is no golden rule for IT security spending, but there are some trends and rules of thumb.

In the last few years even the cyber-attacks of 'ordinary' cyber-criminals have become targeted and advanced, penetrating the basic defenses (anti-virus, firewalls), ignoring all the compliance checklists and paperwork. The credo nowadays is "assume you are breached". So it is paramount to have a good last line of defense: a security operations team, performing monitoring, detection and response. It is fair to say that many organizations have some catching up to do in this area. Most organizations have focused their spending in the past on compliance (paperwork) and fending off basic boiler-plate attacks (anti-virus, firewalls).

The costs of a reactive capability can be steep, especially at the start, when expensive tools need to be installed and fine-tuned. In larger organizations there are endless logs to sift through and endless suspicious events and correlations to analyze. Staffing the team can be hard and expensive, as experts are scarce and incidents can take up a lot of resources just in terms of recovery. This means that in IT security operations there is a strong focus on tooling and automation: It is often said that the best security teams are small teams of highly skilled experts using highly automated sets of detection and intervention tools.

For a good balance between preventive measures and reactive measures across an organization it is important to look at best practices, to understand where improvements are most effective in reducing the risks. For example, SANS publishes a prioritized top 20 list of controls. Often legacy technology is harder to keep secure than modern technology. The best idea is to follow the incidents. If an organization has no incidents with mobile devices, but keeps getting incidents on legacy PCs, then it makes little sense to spend significantly on mobile device security.

Finally, it is good to periodically review the existing measures in place, and see if they are still worthwhile, to analyze their return on investment. Mature organizations build various layers of defense (defense-in-depth). Over time, with the changing tactics of attackers and the changes in IT usage, certain security measures may become outdated. Many organizations, upon adoption of mobile working methods, need to switch from traditional corporate perimeter-based defenses to defenses implemented at the endpoints.