4 steps to spending your cyber budget wisely

Focus on the business“Many organisations make the mistake of allocating security budget based on something other than risk to the organisation,” says Jim Doggett, CISO at Semperis. “Too many discover a new, ‘shiny’ tool and find a reason to implement it – without significantly reducing risk.”The smart allocation of security budget is not about point solutions or the latest technological innovations, but about identifying risk and reducing it.“You must prioritise which systems your business relies upon and cannot do without even for a short amount of time,” says Joseph Carson, chief security scientist and advisory CISO at Delinea.“You must also perform a risk assessment on the most likely hacker techniques that will target your business and sometimes this can be done via a penetration test or purple team activity to help identify the most likely attack path. This will help you prioritise security solutions that will minimise those risks.”Avoid common mistakesCommon errors include protecting individual systems rather than thinking about the services those systems provide and how they support the business. “Consider a business service design and ensure that even the small systems that are part of the service are well protected, as those are the systems that tend to be overlooked,” suggests Carson.Short-term fixes are another frequent trap as these simply add to your technical debt and result in point solutions that have short lives but large costs.“Often, there are different silos of organisations using various tools for different purposes, and those tools don’t always work or talk well with one another,” explains Daniela Streng, VP sales EMEA for Invicti. “Additionally, sometimes different parts of organisations are using different tools for the same purpose without even realising it! It’s important for organisations to centralise and simplify their security testing with fewer, more robust tools.”Spend in the right placesOften it’s not a matter of spending your budget in the right places but ensuring you don’t spend it in the wrong ones.“Organisations often allocate money to acquire security tools but fail to budget for the processes that they’ll need to implement and the people they’ll need to manage,” warns Doggett. “Getting a return on such investments is difficult, and the projects tend to take much longer than planned.”Also, the wrong solution can actually cost you money. Something that produces large quantities of false positives is going to tie up valuable staff and resources, says Streng.“Whenever a false positive scan result needs to be investigated by a security engineer, penetration tester, or application developer, the result of that investigation is only as good as that person’s skill, experience, and patience,” she says. “A large number of false positives forces developers to waste precious time checking their source code for non-existent defects, and ultimately, skip these troublesome security checks.”When in doubt, organisations may be tempted to chase the latest security technologies in the belief that they must be better, without properly matching them to their actual needs.Measure the effectWhen the money has been spent, the next step is to see if it’s working. Not suffering a breach is no guarantee you’re doing the right thing.However, according to Brian Martin, head of product, strategy and innovation at Integrity360: “If you are investing in security appropriately, you will know if it is being effective. You will be tracking your security metrics to help determine if the investments are delivering value. Visibility and control are a key aspect of cybersecurity, so if you are flying blind and hoping for the best, it’s likely that you are either very lucky, or more likely, you have been breached and you are not yet even aware of it.”Above all, bear in mind that security involves a mix of technology and people.“To start, take a full audit of your tools, and get feedback from your end users,” says Streng. “It is important to focus on having solutions that enable your team to do their best work.”Text by Steve Mansfield-Devine

4 steps to spending your cyber budget wisely

4 steps to spending your cyber budget wisely

Related content

Sophos Announce Agreement to Acquire Secureworks

Onwards and Upwards – The CISO Role is Evolving

Rapid7 Announce Intent to Acquire Noetic Cyber

CISOs Acknowledge Business Friction with Leaders

#infosec24: Three Days of Learning, Advancement and New Names

Everfox in Definitive Agreement to Acquire Garrison Technology

#AWSreInforce Establish Security Culture to Sustain Your Business

Upcoming Events

Securing Data in the Cloud: Advanced Strategies for Cloud Application Security

4 steps to spending your cyber budget wisely

4 steps to spending your cyber budget wisely

Related content

Sophos Announce Agreement to Acquire Secureworks

Onwards and Upwards – The CISO Role is Evolving

Rapid7 Announce Intent to Acquire Noetic Cyber

CISOs Acknowledge Business Friction with Leaders

#infosec24: Three Days of Learning, Advancement and New Names

Everfox in Definitive Agreement to Acquire Garrison Technology

#AWSreInforce Establish Security Culture to Sustain Your Business

Upcoming Events

Securing Data in the Cloud: Advanced Strategies for Cloud Application Security

Confirm cancellation

Sign up benefits