By Eldon Sprickerhoff, Founder and Chief Innovation Officer, eSentire
When you do take your chances in a casino, it’s called gambling; when you do it in the boardroom, it’s called speculation. Regardless of where you like to take your chances, the one place you most definitely don’t want to place a risky bet is on your cybersecurity budget. As near-daily news headlines will tell you, the consequences of a data breach can be catastrophic and far-reaching, resulting in steep fines, severe regulatory penalties, damaged reputations and client loss.
Most companies don’t have endless resources to spend on securing their network, so it pays to maximize the budget you do have. Deciding how much to set aside (and for what purpose) can be a game of chance unless you have a sound strategy in place – it’s when you deviate from that plan that things can go wrong.
Cyber risk: your ace in the hole
The first step – and one of the most important – when it comes to maximizing your cybersecurity budget is to identify the most critical items using a risk-based approach. This ensures that you are optimizing your organization’s layers of defense for both risk reduction and cost by reviewing previous attacks and weighing potential future attack vectors. Specific “must-have” defense mechanisms should be prioritized (i.e., endpoint defense, multi-factor authentication and identification) ensuring that critical assets are highly protected.
Previously used defense programs and products should also be reviewed for efficacy and cost-saving purposes. For example, legacy products may be replaced for net cost/benefit, while checking to see if full capabilities can be fully employed. A risk-based approach tailored to the needs of the business itself will render the best results.
Other things to take into account include the size of your company, the type of data you collect, where your company and the bulk of your customers are located (for regulatory purposes), as well as what regulations apply to the data you collect and how attractive of a mark you are for external attackers, regardless of their intent.
“Set it and forget it” is not an option
The biggest mistake businesses make when building a cybersecurity budget is expecting any single “off-the-shelf” cybersecurity product, which once purchased and installed, will answer all of an organization’s cybersecurity concerns, both immediately and indefinitely going forward. It is critical that the efficacy of the entire security system be regularly tested and verified; “set it and forget it” is not an option.
Moreover, your cybersecurity budget shouldn’t simply consist of technical products, security services, or measures; it may be appropriate to include intangibles such as security awareness training and vendor security management. All too often, companies fail to take into account the ancillary costs that come in the wake of a cybersecurity event. When a serious event occurs, senior leadership will need to play a public-facing role – high-pressure interviews are not the time to practice one’s on-air media training skills.
Moreover, depending on the seriousness of a breach, you may find yourself needing to bring in outside help in the form of a public relations agency that specializes in crisis communications and legal firms with expertise in dealing with cybersecurity incidents, or even higher than anticipated fines and payouts to customers. It is best to have these external professionals chosen and prepared before an event occurs.
Measure twice, cut once
Once a baseline analysis has been performed, with an eye towards what new cyberattacks are probable in the coming year and the potential fallout from each, it’s time to reevaluate your budget. Because of the shifting nature of data privacy regulations, as well as any industry-specific regulations, it is strongly suggested that you review your budget annually.
If there are surprises that arise, they should be addressed during the next budget cycle. It also goes without saying that in the event your company experiences a cyber event, once the dust has settled, checking to see how your budget fared when faced with real and not theoretical costs is a good idea.
Increasingly, companies of all sizes are finding that it pays to utilize a Managed Detection and Response (MDR) solution. True MDR does more than detect threats – it takes a holistic approach and provides cost-effective, leading-edge protection against cyberattacks.
Unfortunately, all too many traditional security companies have jumped on the MDR bandwagon and simply rebranded themselves as providers of MDR services. When looking for an MDR provider, make sure they provide 24/7 services, comprehensive coverage that extends beyond the network, and take containment actions on your behalf.
Leveraging an MDR security solution that fits not only your budget, but your short- and long-term needs will go a long way to ensuring that the house always wins.
