In all businesses, whether they are struggling or not, there are times when the money you have does not cover what you need to spend it on. In most organisations, any time you are trying to manage the security budget is one of these times.
Good cyber security is a matter of getting the best bang for your buck. In many companies this focus is lost—management thinks more about buying the latest new toys. Instead, budget should be focused on two things: business risk, and business need. There is nothing more critical to the long-term health of the company than getting the business return needed to create resilience.
In most cases, investing in business cyber security is a matter of changing the internal focus from operations security controls (we need a firewall) to business-centric management (what is the best way to install and manage the firewall). Good business-centric management involves taking the long-term view and investing in business need, not flashy gadgets. A huge problem that organisations face is the attitude “invest in this shiny new (insert technology here), and your protection is complete.” We see it everywhere: The sales hype from every vendor that you can think about suggests your business can’t survive without their latest. The problem is that there is no silver bullet, no single cyber-crime prevention process that will deliver the nirvana of business protection.
Cyber security is made up of lots and lots of small wins: Getting each little piece in place, applying management and compliance to that component, then moving on to the next component. For instance, just look at the requirements for keeping an input device secure. It doesn’t matter if it is a computer, a tablet, a phone, a server or a cloud-based system— the same principles apply. You need an operating system, you should have the newest version available, it should be kept current with patches and updates, and it should be provided with some sort of malware protection. Apart from the initial purchase of the operating system, these components are all inexpensive and easy to manage. Once you know what needs to be done, the best way to do it is to put a management process or procedure around the system. This then adds to your compliance requirements.
Another area of great return is training and awareness. Train your staff and users in the proper ways of looking at cyber-crime, and the flow-on effect is quite astounding. You are no longer in a situation where anything can happen; you are now in a situation of more control. The internal situation changes because everyone on the inside is looking out for those issues that only you used to focus on. By teaching your users about complicated passwords, why you need them and how to create them, you are already on the way to better protection within your organisation.
Of course, passwords are just the beginning. You can go on to teach your employees about malware, email, or the other 2500 subjects that will make your organisation more secure. Most people are way too trusting; they believe everything that they are told and take everything digital as being written by God himself. The cyber criminals have done a really good sales job on everyone who enters the digital world. People believe it’s okay to click on or download anything they’re remotely curious about, and that their antivirus software will protect them. This is very dangerous, and part of your security spend should be focused on changing this thinking. Once they’ve been taught, you then have to make sure that they do not forget. You can achieve this through games, posters and additional awareness training. But just like with bathing, you have to do it regularly.
There are other areas (high end spend on technology or an in-depth internal compliance audit) where the initial spend has the best ROI for the organisation. Little wins allow you to build up a base of protection that you can then build upon further. The next budget can be used to increase or replace that front-facing internet system, upgrade to a more secure wireless connection, or acquire a better intrusion detection system.
If your security budget is limited (and whose isn’t?), it’s essential that you focus on processes, procedures and training, and that you spend on the most necessary areas rather than the most glamorous ones. By doing this, you will end up with a balanced security framework around your business—one that has the correct technology in place, is adaptable to change, and even complies with all of those pesky regulations. And that’s a lot more important than owning the latest shiny widget.