Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

How can CISOs balance fluctuating budgets as the threats advance in volume, complexity and impact? 

Lawrence Munro, CISO at NCC Group - A CISO's Perspective

01 maart 2023

door NCC Group

It is fair to predict that this year will be a financially challenging one for many organisations. As is often the way in times of economic difficulty, budgets will be reviewed across the board, and could face  cuts.

Set against this backdrop, the cost of a cyber attack is rocketing: IBM Security’s The Cost of a Data Breach report found the global average cost of a data breach reached $4.35m in 2022. At the same time, threats are becoming more complex and frequent in nature.

Clearly, cyber security is a non-negotiable for any organisation. What is up for discussion, however, is how to invest in their security posture, to ensure the investment meets its needs and provides a ‘strong enough’ level of protection against risk. And if budgets are being reviewed by the board, CISOs have an important role to play in guiding these discussions.

 

With this in mind....

  • How can CISOs ensure that cyber security remains a spending priority?
  • How do you ensure no gaps in your protection at a time when budgets remain static, if not reduced?
  • And where should you focus your spend?

First, understand your organisation’s evolving risk appetite.

If your exposure has shifted - whether due to external market forces, or internal changes - it is likely risk appetite has shifted too.

New or updated regulation and legislation is being introduced at a rate of knots, and this can impact risk appetite.

  • Do your current controls meet all mandatory requirements?
  • Are you possibly overspending to meet certain frameworks or guidance?
  • Could your spend be better used for other controls?

Reputational risks also influence appetite. As we know, breaches can be financially costly, and reputationally so, too. Ensuring your security set-up has the right spend behind it to protect against or mitigate the fall out of an attack will be important if reputational damage is a key concern for your organisation.

Collaboration with peers, clients and even competitors is vital to understand shifting risk appetite and priorities that affect budgets. How an attack impacts your financial teams, is very different to how it will impact HR departments. So addressing individual team concerns and demonstrating how your organisation’s cyber security budget affects this, is important.

Increasingly though, there is a need to go beyond talking about cyber security solely in the language of breaches or reputational damage. A 2022 report from Forrester, CISOs’ Tactics To Win Every Budget Battlediscussed the need to factor in cybersecurity costs when calculating cost of sale (CoS) and cost of goods sold (CoGS); reviewing controls by ‘costs per customer’, the return on insurance policy coverage and costs per regulation, could aid Board-level budget discussions.

Don’t ‘over’ insure to mitigate risk.  Though insurance is a key tool in the arsenal to mitigate the impact of an attack, it should not be seen as a risk transfer strategy. With your premiums adjusted according to your risk profile, there’s a danger that some organisations may seek to ‘over’ insure, rather than putting the controls in place to prevent attack. Instead, take a balanced approach, where cyber insurance complements your security architecture, that helps to mitigate the immediate and long-term costs you could face in the event of a breach.

Making sure the tools you have at your disposal work smarter, rather than investing in a number of different solutions, should be a key focus for CISOs too. Undertake a detailed review of your control requirements, contracts and licenses. Is there overlap, where you have multiple licenses for the same type of solution - and can you opt to use the services from one provider, if so? Are there other solutions available that would better work together than your current tools, and provide more holistic protection?

Managing suppliers, as well as receiving increased focus from a regulatory perspective, could also be a route to mitigating costs. Think about how you can leverage inhouse expertise, educate and upskill, to strengthen your controls alongside supplier support, too. It will only elevate your security posture.

The stability of your supply chain and their vulnerability to attack is another aspect of managing suppliers; procurement due diligence often demands these checks, but increasingly, ongoing monitoring will be needed. Do they have vulnerability disclosure programmes you can review? Can you access its software bill of materials (SBOM), which details the patch statuses, versions, licenses and components present in its codebase? Consider this in budget discussions, as internal resource or third parties, such as software escrow services, may be needed to support recovery, just as it would if your organisation was the intended target of attack.

Never compromise your businesses risk. But in the face of economic difficulties, look to  take a more pragmatic approach - whether this relates to risk appetite, insurance, tools or suppliers.

Want to know more?

Read the full magzine.