This post was originally written and posted on StaySafeOnline by Max Emelianov on March 13, 2019.
I’m going to start this piece off with a statement that you may find a little controversial: it doesn’t matter how much you spend on cybersecurity.
Before you bounce from the page, allow me to explain. How much you spend matters very little. It’s how you spend it that makes a real difference.
Too often, I see businesses throwing away money on point solutions that they ultimately never use. I see them implement new technology but fail to leverage its full potential. I see them invest in protecting areas that don’t represent a risk to their data while ignoring areas that do.
“A lot of [cybersecurity technology] gets acquired and is not leveraged,” explains Tom Parker, Managing Director of Accenture Security. “A lot of the time it’s about having organizations understanding the value of what they have already invested in…It’s easy for us in this industry to say ‘sure you need more budget and give us more money,’ but the reality is the conversation you want to have is not about how much money you have to spend, but how to spend smart money on the problem.”
So, how do you spend smart on cybersecurity? How do you ensure your investments aren’t just wasted capital and the time and resources you expend actually protect what needs to be protected? It all starts with understanding your organization.
Know Your Infrastructure
What devices do your employees most frequently use in the workplace? What mobile devices are present in your organization and how do your employees use those devices? What endpoints exist both inside and outside of your office?
How does data flow between all these endpoints? What are your most sensitive files – what does your business need to protect above all else and why? Where are those files stored and who has access to them?
Last but certainly not least, what apps are critical to employee workflows and what potential security risks do they pose?
These are all questions you need to answer before you can form even a partial understanding of where and how to invest your security budget. But this isn’t the only information you need to know. It’s also critical that you understand the threat landscape facing your business and that you incorporate some form of threat intelligence solution.
Incorporate Threat Intelligence
As you’ve probably surmised, threat intelligence should be one of your first investments. Threat intelligence is information about the adversaries, techniques and indicators of compromise relevant to your business; paired with monitoring of the assets you identified above, it lets you detect, analyze and respond to threats rather than discover them after the fact. How advanced those monitoring systems need to be depends on your budget and the expertise you have in house.
On the one hand, you might settle for network monitoring that alerts your administrators whenever suspicious behavior occurs, such as a connection to a known-bad address. On the other, you might employ advanced processes, tools and techniques such as machine learning, data analytics and Security Information and Event Management (SIEM) platforms. If you have the budget and the expertise to do so, there’s no harm in employing such tools.
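To make the “network monitoring that alerts on suspicious behavior” idea concrete, here is an added example that is not part of the original post: a small Python script that checks constructed outbound-connection log lines against a constructed indicator feed (known-bad IPs and domains) and also flags a scan-like pattern (one source contacting many distinct destinations on the same port). The indicator values, hosts, log format and thresholds are all made up for illustration; a real deployment would consume a vendor or community feed and window the counts by time.

```python
"""Added example (not from the original post): match constructed log lines
against a constructed IOC feed and flag scan-like fan-out.
All addresses, domains and thresholds below are illustrative assumptions."""
import re
from collections import defaultdict

# Constructed indicator feed (hypothetical values, not real threat intelligence).
IOC_FEED = {
    "ip": {"198.51.100.23", "203.0.113.7"},
    "domain": {"updates-cdn.example", "login-verify.example"},
}

# Constructed outbound-connection log lines; the last line is deliberately malformed.
SAMPLE_LOG = """\
2019-03-13T09:01:02Z src=10.0.0.15 dst=93.184.216.34 dport=443 host=example.com
2019-03-13T09:01:09Z src=10.0.0.15 dst=198.51.100.23 dport=443 host=updates-cdn.example
2019-03-13T09:02:11Z src=10.0.0.22 dst=203.0.113.7 dport=8443 host=-
2019-03-13T09:02:15Z src=10.0.0.31 dst=192.0.2.10 dport=445 host=-
2019-03-13T09:02:16Z src=10.0.0.31 dst=192.0.2.11 dport=445 host=-
2019-03-13T09:02:17Z src=10.0.0.31 dst=192.0.2.12 dport=445 host=-
2019-03-13T09:02:18Z src=10.0.0.31 dst=192.0.2.13 dport=445 host=-
2019-03-13T09:02:19Z src=10.0.0.31 dst=192.0.2.14 dport=445 host=-
2019-03-13T09:02:20Z src=10.0.0.31 dst=192.0.2.15 dport=445 host=-
this line is garbage and should be skipped, not crash the parser
"""

# Assumed (hypothetical) log format: ts src= dst= dport= host=
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, never fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def match_iocs(events, feed):
    """Return one alert per event whose destination IP or host is in the feed."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["dst"] in feed["ip"]:
            reasons.append(f"dst ip {ev['dst']} in IOC feed")
        if ev["host"] in feed["domain"]:
            reasons.append(f"host {ev['host']} in IOC feed")
        if reasons:
            alerts.append({"type": "ioc", "ts": ev["ts"], "src": ev["src"], "reasons": reasons})
    return alerts


def detect_fanout(events, threshold=5):
    """Flag a source that reaches >= threshold distinct destinations on one port
    (a crude scan / lateral-movement heuristic; the threshold is an assumption)."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["src"], ev["dport"])].add(ev["dst"])
    return [
        {"type": "fanout", "src": src, "dport": dport, "distinct_dst": len(dsts)}
        for (src, dport), dsts in sorted(seen.items())
        if len(dsts) >= threshold
    ]


def analyze(text, feed=IOC_FEED, fanout_threshold=5):
    """Run both checks over a log text and return the alerts plus the event count."""
    events = parse_log(text)
    return {
        "events": len(events),
        "ioc": match_iocs(events, feed),
        "fanout": detect_fanout(events, fanout_threshold),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"parsed {result['events']} events")
    for alert in result["ioc"] + result["fanout"]:
        print(alert)
```

Running the script prints two indicator matches (one of them matching on both IP and domain) and one fan-out alert for the host sweeping port 445. The point of the exercise is the earlier section’s advice: the feed is only useful if you already know which sources and destinations belong to your business, and the fan-out threshold only makes sense once you know what normal traffic from a given device looks like.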
Make sure you’ve spent the necessary time and money on establishing a good foundation first.
Put Good Processes in Place
You should harden your systems. You should use firewalls and anti-malware software. That’s all table stakes – it’s basic stuff you’re probably doing already.
Ultimately, it’s not your hardware or application infrastructure that’s your weakest link. It’s your people. A good chunk of your cybersecurity budget should, therefore, go to staff education and awareness. You should have clear-cut policies and processes in place for handling everything from data access requests to a ransomware attack, and every employee should know what they are and where to find them.
Speak to a Cybersecurity Specialist
When in doubt, it’s almost always worthwhile to bring in a third-party specialist. They can help you locate weaknesses in your security posture, recommend point solutions that fit your specific use case and perform penetration tests on your existing security systems.
Remember That Cybersecurity is Not a “One and Done” Project
Finally, the most important thing to remember about your cybersecurity budget is that it is a living thing, not a fixed line item. Securing your business isn’t something you can ever really close the book on. You’re going to need to adapt how and where you spend your money as your business grows and the threat landscape evolves.
Otherwise, it doesn’t matter where you spend the money – you’ll eventually be spending it in all the wrong places.