Cybersecurity is an investment. This is a critical point for CIOs, CROs, CISOs, managers, and employers alike to understand when budgeting for cyber preparedness and implementing the right changes at the right time. It can be difficult to prioritize expenses in the fast-paced, ever-evolving world of corporate cybersecurity.
At a high level, the process for setting cybersecurity strategy has to start with a view of what the current state of risk looks like. Then we can assess what changes in control/risk posture would result from investments. Finally, we can derive what a future state may look like after an investment. An executive summary should be your primary aid in getting the budget. It may include the following:
· The vision of your business
· The opportunity for growth of the business
· The opportunity for something bad to happen (attack surface)
· High-level pictorial graphic of the risk landscape
· Estimated scope of deploying countermeasures
· Timeline & urgency to execute
· Your budgetary ask
Let’s take a closer look at some recommendations security leaders can follow to maximize their return on a security investment:
1. Assess Risks, Assets, and Resources
The CISO or CIO should fully evaluate the systems, applications, data, and critical business assets that could pose a significant risk to the organization. The evaluation needs to take place before the CISO sets foot in the C-suite room to make the case for security. The findings of the evaluation will introduce the security program’s goals and budget recommendations. The specific people, processes, and technology procured, and the needs they serve, will be distinctive to each business. The models provided by industry frameworks can help security leaders shape priorities and identify gaps or vulnerabilities in their business.
2. Identity and Access Management Strategy
The 2017 Verizon Data Breach Investigations Report found that 88% of hacking-related breaches leveraged stolen or weak passwords. It is important to approach security with IAM as a major subset, under a unified strategy that includes a single set of controlling policies that apply to all systems, a single user identity, and a single set of parameters that control access and management. We recommend taking basic steps to ensure all doors are locked: using multi-factor authentication, keeping systems patched and up to date, encrypting sensitive data, and securing privileged accounts. Implementing modern IAM tools helps minimize the attack surface and stops unauthorized access to critical systems. MFA can eliminate vulnerabilities from stolen or weak passwords across your critical infrastructure.
3. Hire and Train Good People
It stands to reason that one of the best investments in a security program is an effective staff. In such a tight market for employers seeking high-level personnel outside the organization, the organization may look internally and invest in training employees who otherwise might not have considered a security career, in order to save money. By training people who are already part of the organization and recruiting them to work in security, CISOs can offer opportunities for professional growth and build their security teams while taking advantage of the employees’ existing knowledge of the business.
4. Invest in Security Culture
An effective cybersecurity strategy must include a corporate culture in which every employee values and understands the importance of security. However, organizations continue to struggle with establishing a security culture, with the majority of incidents originating internally. These can be phishing emails, weak passwords, and sharing confidential or sensitive information outside of the organization. Building a security culture into the business means getting all employees, from the security team to the C-suite, to feel invested in the company’s security and risk posture.
There is no simple answer to the complex question of how best to distribute security budget dollars, and it will vary from business to business. But the key for the organization is to start by conducting a thorough maturity or risk assessment of the organization’s current security posture and culture, along with a very detailed evaluation of how implementing people, processes, or technologies can benefit business goals and enable the company’s vision. This gives the CISO a road map for how to spend and prioritize security investments.