The year 2020 has seen a lot of unexpected developments, to say the least. Together with the changes wrought by COVID-19, one of the challenges this year has been a notable increase in our security needs. Despite this, security budgets remain tighter than ever.
So, how do you reduce your security risk with tightened budgets? Here are some tips on how to bring together the distinct viewpoints of CISOs and the C-suite to get more out of your 2021 budget.
Adapting to the Sudden Changes of COVID-19
This year, we saw about two years of digital transformation happening in a two month period, as companies quickly shifted focus. Historically, we were looking at firewall-type defenses, with employees coming into the office or using VPNs.
Overnight, we were supporting everyone at home and balancing productivity with security, and it was the companies that adopted zero-trust architecture with split-tunnel VPNs that were most successful at getting employees to a place of productivity.
These shifts may have created a gap with the C-suite, which tends to look at things from a different perspective. The language used by the C-suite often centers around the technology roadmap – for example, implementation of Identity and Access Management (IAM), Endpoint Detection and Response (EDR), and Data Loss Prevention (DLP). Due to COVID-19, last year’s roadmaps are now obsolete – particularly since much of last year’s focus was connected to GDPR.
Understanding Spend from a Risk Perspective
The C-suite is asking for a way to understand risk that can be measured. More specifically, the C-suite wants to pin down risk much like an insurance company: by understanding loss events, and mitigating as much of the risk as possible through technology, process and training – then potentially purchasing an insurance policy for the residual risk.
To do this, CISOs must identify which loss events are most relevant and work to mitigate the associated risk. Adopting an approach that is scenario based is key: Organizations identity the risks associated with a top loss event, evaluate the possible approaches an attacker might use – and identify the prevention, detection, and response strategies most prudent to reach a level of “acceptable loss.”
This kind of scenario-based approach facilitates the business-oriented prioritization of investment in detection and response that the board needs. As CISOs, a scenario-based approach is invaluable because, at the end of the day, the C-suite may allocate more if they can see value in terms of risk reduction that can be accurately explained.
Approaching Cybersecurity as “Disaster Recovery”
Security operations are continuously becoming more complex. An increasing number of devices means the attack surface is expanding. Employees and third parties are working remotely, while applications are moving from the data center to public clouds. The number of sources like EDR or UEBA is increasing, and the number of alerts has been growing exponentially.
CISOs see the strain this puts on security teams, but are pressed by a talent shortage that inhibits team expansion. This conundrum compels organizations to work toward automating processes, reducing reliance on security analysts – particularly for repetitive, high-volume tasks.
In parallel, a need to align security operations to IT processes creates a push to adopt greater orchestration – and drive further efficiencies. These trends drive demand for next-generation managed security providers as they are better equipped to deploy and manage automation, orchestration, advanced analytics, proactive threat detection, and threat hunting solutions.
As part of these processes, security operations can develop automated use cases that leverage frameworks such as MITRE ATT@CK (Attacker Tactics, Techniques, and Common Knowledge) – which addresses security from a risk perspective (as outlined in this useful SANS MITRE report) and helps create a smarter Security Operations Center (SOC).
Making the CISO Budget Work
For CISOs, a primary concern involves ensuring the C-suite understands what gaps exist – and the risk they pose. Everything must be put into context.
CISOs need to speak the language of risk, loss events, and attack scenarios and to understand the organization’s risk appetite, i.e., aligning risk to corporate strategy. We can check alignment using the following questions:
- Do we want to be better than, at par, or less concerned about risk than our competition?
- Are we currently ahead of, at par, or behind our competition?
- What are the new security risks (loss events)? How should they impact us?
- Is cybersecurity important to our brand value proposition?
- For key loss events, what is considered “acceptable loss” – and what are our goals in 6, 12 and 18 months?
Align with Your Business Objectives
Question: When requesting a budget, are you aligning with the business goals of the company? CISOs can develop a more integrated ecosystem for cyber security by working closely with the C-suite and other business critical groups.
Discussions need to center around issues like: What’s your organization’s risk appetite? Where will investments have the biggest impact? How do you get more value from existing investments?
It’s essential that CISOs explain how the team is addressing gaps in the existing security ecosystem – and ensure everyone in the organization understands how each cybersecurity team member is connected to the organization’s goals and delivers on its value proposition.