Multiple studies have shown that the high cost of a cybercrime incident puts constraints on the cybersecurity budget. With a limited budget, what should be the top priorities for enterprise security after a cybercrime incident?
When a cybercrime incident occurs, the cybersecurity budget miraculously increases. Other dynamics follow as well, such as the possible termination of the CISO and perhaps the CIO, but these are reactionary in nature. The question is where the enterprise should allocate funds to mitigate the damage and prevent a recurrence, and which channels it needs to strengthen. Several studies, such as the Ponemon Institute's 2015 Cost of CyberCrime: United States study and Kaspersky Lab's Damage Control: The Cost of Security Breaches report, have suggested that the rise in costs caused by incidents requires a reevaluation of where to focus spending.
The Ponemon study provided an infographic stating that the solution to the cybersecurity budget issue is to focus spending on specific tasks that ward off attacks, including:
- Reducing the number of attacks by establishing security governance and deploying IPS/NGFWs;
- Resolving attacks more quickly by using a robust SIEM; and
- Minimizing damage by strengthening application and data security with encryption and other data protection.
There are three basic mantras in information security that will help determine where to focus cybersecurity spending: defense-in-depth, the principle of least privilege and an information security business risk approach.
Defense-in-depth: The best control is prevention as close to the point of entry as possible. It is foolish to believe you can leave the front door of your house less secure because you have stored your valuables in a tamper-proof safe hidden from sight; once the door is forced, the burglar is inside your home with all the time needed to find and work on the safe. You need the right level of security at different layers, and you should not rely on any one control. It is the same at your organization. The levels of control should also be commensurate with the value of the asset being protected.
Principle of least privilege: Access to critical assets should be granted on a need-to-know basis. This means access should be "deny all" by default, with role-based access control granting only what job responsibilities require, and each grant properly approved by management. Whitelisting, application functional security, change controls, segmentation and separation of duties all aid in this effort.
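The deny-by-default, role-based model described above, as an added worked example in Python; this is not code from the original article. The roles, permissions, users, the accounts-payable workflow and the network segment names are all hypothetical, chosen only to show how "deny all" by default, management approval of grants, separation of duties and segmentation fit together in one access check.

```python
"""Deny-by-default RBAC with separation-of-duties and segmentation checks.

Added example, not code from the original article. All role names,
permissions, users and the accounts-payable workflow are hypothetical.
"""
from dataclasses import dataclass, field

# Every permission a role may exercise is listed explicitly. Anything
# absent is denied: there is no default-allow path anywhere below.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "auditor":     {"invoice:read", "ledger:read"},
    "dba":         {"ledger:read", "ledger:backup"},
}

# Separation of duties: permission pairs one person must never hold
# together, e.g. creating an invoice and approving invoices.
SOD_CONFLICTS = [frozenset({"invoice:create", "invoice:approve"})]

# Segmentation: the only network segment each resource type is reachable
# from. A request arriving from any other segment is denied regardless of role.
RESOURCE_SEGMENT = {"invoice": "finance-app", "ledger": "finance-db"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Every grant and every access decision is recorded; this is what a SIEM
# would ingest to monitor the channel after an incident.
AUDIT_LOG = []


def effective_permissions(user):
    """Union of the permissions of the user's roles; unknown roles grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(perms):
    """Return the conflicting permission pairs present in a permission set."""
    return [pair for pair in SOD_CONFLICTS if pair <= perms]


def assign_role(user, role, approved_by):
    """Grant a role only if it exists, a named manager approved it, and the
    resulting permission set does not violate separation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    if not approved_by:
        raise PermissionError("role assignment requires a named approver")
    proposed = effective_permissions(User(user.name, user.roles | {role}))
    if sod_violations(proposed):
        raise PermissionError(
            f"{role!r} would violate separation of duties for {user.name}")
    user.roles.add(role)
    AUDIT_LOG.append(("role_granted", user.name, f"{role} approved_by={approved_by}"))


def authorize(user, permission, from_segment):
    """Deny-by-default check: allow only when the permission is granted
    through a role AND the request originates from the resource's segment."""
    resource = permission.split(":", 1)[0]
    allowed = (
        permission in effective_permissions(user)
        and RESOURCE_SEGMENT.get(resource) == from_segment
    )
    AUDIT_LOG.append(("allow" if allowed else "deny", user.name,
                      f"{permission} from {from_segment}"))
    return allowed


if __name__ == "__main__":
    alice = User("alice")
    assign_role(alice, "ap_clerk", approved_by="carol")          # approved grant
    print(authorize(alice, "invoice:create", "finance-app"))     # True
    print(authorize(alice, "invoice:approve", "finance-app"))    # False: not granted
    print(authorize(alice, "invoice:create", "corp-lan"))        # False: wrong segment
    try:
        assign_role(alice, "ap_approver", approved_by="carol")   # SoD conflict
    except PermissionError as exc:
        print("refused:", exc)
    for event in AUDIT_LOG:
        print(event)
```

The point of the structure is that `authorize` has a single way to return True and many ways to return False: a typo in a permission name, a role nobody defined, or a request from the wrong segment all fall through to a denial, and the denial is logged just like an allow, which is the record you will want when working out how the next incident happened.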
Information security business risk approach: Protection should be aligned with business risks. This is driven by an information security risk assessment and alignment with strategic business objectives. For example, some enterprises, such as service providers that process credit card payments on behalf of merchants, have no external Web presence; others have no retail stores and only a Web presence. The security budget should fund protection according to the organization's business model.
Learn from the security incident or breach: find out how it happened, how you can prevent it from happening again, and how you can monitor for the subversion of that channel and others. Establish a strong and tested incident response plan aligned with your risk assessment results. There is no such thing as absolute security, but if you spend your cybersecurity budget on what matters, you can greatly reduce overall enterprise risk when security incidents occur.