How to Prioritize Your 2021 Cyber Security Budget – 5 Tips for CISOs

Our security needs have grown this year – yet, security budgets in the current economic climate are tighter than ever. 

According to a recent mid-year survey by Cyber Security Hub, 67.37% of cyber security budgets stayed the same or slimmed down in the last six months; and only 38.42% of CISOs interviewed expect their budgets to increase in the next six months. This is the reality despite the fact that, along with the rapid, worldwide spread of COVID-19, the number of cyber attacks has gone up.

So, how do you reduce your security risk in turbulent times with such limited spend? Without the budget, tough choices need to be taken. Here’s a quick look at the specific perspectives and interests of CISOs on the one hand and of the C-suite on the other hand – and some insight on how to bring these differing viewpoints together to get the most out of your budget for 2021.

1. Adapting to the Sudden Changes of COVID-19

The C-suite looks at things from a different perspective. The language is the language of risk – and cyber security is a top 3 risk category. Regulatory compliance, for example, is simply one of the risks – and many of these risks have changed suddenly as a result of COVID-19. 

The current language centers around the projects and the technology roadmap – for example, the implementation of Identity and Access Management (IAM), Endpoint Detection and Response (EDR) or Data Loss Prevention (DLP). This is happening too slowly, and last year’s roadmaps are likely obsolete. 

As companies have accelerated their digital strategies – and employees and third parties are working remotely – the risks have changed, particularly as much of the focus last year was based on privacy (e.g., GDPR). 

2. Understanding Your Spend from a Risk Perspective

Stated differently, perhaps, the C-suite must focus on making sure security investments directly reduce business risk in a way that can be measured and explained. 

Looking at risk like an insurance company means understanding the loss events, and mitigating as much of this risk through technology, process and training – then potentially purchasing an insurance policy for the residual risk. 

The C-suite will allocate more budget – if they can see the value in terms of risk. This is an important point because, while many see the Managed Security Service Provider (MSSP) market becoming increasingly commoditized, price is not necessarily the determining factor.

Cyber Security Budget

What’s key is to use a scenario-based approach to identify the risks associated with a top loss event. This approach evaluates the various approaches an attacker might use to achieve the loss event and identifies the prevention, detection and response strategies most prudent to achieve “acceptable loss.” 

Based on this information, we facilitate a business-oriented prioritization of each customer’s investment in detection & response. 

3. Assessing your Security Portfolio from a Risk Perspective

In the past three years, most CISOs have tried to capitalize on the many security innovations in a fast-changing market. Our experience is that many are now trying to understand the effectiveness of this portfolio – and reprioritize spend based on today’s business risks.

A company’s security portfolio is often a multi-layer “cake” of technical solutions in various states of adoption. The technology landscape is so dynamic, that this is changing in a matter of months. It is just as important to clearly explain if the existing spend is performing – as it is to propose new spend.

Our findings show that often 20–30% of technology spend may be removed with little impact on the risk surface. Organizations that adopt a scenario-based approach can assess the cost-benefits of the current technology investments – and make recommendations to optimize their security operations in accordance with these assessments.

4. It’s Not “If” but “When” – Cyber Security Looks More Like Disaster Recovery

As the attack surface expands due to the number and type of devices, and as employees and third parties work from home – and applications move from the data center to public clouds – security operations become more important and more complex. At the same time, the number of sources like Endpoint Detection and Response (EDR) and User and Entity Behavior Analytics (UEBA) is increasing, generating more alerts and exponentially more work. 

Many CISOs are losing sleep over the growing talent shortage and are therefore seeking to increase and improve security automation in order to reduce reliance on human security analysts for repetitive, high volume tasks. 

Others are interested in aligning security operations with IT processes via orchestration to drive down the response time. 

This is leading the trend toward handling the constant increase in cyber security threats through security orchestration, automation, advanced analytics and proactive threat detection and threat hunting. The key here, however, is not the technology but the security operations process or security "use cases" - including digital playbooks - and how well these are performing.

To explain the value of this approach means looking at a new set of metrics to help understand the value of security operations from a risk perspective. MITRE’s Attacker Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a powerful tool for improving cyber defense by creating a smarter security operations center (SOC).