“Money should be no object when it comes to cybersecurity” is a phrase often uttered by people who generally know very little about money and even less about cybersecurity.
Actually, money does matter. It matters a lot. If money didn't matter, even the most modest enterprise could hire a team of experts to work around the clock to build, operate, and maintain a military-grade cybersecurity infrastructure.
The truth is that cybersecurity, like any other business operation, has to follow a budget.
Budget Optimization
Security budgeting can be challenging since the vulnerability landscape changes daily. “We, as a cyber practice, do not believe there is a single magic software or platform,” says Rahul Mahna, managing director, managed security services, at risk and regulatory compliance advisory firm EisnerAmper Digital. He suggested creating a budget that adheres to three distinct visions: past incident reflections (to prevent repeating previous mistakes); current security needs; and future plans.
All cyber events and impacts aren't equal, nor are organizations equally able to defend against and recover from them. “We advise leaders to optimize cybersecurity spend by first working to quantify the risk unique to their organizations in specific dollar terms,” says Andrew Morrison, US cyber risk services strategy, defense, and response solutions leader at business advisory firm Deloitte. Cyber risk quantification allows leaders to calculate expected losses from a cyber event in dollar terms. “Through bespoke modeling and scenario simulation, it's possible to determine fairly accurate estimates of financial loss that could result from a cyber event -- and to help determine how cyber spend should be allocated and prioritized to more impactfully address those specific risks.”
Avoiding Pitfalls
Many organizations start building their cybersecurity budget under the faulty assumption that they will probably never be attacked. They then believe they can safely minimize their cybersecurity investment. “I can think of thousands of companies that felt the same way,” says Alan Brill, senior managing director of the cyber risk practice at governance and risk advisory firm Kroll. Most eventually learned -- the hard way -- that attacks can hit any enterprise at any time.
Read the rest of this article on InformationWeek.