As the year comes to an end, it is time to start preparing budgets. Fighting for a departmental budget is never easy, and when the case is for the company's cyber security it feels all the more vital, because it is hard to convince management of the benefits of something as intangible as security.
There are various approaches to finding the right fit for a company, and the choice usually depends on factors such as:
- The value of data and information being protected
- The scale of security
- The IT budgets
Some approaches to consider
- One approach is to reserve 10% of the IT budget for cybersecurity. This guarantees that a fixed share of IT spend goes to security. The 10% can be further divided as follows:
- Cyber security awareness – 1%
- Security Policy creation – 1.5%
- Perimeter Solutions – 3% (includes DLP systems, firewalls, EWS etc.)
- Trying out latest/new technologies- 1.5%
- Network awareness – 2%
- Specialized training for security team – 1%
- Another approach is to use the Gordon-Loeb model to quantify the budget. The model was developed by researchers at the University of Maryland. Using the model:
- Estimate the value of the information you're trying to protect (e.g. your company's sensitive data).
- Estimate the probability that each information set will be breached. Assign each information set a vulnerability score based on its probability of being attacked.
- Prioritize the information sets by laying them out on a grid ranging from low value/low vulnerability to high value/high vulnerability. For each cell in the grid, calculate the potential (expected) loss by multiplying the information set's value by its probability of a breach.
- With a completed grid laying out the expected loss for each information set, you can identify which ones are most crucial to spend your money on.
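The four steps above, carried through in code as an added example (this is illustrative code written for this page, not a tool from the Gordon-Loeb researchers). The information sets, their values and breach probabilities, and the thresholds that split the grid into low/high value and low/high vulnerability are all constructed assumptions. One element not stated above but taken from the published Gordon-Loeb paper is its central result: the optimal amount to invest in protecting an information set should never exceed 1/e (about 37%) of that set's expected loss, so the example uses that fraction as a per-set spending cap when it walks down the priority list.

```python
import math

# Constructed inventory for illustration: information set -> (value, annual breach probability).
# These figures are assumptions, not data from any real organisation.
INFORMATION_SETS = {
    "customer PII": (2_000_000, 0.30),
    "source code": (1_200_000, 0.15),
    "marketing collateral": (50_000, 0.60),
    "financial records": (3_000_000, 0.05),
}

# Gordon-Loeb result: optimal spend on an information set never exceeds 1/e of its expected loss.
GORDON_LOEB_FRACTION = 1 / math.e  # ~0.368

# Assumed grid thresholds separating "low" from "high" value and vulnerability.
VALUE_THRESHOLD = 1_000_000
VULNERABILITY_THRESHOLD = 0.20


def expected_loss(value, probability):
    """Potential loss for one grid cell: value of the information set times its breach probability."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("breach probability must be between 0 and 1")
    return value * probability


def grid_cell(value, probability):
    """Place an information set in the 2x2 value/vulnerability grid."""
    value_label = "high value" if value >= VALUE_THRESHOLD else "low value"
    vuln_label = "high vulnerability" if probability >= VULNERABILITY_THRESHOLD else "low vulnerability"
    return f"{value_label}/{vuln_label}"


def prioritize(sets):
    """Rank information sets by expected loss, highest first, and attach the Gordon-Loeb cap."""
    ranked = []
    for name, (value, probability) in sets.items():
        loss = expected_loss(value, probability)
        ranked.append({
            "name": name,
            "cell": grid_cell(value, probability),
            "expected_loss": loss,
            "max_investment": loss * GORDON_LOEB_FRACTION,
        })
    ranked.sort(key=lambda row: row["expected_loss"], reverse=True)
    return ranked


def allocate(sets, budget):
    """Spend the budget down the priority list, never exceeding each set's Gordon-Loeb cap.
    Returns {name: amount}; whatever is left once every cap is met stays unspent."""
    allocation = {}
    remaining = float(budget)
    for row in prioritize(sets):
        amount = min(row["max_investment"], remaining)
        allocation[row["name"]] = round(amount, 2)
        remaining = max(0.0, remaining - amount)
    return allocation


if __name__ == "__main__":
    for row in prioritize(INFORMATION_SETS):
        print(f"{row['name']:<22} {row['cell']:<34} "
              f"expected loss {row['expected_loss']:>10,.0f}  cap {row['max_investment']:>10,.0f}")
    print(allocate(INFORMATION_SETS, budget=300_000))
```

Note what the cap does in practice: the marketing collateral sits in the high-vulnerability column of the grid, but its low value gives it the smallest expected loss, so with a 300,000 budget it receives nothing, while the customer PII set (high value, high vulnerability) is funded to its cap first. Treat the probabilities as the weakest input; if you cannot estimate them, a ranking by value alone is still more defensible than a flat percentage.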
Budget Best Practices
Having too many security products in place and poorly managed security staff can spell disaster for your company's IT protection in 2018. As you move forward with budget considerations, here are a few more insights to keep in mind:
- Avoid partnering with multiple security vendors for the same service: running several overlapping technologies for the same job wastes budget and adds operational burden. Select the product that best suits the company's needs and budget.
- Audit current security solutions: Before consolidating, ripping out or replacing anything, you must have a full picture of the security solutions already in use and the capabilities they provide. Once you understand their effectiveness, consolidate wherever possible.
- Dig deeper: Overall, the best approach to IT security in 2018 is to identify one or a small number of security firms to partner with. You can then leverage these partnerships to dig deeper into emerging threats and build the most cohesive protection stance possible.