The potential threat of cybercrime is rising fast. According to a study conducted by Bromium during the final quarter of 2018, the UK was stung by 140% more cyber-attacks than the previous year. This spike in malicious activity also caused nearly 40% of SMEs in the UK to experience at least one cyber security incident.
These are pretty alarming statistics. So it’s unsurprising organisations across the country are ramping up investment in their security protocols. However, many are still put off by the perceived costs, or by the bewildering range of tools and services available. Simply throwing more money at the problem isn’t enough to address security concerns. Increased budgets need to be spent in a wise and strategic way to get optimal improvement.
To get to grips with managing cyber security budgets, we spoke to James Packer, Head of Cyber Security at Education First. James is also President of the (ISC)2 London Chapter, a regional chapter of the global Information Security Consortium, whose mission is to bring security professionals together to share knowledge and drive innovation in the field.
Security on a shoestring?
Managing a budget is of little significance if there’s hardly any money to begin with. And underfunding is commonly cited as a perennial problem by security teams. But as James explains, the severity of the problem varies considerably depending on who you ask.
“I have observed fairly consistently that the cyber security capabilities within many organisations lack the funding they seek to best enable them to do their job; and in some cases, severely so, if not entirely unfunded. However, assessing whether a cyber security capability is underfunded is really a matter of perspective. In fact, there is rarely any form of agreement until you reach the board level. Ultimately, what drives the investment in a security capability is the risk appetite of the budget controllers,” he said.
Given what’s at stake, a reluctance to increase investment in security may seem illogical. But often, hesitance arises due to reckless spending in the past. If there’s no way of demonstrating how previous investments in security have paid off, board members certainly won’t be in a rush to loosen the purse strings again.
“At times, being reserved with a cyber security budget is justified. It’s not uncommon for large cyber security budgets to be consumed in full or even overspent with very little perceived improvement to the overall security posture. Transparency is key. With that said, an organisation that does not invest at all in cyber security is exposing itself to very real risks. And unless they operate solely on paper, it’s just a matter of when, not if, they’ll be attacked,” said James.
Making the case for greater funding
Despite all the headlines about data breaches, growth-oriented executives still tend to prioritise other expenses over security. So the problem isn’t necessarily that the money isn’t there, it’s that security usually loses when it competes for resources with other operational priorities. “The view that security doesn’t contribute to the bottom line is unfortunately common, but also woefully outdated,” said James.
The challenge then is for security leaders to convince the board that cyber security is as important as other priorities and is necessary to protect current revenues, something which security professionals haven’t been great at historically. James explained that traditional approaches to security, although well-meaning, were usually counterproductive when it came to getting buy-in from the board.
They tended to be defined by rules, setting out long lists of things an organisation cannot do. This would then progress to a stern telling off when the organisation did step out of line. “Security professionals had to learn the shortcomings of this approach the hard way — often by being blocked from delivering, ignored, or by getting frustrated with repeated ‘no’s,” said James.
Due to this, modern approaches are quite different. There is a much greater focus on demonstrating the added value good security practices can bring. So how exactly is this being done?
“Modern security teams are moving to position themselves as core pillars of the organisation; just as fundamental and essential as finance, HR or IT. Security teams are turning to outlining, in relevant business terms, the results of not taking action. And conversely, what an organisation may instead be able to do if these risks were treated,” said James.
A few good examples of this are:
- Law & regulation — outlining the size of the fine an organisation may be subject to if the organisation did not comply, and where that money may be better spent.
- Real-life/technical scenarios — demonstrating how much staff time (and therefore budget) was wasted dealing with phishing emails over the course of a year contrasted with how much budget would be required to deal with the root cause of the phishing.
According to James, the most successful pitches to secure investment are those centred on positivity. Fear-mongering should be avoided. The focus should be on what the business is set to gain by investing in security.
Getting the most out of your security budget
One of the most common misconceptions about security is that it’s expensive. Really expensive. However, while this is generally true for very large organisations, not all investments in security need to include several zeros.
“I’ve actually seen numerous times that this misconception blocks any investment altogether. It’s viewed that ‘we can’t afford it’ or ‘what we can afford will not be enough’; and that simply is not the case,” he said.
So how did this perception become so pervasive? It’s because costs vary widely depending on what you are trying to achieve. For example, there’s no getting around the fact that a big part of reducing technical risk is dependent on security tooling.
“To really cut down technical risk, you need good tooling, that usually also has to be heavily customised. Furthermore, with elastic and cloud computing rife in modern day business, the volumes and variety of data sources increases the resource requirements for tooling to cover all of these assets,” said James.
But security involves much more than tools alone. There are many other viable options to reduce risk. One of the other major areas for security investment is in people.
“This can be in a number of ways; from increased security personnel headcount, to training for existing staff (general awareness training or specific security training) to external consultation fees. However a common view is that, from the perspective of investment efficiency, tooling is a more cost vs coverage effective investment, and to a degree that is true. But investing in people can be achieved at a lower cost and be just as effective.
“The key to savvy security investment is prioritisation; quantitatively driven, risk assessment focused decisions on the priorities of the business and biggest areas of weakness. I’ve observed organisations move from zero security investment to investments in the tens of thousands; which has led to an immediate improvement in assurance and confidence because it was focused on the key issues that really kept staff up at night,” said James.
Factoring insurance into your budget
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organisation mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event.
Given growing concerns over security, it’s hardly surprising this market is growing rapidly. In 2017, 31% of UK companies did not have cyber security insurance. By 2018, that figure dropped to 10%.
“The risk exposure involved in not having it in place is simply astounding in some cases. Take, for example, the Equifax breach in 2017. Equifax estimate the costs of their security breach to date is $1.352 Billion, including a $690 Million accrual against future litigation costs. They did have cyber insurance, however only to the value of (a rather measly in this case) $125 Million,” said James.
Obviously this is a pretty extreme example, but it does bring into sharp focus how organisations should think about incorporating insurance to help manage security risks.
“I’m not by any means saying that all businesses should rush out and buy billion dollar cyber security insurance policies, but not having one at all is a risk I feel most responsible business owners should not take.
“In time of course, the ideal scenario would be that businesses invest in their cyber defences proactively, reducing the potential for that insurance policy to be called upon. They’ll then benefit from reduced premiums as a result of a no-claims-discount,” said James.
How to respond to budget constraints
Having a security budget large enough to cover all bases is a rare luxury. Despite solid pitches for additional funding, sometimes security will still fail to make it onto the priority list. For most security teams, the goal is to get the most out of available resources, even if they fall far short of optimum levels. Given this, we asked James for key pieces of advice he’d give to security teams in those situations.
“First, you must understand the business you are trying to secure. Without aligning to the mission critical objectives, your requests for funding will always be seen as money disappearing into a black hole. Focus on how you can enable the business to succeed with those mission critical objectives, securely.
“Secondly, when you lack funding, in my experience, one of the biggest gaps that most cyber security capabilities perceive are those “holes” that tooling would cover. Whilst this is frustrating, this represents an opportunity to highlight the technical risk of this, but in business terms. Flag the risk, plainly, simply, objectively. Make sure the right people are aware of and understand those risks. If they choose to accept the risks once informed, it may enable you to get a form of closure and move on to something you can influence.
“I’ve seen countless professionals burn out due to the stress of a less-than-perfect (and less-than-secure) information system. Do yourself a favour, pass that stress on to someone with the power and funding to do something about it!” said James.