Cyber Spend: How To Protect Yourself Without Breaking The Bank

Digital technology tools have been a boon for business, making operations leaner, more efficient and customer-focused. But the big downside is the growing cost of protecting the organization from their inherent security flaws.

KPMG, for instance, has identified client data as its highest cybersecurity priority. “Since we are constantly embracing new technologies on behalf of our clients, we make sure to budget the capital to build cybersecurity into these solutions from the start and throughout their development,” Shields says.

The Where and How

The next question a CEO should ask IT is where the high priority data is stored—on premises, in the public cloud or somewhere in between. In today’s fast-evolving digital and data landscape, answers are not easy to come by. “While many companies may know which data they need to protect, very few can tell you with a high degree of confidence where this data resides,” says Ali. “Obviously, that is not an acceptable answer; CEOs must insist on a comprehensive accounting.”

Assuming this information is forthcoming, the organization is positioned now to assess potential risks. A good start is to study how other businesses have been breached. “We look for common patterns in these breaches, such as the lack of software patching,” says James Shira, global chief information technology officer at professional services firm PwC. “We then perform an assessment of our ability to defend against these patterns, which helps illuminate the specific exposures.… By drawing these parallels, we can better prioritize our capital resources.”

Max Solonski, chief security officer at publicly traded BlackLine, a provider of financial and accounting automation software, conducts formal risk assessments guided by the ISO 27001 framework, one of the most respected information security standards worldwide.

“Drawing from different sources, we review a variety of threats, such as current trends in cyberattacks and common exploitation methods,” Solonski says. “Then, we prioritize identified risks as applicable to our environment and allocate capital to establish controls that mitigate or minimize those risks.”

To assist the risk assessment process, Penn National CIO Britta Schatz leverages the insurer’s competence in measuring client loss exposures to calculate and score its known cyber risks. “We’ve defined and documented 75 specific cyber vulnerabilities, which we track and measure on an annual basis to assess changes in their likelihood of occurring and potential impact,” Schatz says. “We also add any new risks that are identified to our risk register throughout the year and then re-rate all risks annually.”

This process helps guide Schatz to determine the optimal composition of her security budget. “If the annual assessment indicates we’ve made adequate improvements in hardening the firewalls and anti-virus/anti-malware software, we may lower the expenditures in these areas and allocate the capital to something else, like training or the hiring of additional staff,” she explains.
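The annual re-rating Schatz describes, with likelihood and impact scored per risk and the results used to shift spend between control areas, can be modelled in a few dozen lines. The script below is an added illustration, not the article's or Penn National's own method: the 1-to-5 ordinal scales, the risk identifiers, the control areas and the 30% improvement threshold are all assumptions constructed for the example.

```python
"""Year-over-year re-rating of a cyber risk register (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Ordinal scales; the 1-5 values are an assumed convention, not the article's.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class RiskRating:
    """One register entry as rated in a given year."""
    risk_id: str
    control_area: str   # budget line the mitigating controls belong to
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        # Plain likelihood x impact product; any monotone scoring behaves the same way.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def area_totals(ratings):
    """Sum risk scores per control area so spend can be compared against exposure."""
    totals = defaultdict(int)
    for r in ratings:
        totals[r.control_area] += r.score
    return dict(totals)


def compare_years(prior, current):
    """Map risk_id -> (prior score, or None for a risk added this year; current score)."""
    prior_scores = {r.risk_id: r.score for r in prior}
    return {r.risk_id: (prior_scores.get(r.risk_id), r.score) for r in current}


def reallocation_candidates(prior, current, threshold=0.3):
    """Return (areas whose exposure fell by at least `threshold`, ids of risks new this year).

    Areas in the first list are where spend may be trimmed. New risks are reported
    separately: they have no history, so their area is never a trim candidate on
    the strength of a single year.
    """
    before, after = area_totals(prior), area_totals(current)
    trim = [
        area for area, old in sorted(before.items())
        if old > 0 and (old - after.get(area, 0)) / old >= threshold
    ]
    known = {r.risk_id for r in prior}
    new_risks = sorted(r.risk_id for r in current if r.risk_id not in known)
    return trim, new_risks


def priority_areas(current):
    """Control areas ranked by remaining exposure: candidates to receive freed capital."""
    return sorted(area_totals(current).items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample register: ids, areas and ratings are illustrative only.
PRIOR_YEAR = [
    RiskRating("R-001", "firewall", "likely", "major"),        # 16
    RiskRating("R-002", "firewall", "possible", "moderate"),   # 9
    RiskRating("R-003", "endpoint", "likely", "major"),        # 16
    RiskRating("R-004", "training", "possible", "major"),      # 12
]
CURRENT_YEAR = [
    RiskRating("R-001", "firewall", "unlikely", "major"),      # 8  (controls hardened)
    RiskRating("R-002", "firewall", "possible", "minor"),      # 6
    RiskRating("R-003", "endpoint", "possible", "major"),      # 12
    RiskRating("R-004", "training", "possible", "major"),      # 12 (unchanged)
    RiskRating("R-005", "data engineering", "likely", "major"),  # 16, added mid-year
]

if __name__ == "__main__":
    trim, new_risks = reallocation_candidates(PRIOR_YEAR, CURRENT_YEAR)
    print("exposure by area:", area_totals(CURRENT_YEAR))
    print("areas where spend could be trimmed:", trim)
    print("new risks needing a first-year control budget:", new_risks)
    print("where freed capital should go first:", priority_areas(CURRENT_YEAR)[:2])
```

With the sample data the firewall line drops from 25 to 14 points, clearing the threshold, while endpoint improves only 25% and training not at all, so only firewall is flagged for trimming; the newly registered data-engineering risk carries the highest remaining exposure and heads the list for the freed capital. The point of separating new risks from the trim calculation is that a register which only compares like with like would silently ignore a risk that appeared after last year's baseline.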

All the interviewees’ security budgets have increased in the past year, in line with survey findings. “Our budget is rising every year, with an increasing proportion of it spent on people,” says Shields. “We’re looking to recruit top security talent, which is in short supply and expensive. We’re also spending more capital on training our junior security professionals, enhancing their skill sets. Anyone who joins our team must have their CISSP (certified information systems security professional) within six months, which we consider to be baseline training.”

Solonski puts a designated portion of his security spend toward education, with the capital funding different types of training based on the annual risk assessment. “One year you might provide training to salespeople on their infosec responsibilities, but the next year you might decide that more of the budget should go toward training data engineers on new security roles and concepts,” he explains.

Like the other security specialists, Solonski believes qualified people are equally if not more important than sophisticated tooling. “Since it is not possible to completely eliminate all risks, breaches will occur,” he says. “A sound, tested incident response plan will help minimize the damage, but it requires effective controls to detect the incident and highly skilled people to contain it as soon as possible.”

Time is of the essence. “If you detect within 10 minutes that someone has broken into the network, not much data will be stolen,” he says. “What you don’t want is to detect someone downloading data four months after the break-in. Tools provide visibility, efficiency and convenience, but you need people who understand your specific environment to make intelligent decisions, especially when responding to an incident.”

Small Businesses, Big Risks

While larger enterprises have more capital to address growing cyber exposures, midsize and smaller businesses must be more careful and considerate when putting together their security budgets. Shields’s advice is to focus on the fundamentals. “There’s no point having all the shiny tools like the latest intrusion detection software if you don’t have a solid foundation,” she says. “There’s much to be gained by effectively managing the configurations of the servers and firewalls and having good identity access management practices—providing access to data based on specific work responsibilities.”

To improve Prime Equipment’s risk preparedness, Gasbarro is considering the value of a cybersecurity consultant. “Our IT team has so much on its plate right now, incorporating new technologies to enhance our equipment value proposition,” he explains. “I’m open to any and all advice. What I’ve seen these last few months has made me realize we’re just as vulnerable as anyone else.”
