Four pragmatic approaches to prioritize your cybersecurity investments
Developing and prioritizing investment needs is not an easy task for most Chief Information Security Officers (CISOs). Most of them face strong budgeting constraints and need to justify every penny they request extensively. Some will only get significant spending approved after their organization experienced a significant breach. This article aims to provide a list of selected, pragmatic approaches that can help identify and prioritize the needed investments that will continuously improve an organization's cybersecurity posture.
Risk-based approach
Risk is a function of the likelihood of a threat actor exploiting a vulnerability in an asset, and the impact an organization will face shall the risk materialize itself.
This approach is a very well-known and widely described methodology. There are some variances to the approach but on a high level. It deals with identifying cybersecurity risks to an organization, estimating their annual rate of occurrence (likelihood), and the annualized loss (impact) the organization may face if a risk materializes. The risk with the highest annualized loss expectancy should be the highest priority to be addressed. Once risks are identified and scored, all the CISO needs to do is identify the most effective security controls that will mitigate them while having a significantly lower annualized cost than the risk’s annualized loss expectancy.
It sounds easy, but in practice, it is not. Good quantitative risk assessment requires an ongoing operational effort that will allow to monitor continuously:
- Assets in an organization and their value;
- Vulnerabilities affecting those assets;
- Threat actors that have the opportunity and intent to attack.
In my opinion, risk management is the best strategic approach to the continuous improvement of an organization’s cybersecurity posture. However, it’s still not that common, to say the least.
Let me share three complementary approaches that can be within reach, used in a shorter term, and support the decision-making process to avoid guess based or rushed investments.
Compliance-based approach
There are many standards and best practices that provide ready to use checklists to be used to identify missing measures.
There’s plenty of free resources among which the National Institute of Standards & Technologies (NIST) is worth mentioning. In their special publications, you’ll find almost everything needed to build a complete and robust cybersecurity strategy, policies, processes and procedures.
Risk management is the best strategic approach to the continuous improvement of an organization’s cybersecurity posture
“Experience”-based approach
Each Security Operation Center (SOC) or incident response team gathers valuable insights about specifics of a protected organization's security posture. It’s essential that for each security incident, this team communicates the following conclusions from their analysis:
- List of lessons learned and recommendations;
- Root cause of the incident;
- What/who finally detected the incident and how.
The above outputs give a direct hint about where the shortcomings are and what should be addressed with a priority. For example, if the most common infection vector were malicious Office documents during the last several months, then it’s a clear indication that mail filtering is to be improved first. Suppose, on the other hand, the security team seats idle in a large organization, and they don’t provide the CISO with such inputs. In that case, it most likely means there is something seriously wrong with detection and response capabilities. So again, an area for improvement was identified.
Prevent - Detect - Respond approach
This approach is a simplified version of the NIST Cybersecurity Framework, and it’s about matching security controls to these three areas:
- Prevent intrusion attempts
- Detect what was not prevented
- Respond to what was detected
This can be started by creating a simple table with these three functionalities as columns and putting existing controls in them. In many cases, solutions will overlap, and it is desired to have multiple means to cover the same area (defense in depth). The goal here is to avoid blind spots, and if such are identified, the next investment should likely be addressing those.
The example below shows a gap in Response capabilities while keeping a good balance between network and endpoint perimeter coverage.
Final word
It’s likely that most organizations out there are using elements from all of the above methods, and undoubtedly many more exist. And though they are all different, they do have an important element in common. This element is people. It would help if you had the staff be it your own employees or a service provider who has the needed expertise. If you do things just once for the sake of putting a mark in some checkbox and you leave them be, then you’re going to end up giving your executives a false feeling of security, not to mention wasting the money. Cybersecurity isn’t exactly a deploy and forget kind of a business.