Making a Big Impact with a Small Security Budget

An excessive security budget isn’t the only way to build strong security

Enterprises invest a lot of money into cybersecurity, yet still they get breached. We need look no further than Yahoo! to see the hard, cold truth that if attackers are persistent enough, they will somehow gain access to the network eventually.

Vulnerabilities run across all sectors and sizes, leaving no one impervious to attack. So, whether you’re a Fortune 500 with a multimillion-dollar budget or a startup with nothing but a goose egg to invest in cybersecurity, your company will never be completely defended.

Does having a shoestring security budget put the small guys at a disadvantage? Not necessarily. Organizations operating with limited financial or staffing resources can still manage their risk by understanding which strategies will best enable them to stay secure in an ever-changing threat landscape.

What Constitutes Enough?

One school of thought is that companies can calculate how much they need to allocate to their security budget through a percentage, said Wendy Nather, director of the advisory CISO’s team at Duo Security. “If the IT budget is a certain percentage of revenues, the security budget should be a percentage of IT.” In other words, if the IT budget is $200,000, 10 percent of that won’t buy you much security.

But what if 10 percent is all you have? Let’s use the example of a startup. The entire company is only two people operating out of a garage. They can’t even afford an electronic garage door opener, much less build out a security operations center (SOC) and hire a full-time CISO.

Then there are smaller merchants that provide a service, such as yoga studios or other mom-and-pop shops that collect and store user information through a third-party provider. Maybe they even accept credit card payments online, which means they have to be PCI DSS compliant. An outside provider can bring them into compliance and keep them there for a meager $100 per year, and that might be all they need in their security budget.

What Should I Buy?

When it comes to making the decision on what to buy, the short—and often unhelpful—answer is, “It depends.” While that response feels like a cop out, the reality is that every business is different. Those distinctions create different risks, which in turn require different technologies to mitigate those risks.

Ask a hundred analysts and you’ll get many different answers depending on where those people are working. “The range is often somewhere between 10 to 31 different technologies,” Nather said. The good news, though, is that the average list addresses security needs such as PCI, which Nather said is a decent prescriptive list of what you should have as a bare minimum for an organization because it includes firewalls, encryption, logging and SIEM.

Operating on a limited budget is a reality regardless of the size of the organization or the total dollars allocated in the budget. Instead of thinking of the security budget in terms of total dollars, start to think about what security solutions are right for your business. There needs to be a cultural shift so that companies first think about whether a product is actually something they need to invest in.

In all likelihood, startups and smaller organizations don’t have the security expertise to do this themselves. Depending on the security technology you do need, administering and monitoring can demand a lot of people. That’s expensive. For SMBs, it often makes more sense to outsource. “The more providers you use, the more IT you use, the more you will need somebody to keep an eye on it,” said Nather.

Where to Start?

“At the very least,” said Nather, “you can start focusing on getting the most security out of what you are using.”

That means looking at what you can do to ensure the security of your day-to-day equipment, such as laptops and phones, and of the SaaS software you use for business communication, such as Gmail. Chromebooks are easy to secure because they don’t store anything locally and have minimal software installed.

A lot of vendors offer free versions of their software to companies of a certain size. Those on a tighter budget can get started that way, even if they don’t have the money to invest in a lot of other products or services.

Regulatory requirements are also a good starting point, but it might be a better strategy to rely more on external expertise, whether that’s consultants or peers. “Organizations find value in connecting in a lot of different ways. Then they can fill in the gaps by vertical-specific intelligence sharing,” Nather said.

Additionally, classes and online organizations are great places to meet peers, as are local security meetups and conferences such as the grassroots BSides network. Lots of different ISACs are springing up and are great places to exchange ideas and expertise within a region or industry vertical.

One of the biggest challenges facing all organizations is the growing shortage of expertise, which is why security across the industry needs to be less technical and more user-friendly. “Make it so that you do not need security people to be able to secure yourself,” said Nather. “Organizations are running their businesses. They should not have to have degrees in cybersecurity to choose providers.”

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
