Building an effective and resilient organization on a budget isn’t a small task. When it comes to cybersecurity budgets, there are many different aspects that need to be considered. Thankfully, alignment with industry best practice and recognized security frameworks adds a small amount of clarity to this challenge.

When presenting the webcast “It’s all about the price tag, baby!” during BrightTalk’s Economics of Cyber Security 2018 summit, I discussed the cost breakdown of an incident by touching on things such as conducting public relations, hiring a call centre, retaining legal counsel, bringing in third parties to assist with investigations, and more. Quite a few of these costs are not expected or planned for by the organization. Due to a lack of business resilience, an incident can affect not only the financial side of the business but also its reputation. The court of public opinion, for example, can be an organization’s worst nightmare, especially following an incident if the public feels the affected company is lacking transparency or is ineffectively planning for and protecting their personal information.

My point is that organizations can actually minimize, plan for and even take care of a lot of these unexpected costs by implementing preventative measures. That includes building a responsible cybersecurity budget using the following considerations:

  1. What does your operations team feel is missing on a day-to-day basis?
  2. Does the operations team feel they need additional training, more tooling, further access, and/or more resources?
  3. When was the last time your organization did a risk assessment?
  4. When was the last time you held a table-top exercise with your incident response team, and have the non-technical incident responders ever participated in one?
  5. When was the last disaster recovery simulation run?
  6. Has the organization ever organized a cybersecurity maturity assessment?

If you are unable to answer the above