Home » Security Bloggers Network » 6 Steps to Make Every Dollar Spent on Your Cybersecurity Program Count

6 Steps to Make Every Dollar Spent on Your Cybersecurity Program Count

by J.R Cunningham on May 21, 2021

“No organization has the security budget to be good at everything. A security program should show you where to spend and why, and track your security maturity and compliance in real time.”

-Team Nuspire

1 – Facing the Facts

Security programs are stuck in the past. Aging frameworks like NIST, HIPAA, FISMA and PCI provide boxes to check, but compliance doesn’t equal security. No organization can be good at hundreds of “things to do” or afford to do all of them.

In addition, resources are scarce and budgets are limited (and scary stories no longer work to get more money). What works for one industry doesn’t work for another – consider the extremely different needs of manufacturers and healthcare organizations.

No matter how much an organization spends on security, it seems like the bad actors are one step ahead. Ask five vendors what to do, and you’ll likely get five different answers. Many organizations continue buying technology in hopes of increasing protection. Showing return on investment, however, is nearly impossible.

A sobering fact?
A security program doesn’t exist that makes you more secure, takes into account your current defenses, identifies the threats most likely to attack your industry, and respects your budget. Until now.

2 – Persistent Challenges

The old approach to security programs isn’t working. We continue to hear familiar concerns and requirements:

I need help prioritizing security investments.
Traditional assessments don’t work for us.
I don’t want a checklist of 200+ things to do.
I have to justify security projects to executives and the board.
I don’t have a way to track maturity progress easily.
I’d like to know what my industry peers are doing in this area.
I’d like to talk to someone who has “been there, done that.”
I want to be compliant and secure.
I need visibility of my entire security program.

How does the old approach hold organizations back and limit security outcomes?

1 – Prescriptive frameworks

Every item seems to be equally important as you work your way through a list – No. 1, No. 2, No. 3 and so on – with no clear links to improving security.

2 – More is better

The notion of strengthening security “everywhere” to achieve high maturity in many or all areas – check, please! – is compelling but not realistic or necessary.

3 – Lack of clarity regarding new attack surfaces

Old frameworks don’t speak well, or at all, to cloud, mobile and digital transformation. No wonder spending decisions are difficult.

4 – Insufficient knowledge

Decision-makers are on a slippery slope without coordinated insights into security maturity, industry-relevant threats, and current defenses.

5 – Inadequate visibility

Technology overload compounds complexity and strains resources. There’s no way to pull it all together in one place, so you have to piece information together manually.

6 – Lack of trustworthy, reliable advice

Changing business conditions and industry nuances call for more than static assessments, generic recommendations or vendor lock-in.

3 – What You Need

The right vision can jumpstart a journey from old to new thinking about security programs. Start with what you need.

Need to Know	Need to Learn	Need to Show	Need to Go
To spend security dollars most effectively	About the adversaries active in your industry	To justify future security initiatives	To strategic incremental improvements
Gaps and overlaps in your current security program. Which specific areas of your program need to be strengthened to protect critical data. The biggest threat to your industry and what tactics being used.	Which threat actors. Which tactics, techniques and procedures (TTPs). Industry trends and emerging relevant threats.	A blueprint for maturing your cybersecurity program. A way to demonstrate and document performance over time. Industry-specific threat intelligence to prioritize spending and level of effort.	Recognize that legacy frameworks and tools are limiting. Become threat aware, risk-centric and adaptable. Control your destiny – know where you are and where you want to go.

4 – Industry Matters

An industry-specific focus identifies high-priority security requirements, relieving the pressure and cost of “secure everything” thinking. When industry factors play a strong role in your program, you can speed up your maturity journey.

	Key Threats	Key Security Control Examples	Recommendation Examples
Healthcare	Ransomware, personal health information (PHI) compromise.	Network segmentation, bio-medical device security, vulnerability scanning	Data governance policy, PHI encryption, network access control policy
Retail/Hospitality	Ransomware, credit card breach	Endpoint (point of sale) security, tokenization, encryption, dark web monitoring	CDE encryption standards, vulnerability management policy and exception tracking worksheet, OWASP standards for developers
Manufacturing	Loss of intellectual property, factory floor availability	Industrial control systems security, behavioral analytics for robotic devices, third-party identity management	Contractor and third-party access policy, ICS/IoT scanning/passive discovery architecture, change control standards
Financial Services	Website spoofing, phishing	Cloud security posture management, SIEM, behavioral analytics, vulnerability management	Onboarding/offboarding identity policy, cloud security configuration standards, cyber risk register templates

5 – Modernizing Security Programs

The new way of thinking about security programs hinges on organization-wide visibility and control and real-time information. Modern programs reflect all of the “what you need” points and incorporate industry-standard, well-known controls. Imagine being able to measure maturity on a scale of 1 to 5 and understand clearly which areas need to be a 4 or 5 and which, at 2 or 3, pose an acceptable risk. This is a progressive, sensible way to make decisions.

What makes a modern security program better and different?

Program creation. Facilitates the design and build of customized security programs step by step with specific, actionable recommendations.
Access. Enables you to view and manage your entire security program through a single pane of glass.
Basics first. Highlights which controls are essential to satisfy your compliance and security objectives and which can be next level.
Technology agnostic. Filters out technology noise by identifying what you don’t need anymore and what you need to fill gaps.
Adaptability. Absorbs new controls and maps them to new or changing organizational and industry standards.
Flexibility. Gives you the ability to dial up or dial down controls in particular areas.
ROI based. Allows you to make the best use of money, time, and people considering program gaps, industry requirements, risk profile, and goals.

6 – Outcomes

Change can be hard, whether it affects habits, thinking or behavior. We also know that security programs can’t go on as they are. To recap, these are the benefits of letting go of the past.

Improve Security Spend
Invest dollars where they matter most based on industry-specific factors, technology need, and level of effort.
Avoid Security Pitfalls
Know which projects to avoid because they are expensive and destined to fail in certain environments.
Prove Security Maturity
Track and show maturity progress over time – against well-known industry standards – to help justify security spending.
Maintain Visibility
Unify, integrate and automate your security program in a single dashboard.
Lower Risk Exposure
Take advantage of threat modeling to look at systems differently, home in on high-priority threats, and fortify defenses to protect your most valuable assets.
Keep Up
Adapt quickly to new business initiatives, industry trends, and the changing cyber scape.