Despite the urgency of cybersecurity, every company has budget limitations. In this guest blog, John Carder, CIO at Messer Construction Company, shares tips for strengthening information security when resources and money are limited.
Protecting enterprise assets from internal and external threats has become one of the highest priorities for IT leaders. Providing effective security requires the intelligent use of your company’s resources, while staying within those ever-present budget limitations.
The security challenge is more complicated than most people think, due to a constantly changing threat landscape and regulatory environment, and the need to quickly identify and address the threats that present the greatest risks to the company.
The threats are more sophisticated and damaging than ever before. They show up in random ways, strike fast, and produce ever-increasing yields for the cybercriminals. Furthermore, as most security professionals know, no enterprise can ever be fully protected from a determined malicious actor with a wealth of resources to direct toward finding a weakness in your defenses.
So, how exactly do you shore up security when resources and money are limited?
Get a Cybersecurity Executive Sponsor
First, be sure to secure the support of a strong business sponsor, typically a C-level executive who has authority and respect throughout the company. Many IT initiatives fail without one. As it is, the expectation is already high for IT to optimize spending year over year while maintaining a secure computing environment. In addition to “doing more with less”, IT is tasked with strategic initiatives such as driving the digital transformation of the business. You will not be able to take on these more strategic initiatives, and be successful, if you are consumed with an endless list of low-risk security projects.
Assess Risk and Make a Plan
The challenges are many, but they are manageable with the right plan in place to identify and address the most significant security risks facing the company.
Conduct an assessment, or consider engaging a top security consulting firm to:
- Identify regulatory risks the company faces, and develop a remediation strategy and a plan of action.
- Identify and quickly address any known critical vulnerabilities that present an immediate and material risk to the company, taking into consideration internal and external threats.
- Define the scope of your threat assessment and identify gaps in your security posture. Weigh each threat, factoring in likelihood of occurrence, impact, severity/materiality, sensitivity, costs and risk tolerance, and partner with the business to make joint decisions regarding which risks to address (avoid, mitigate or transfer) and which risks to accept. It’s important to note that compliance and reputational risks cannot be transferred.
- Develop and regularly test and validate an incident response plan – you will need this in place prior to an event.
- Quantify the investments needed to mitigate and/or remediate all actionable risks, and
Once you know your key risk indicators and your company’s risk appetite, you can execute the strategy. Start by developing a security roadmap that takes into consideration the risk tolerance and expectations of the business. Tackle the regulatory and higher-risk areas first.
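As an added illustration (not from the original post), the following Python models the risk register the assessment produces: each risk is scored by likelihood and impact, risks above the company’s risk appetite are ordered with regulatory and compliance items first, the investment needed is summed, and the rule that compliance and reputational risks cannot be transferred is enforced. The categories, scores, costs and appetite value are constructed sample data.

```python
from dataclasses import dataclass

# Treatment options the post names; 'transfer' is not an option for
# compliance or reputational risk (category labels are constructed here).
TREATMENTS = {"avoid", "mitigate", "transfer", "accept"}
NON_TRANSFERABLE = {"compliance", "reputational"}
TACKLE_FIRST = {"regulatory", "compliance"}


@dataclass
class Risk:
    name: str
    category: str          # e.g. "regulatory", "compliance", "reputational", "operational"
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    remediation_cost: int  # constructed figure, arbitrary currency units

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def check_treatment(risk, treatment):
    """Reject treatments the post rules out; return the treatment if valid."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "transfer" and risk.category in NON_TRANSFERABLE:
        raise ValueError(f"{risk.category} risk {risk.name!r} cannot be transferred")
    return treatment


def prioritize(risks, risk_appetite):
    """Risks scoring above appetite, regulatory/compliance first, then by score."""
    actionable = [r for r in risks if r.score > risk_appetite]
    return sorted(actionable, key=lambda r: (r.category not in TACKLE_FIRST, -r.score))


def investment_needed(risks, risk_appetite, treatments):
    """Sum remediation cost of actionable risks that will be mitigated or avoided."""
    total = 0
    for r in prioritize(risks, risk_appetite):
        chosen = check_treatment(r, treatments.get(r.name, "mitigate"))
        if chosen in ("mitigate", "avoid"):
            total += r.remediation_cost
    return total


# Constructed sample register; the appetite means scores of 6 or below are accepted.
REGISTER = [
    Risk("unpatched internet-facing server", "operational", 4, 5, 20),
    Risk("missing audit log retention", "regulatory", 3, 4, 15),
    Risk("customer data breach disclosure", "reputational", 2, 5, 40),
    Risk("guest Wi-Fi music streaming", "operational", 3, 1, 5),
]
RISK_APPETITE = 6

if __name__ == "__main__":
    for r in prioritize(REGISTER, RISK_APPETITE):
        print(r.score, r.category, r.name)
    print(investment_needed(REGISTER, RISK_APPETITE, {"unpatched internet-facing server": "transfer"}))
```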
Don’t Spread Security Investments Too Thin
Make the security ecosystem difficult enough so that hackers who are looking for easy targets go somewhere else. You don’t have to over-invest your limited resources in too many forms of security or even in too many areas of the enterprise. Invest in the right ones.
Over-investment in areas that pose a small amount of risk actually results in a less effective security program. I liken this approach to a “prevent defense” in football – that is, it opens up more opportunities to exploitation because the defensive posture is spread too thin and there is not enough depth/rigor in the areas that matter the most.
The best practice is to tackle and address the most relevant and critical vulnerabilities first. Perform this combination of vulnerability assessment, security patching/fixes, and penetration testing on a routine basis and anytime the environment materially changes.
Consider outsourcing security tasks that can be performed better and cheaper by a qualified managed service provider. If you choose this option, ensure service level agreements are aligned with your business objectives and talk to your vendors on a regular basis, holding them accountable for their responsibilities.
Create metrics to track progress and results, and share the results often – at least on a quarterly basis – with the leadership team, even if the results are below expectations. This will spark valuable discussion around continuous improvements, provide transparency with respect to your challenges and workload, and might even lead to further investment in security by the business.
Put Employees at the Center of Security
Securing an enterprise is ultimately the responsibility of every employee in the company, so get them involved. Some IT leaders mistakenly take sole responsibility and ownership of security, while it is the employees who are on the front lines of data management, digital technologies and communications. They are the ones who can expose the company to potential threats such as malicious email links and attachments, websites, software, and even the distribution of confidential information. IT needs to ensure that each employee knows his or her role in protecting company assets.
Be sure to consider any cultural mores; for example, does your company allow employees to stream music or access social media over the corporate network? IT may view this in a negative way because it reduces limited network bandwidth that is needed to support key business functions, yet the company’s leaders may view it more favorably because it enhances employee morale. Avoid making unilateral decisions, like blocking streaming music services, which can result in a disconnect between IT and the business. Once the enterprise security strategy is well-defined and you have secured executive buy-in, IT needs to educate and train all employees.