As published in Security Magazine:
CISOs very rarely have all the finances they want to fund their security operations. Striking the perfect budgetary balance can seem like an insurmountable task when the overall organizational risk posture depends on it. According to Cybersixgill’s CISO Lior Marom, for CISOs to get the best bang for their buck, they must first consider the company’s business objectives and priorities, aligning their spend to support the accomplishment of the broader organizational goals.
Running a security operation is now a heavier task than ever before. Assets are moving targets because so many employees are still working from home — some likely will be for a while — and that means more possible vulnerabilities and less control.
Organizations are shoring up security by building out their tools and technology and hiring to close skills gaps. According to a recent Cybersixgill survey of 150 CISOs, 85% of CISOs have budgets of more than $1 million. A whopping 97% expect their teams to grow this year, with 56% anticipating growth of up to 10%, and a third – 34% – expecting growth of 11-20%.
How CISOs approach these technologies and hiring decisions will go a long way in determining how their security posture evolves this year and beyond. There’s an important balance to strike between the two, and you can’t determine the right mix without taking a step back to understand the business itself.
Which CISO Are You?
CISOs are defined by how they approach key decisions such as which technologies to implement and whom to hire. There are two major philosophies: some CISOs are optimizers and some are satisficers.
Optimizers focus on gathering as much data as possible and building ideal scenarios (good luck with that) before making decisions. They hold out for a bigger budget to address any issues that may arise. If the right teams and tools don’t already exist, an optimizer won’t start building or updating a security program until they have enough information to be sure they have made the best possible choices.
Satisficers will of course wish for those ideal conditions, but they work within the current landscape and look for workable solutions rather than cataloguing problems when drawing up a security plan. A satisficing CISO can prioritize what is best for the business and allocate the budget accordingly. Especially these days, CISOs have to do the best they can with the information available.
It’s no surprise that satisficing is the more practical approach. Still, to find the best available solution, you need to understand how the business operates beyond its privacy and security concerns. For example, knowing that the company plans to expand to Europe means GDPR compliance requirements are on the horizon. A new product for a healthcare company might bring HIPAA requirements with it.
When joining a new organization, spend the first month listening rather than offering suggestions. Learn about the objectives of the business, which will shape the scope and focus of security. Learn the organization’s culture. It may offer a glimpse into what resources – both financial and otherwise – are available to beef up a security team.
Finding the right balance between technology and headcount is one of the bigger challenges for CISOs.
There are fantastic, effective tools, but they can’t work alone. They need proper support, whether a DevOps team or a SOC team, to run, tune and maintain them day to day. That support is expensive, it is not optional, and it will only grow more important.
According to Gartner Inc., worldwide spending on security and risk management is expected to exceed $150 billion in 2021, 12.4% more than companies spent in 2020.
Finding the right tools and deciding how to spend that money depends on how your company is structured. A cloud-native operation will want more automated tooling, because its processes are already automated. A company with less of its footprint in the cloud will likely want to spend more on human oversight of its technology. The answer always needs to tie back to your business objectives.
You also have to develop a roadmap for those objectives. For example, if a new product or service comes along, you need a development cycle that prioritizes security and privacy by design. You might need a DevOps engineer to support that lifecycle.
Take an active approach to building those protections. Instead of playing whack-a-mole, reacting to vulnerabilities only after they have been exploited, treat the building blocks of your company and its operations as clues to what is most at risk. If an operation runs on AWS, for example, be diligent about finding and tracking chatter on hacking forums about vulnerabilities in that platform. If threat actors are exploiting something you depend on, you want to know as soon as possible.
Finding the Mix That Works for You
Ultimately, the balance you’ll need to strike between hiring and technology comes down to your business objectives. Based on what your company is focused on and investing in, you can make decisions that support your CEO and CFO.
But don’t look at your security infrastructure as all or nothing. While an optimizer might have an uncompromising ideal in mind for the skills and tools needed to secure the organization, a satisficer takes a growth mindset. This year, it might make more sense to invest in threat intelligence tools. Maybe next year you negotiate for a bigger budget to build out your security team or expand the DevOps team. Instead of waiting for the ideal situation, work within the constraints you have to make the most impactful decisions around security.
The right balance between tools and skills will come down to where your company is and where it’s going. For every technology you’re testing, for every hire you’re interviewing, always ask how that tech or that hire will advance the company’s goals.