Are You Being Strategic With Your Cyber Security Budget?
The attached article shows some interesting statistics about budgets for cyber security. Evidently, budgets increased by 141% between 2010 and 2018. The more intriguing statistic to me is that 70% of breaches are caused by people and process failures. That makes me wonder how much of the cyber security budget is aimed at reducing people and process failures. In my experience, the cyber security budget asks are for technological solutions more than for improvements to security awareness training. Did you know the FBI estimates that business email compromise (BEC) schemes cost organizations 1.3 billion in 2018? As you know, that particular scheme is aimed directly at a process: the ability and capability of an individual to send payments. In addition, there seems to be an uptick in misconfigurations of cloud infrastructure, which is a training issue.
As budgets for cyber security continue to rise and be approved, it is the responsibility of the Board of Directors and the executive team to determine exactly what people and/or process failures are being addressed within the budgetary ask, given that those are the biggest threats. Security and IT executives should be able to articulate where the money is going, based on the threat profile of the organization or its initiatives. That means not just buzzwords like AI, machine learning, security orchestration, etc., but how the implementation of a specific initiative advances our cyber security and privacy responsibilities for the next five years. If the answer to the question is a blank stare, that's a possible clue to the efficiencies or inefficiencies of your cyber security program.