The year-over-year growth of Information Security and Data Privacy budgets has slowed significantly. The average Information Security/Data Privacy budget is close to 10% of the overall IT budget, but what we are seeing is spending held at 2020 levels rather than growing as you would expect. Is Information Security becoming less of a priority to management or the Board of Directors (BoD)? I would say no. A study by the Ponemon Institute found that “83% of directors describe themselves as at least ‘moderately’ engaged with overseeing the risk of cyber attacks” (Cyber Security Becomes a Boardroom Priority | Directorpoint). This is very significant and does not align with the data on slowing security budgets. What is the disconnect? We can see several trends and potential reasons, but the prevailing sentiment seems to be: get the most out of what you already have and avoid the new “shiny” toys. So, if 83% of the BoD cares about cybersecurity, and the SEC has proposed rules requiring specific cybersecurity oversight by the BoD (SEC.gov | SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies), how do Information Security/Data Privacy groups manage this?
This quandary requires IT professionals to take a much more business-oriented approach to safeguarding assets and data, and to make decisions on a risk basis. This is not a new concept, but it is now a narrative that will resonate with senior management and the BoD and be the proverbial good story to tell. In talking with colleagues at companies of different sizes and in different industries, a common approach to strategic and steady-state operations is to bucket controls, and their budgets, into four (4) categories based on criticality:
• Crown Jewels (40%)
• Technical (30%)
• Regulatory (20%)
• Administrative (10%)
The percentages are only an example, but your initial analysis will likely land close to them. The Crown Jewels bucket may overlap the other three, but knowing what drives the company’s revenue and what is critical to the organization should be the first priority. The CISO function is as much a technical expert as a business leader in our current data-centric world. This requires the CISO and information security group to be a partner and not in the Yes or No business. If a business process supports a Crown Jewel component, then shifting resources to safeguard it should be imperative for any IT/Security leader.
The Technical controls can be adjusted based on the risk of the assets and data, along with the culture of your organization.
Culture matters because imposing strict controls on a company that is not acclimated to them creates user-experience friction and can undermine the overall mission.
This is where a leader needs to build those partnerships, get management buy-in, understand the data, and implement accordingly. When we think of risk/cost and technical controls, the following items can provide robust security without substantial cost:
• Monitoring/SIEM tool
• Encryption in-transit
• Malicious activity blocking, not just detection (there is a big difference: detection produces an alert for someone to act on after the fact, while blocking stops the activity inline before it does damage)
• Incident Management Tool
• API Security
In our new world of seamless data provisioning, these items can provide appropriate data safeguards without disrupting the business processes that drive profits, innovation, and required data sharing.
The Regulatory side can be a difficult path to maneuver and is fraught with pitfalls and paradigm shifts in the legislative landscape. Every CISO has had it ingrained that failing to meet every compliance guideline means the world will end. It does not, but knowing exactly what is required is critical. The following items need to be in place to satisfy a broad spectrum of domestic and global compliance requirements:
• Data/Asset Inventory
• Ability to respond to data subject access requests (DSARs) within the statutory response window (this depends on the Data/Asset Inventory above: you cannot locate or produce a subject’s data you do not know you hold)
• Partnership with Legal and Internal Audit
The items above allow teams that need to run lean to hit the necessary marks and to share costs and resources across the enterprise.
The Administrative side of the house is the least visible but pays dividends for the entire user base. It covers the user training, learning, and communications portion of the program. This requirement spans all areas and makes sure employees and contractors are well versed in how to safeguard data and are risk-averse, when applicable. Another component is communicating initiatives to the user base and explaining them to ensure awareness and buy-in. This is a lost art in organizations today: articulating the “why,” showing what the business gets from the hard work, and pushing past regulatory fatigue.
In conclusion, this is a fast-moving world, and if you don’t stop and look around you might miss it. Following the items detailed above can position your organization to optimize controls and allocate costs and resources most efficiently.