Financial stress can be a cause for anxiety across all business departments, but if you're in charge of developing a cybersecurity budget, you may be feeling extra pressure around this time of the year. While you know the importance of allocating a portion of the budget to your organization's security, without tangible evidence it may be challenging to get upper management on board. Your proposal may seem outlandish and get outright rejected.
So you need numbers. You need a quantifiable budget. But when the goal of cybersecurity is to reduce risk, how do you quantify this?
There are a lot of statistics that show the rise of cybercrime and its related costs. While these numbers provide a solid baseline, they don’t support your specific organization’s needs. You must find a way to quantify your organization’s unique financial and reputational risk.
We've broken the process down into a few manageable steps that will help you prioritize your budget and speak the business language leadership responds to.
Step 1: Identify your most important business objectives.
Step 2: Conduct a comprehensive security assessment to identify your greatest vulnerabilities.
Step 3: Quantify these vulnerabilities with a risk rating.
Step 4: Map the risk rating back to a business objective.
When you start by identifying your top business goals, you will have a better understanding of where to focus your budget based on what vulnerabilities hinder these goals. This will also resonate with your business leadership and they’ll appreciate where your head’s at. And, as an extra bonus, demonstrating that you can align security needs with the greater organizational goals is the first step to earning a seat at the leadership table.
But, how do you identify what those vulnerabilities are?
The best place to start is with a comprehensive security assessment, including a Network Security and Architecture Review (NSAR) and penetration tests (pen tests).
The NSAR will closely examine your current network configuration to identify weaknesses in your network security policy, procedure, design, and device configurations and rules. Ultimately, the NSAR shows what needs to be done to make the network as secure as possible, while also keeping it as usable as possible.
Like the NSAR, penetration testing helps organizations understand where to focus their security budget by identifying gaps in the effectiveness of current security measures. Penetration testing attempts to find vulnerabilities from multiple points of entry, including potential human, technical, or physical weaknesses.
Assign each finding from the NSAR and penetration tests a risk rating that takes into consideration the likelihood of an incident, the ease of exploitation (which feeds that likelihood: a weakness that needs no special access or tooling is the one most likely to be used), and the extent of damage to your business if the potential incident does occur. Use the same scale for every finding so that a pen test result and an NSAR result can be compared side by side.
By mapping each vulnerability back to actual data that could be compromised, you can easily identify the vulnerabilities’ overall business risk.
And, unlike traditional views on security, these assessments account for more than just products and technology, allowing you to focus your budget on other possible weaknesses, including staff and physical vulnerabilities.
Now that you understand your business goals and the greatest risks to these goals, it’s time to put it all together.
Let's take a look at an example. Perhaps you've identified one of your business objectives to be to grow your customer base. Now let's say you performed a penetration test that showed your employees are very susceptible to a simulated phishing attack. Since phishing attacks have repeatedly led to data breaches with significant reputational damage, this finding would earn a high risk rating. By mapping it as a high risk to your business goal of growing your customer base, you may decide to prioritize employee security training when building your budget, ideally alongside the technical controls a pen test report would pair with it, such as multi-factor authentication, since training lowers the click rate but never drives it to zero.
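The four steps above, carried through in code as an added example that is not part of the original article: a small Python risk register that scores each assessment finding on the three factors from Step 3, rolls the findings up per business objective (Step 4), and turns the ranked list into a budget plan. The findings, scales, objectives, and costs are constructed for illustration and are not taken from any real assessment.

```python
"""Toy risk register: rate findings, map them to business objectives, plan a budget.

All findings, scales and costs below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    source: str            # "NSAR" or "pentest"
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    ease: int              # 1 (needs insider access/tooling) .. 5 (trivial)
    impact: int            # 1 (negligible) .. 5 (severe, e.g. customer data loss)
    data_at_risk: str      # what is actually compromised if this is exploited
    objectives: list[str]  # business objectives this finding puts at risk
    remediation: str
    cost: int              # rough annual remediation cost (hypothetical units)


def risk_score(f: Finding) -> int:
    """Probability (likelihood blended with ease, rounding .5 up) times impact: 1..25."""
    probability = (f.likelihood + f.ease + 1) // 2
    return probability * f.impact


def rating(score: int) -> str:
    """Bucket a 1..25 score into the High/Medium/Low labels leadership will read."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rollup_by_objective(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Step 4: group findings under each business objective, worst risk first."""
    by_obj: dict[str, list[Finding]] = {}
    for f in findings:
        for obj in f.objectives:
            by_obj.setdefault(obj, []).append(f)
    for obj in by_obj:
        by_obj[obj].sort(key=lambda f: (-risk_score(f), f.cost))
    return by_obj


def budget_plan(findings: list[Finding], budget: int) -> tuple[list[str], int]:
    """Greedy plan: fund the highest-scoring findings first, cheaper first on ties.

    Returns the funded finding names and the budget left over. A finding that
    does not fit is skipped rather than partially funded.
    """
    funded, remaining = [], budget
    for f in sorted(findings, key=lambda f: (-risk_score(f), f.cost)):
        if f.cost <= remaining:
            funded.append(f.name)
            remaining -= f.cost
    return funded, remaining


# Constructed sample findings (hypothetical; not from any real assessment).
FINDINGS = [
    Finding("Staff clicked simulated phishing lure", "pentest", 5, 5, 4,
            "employee credentials, customer records",
            ["Grow customer base", "Launch online ordering"],
            "Security awareness training plus phishing-resistant MFA", 15_000),
    Finding("Workstations can reach the database VLAN", "NSAR", 3, 3, 5,
            "entire customer database",
            ["Launch online ordering"],
            "Segment network; allow DB access from the app tier only", 40_000),
    Finding("Server room door propped open", "pentest", 2, 4, 4,
            "physical access to servers and backups",
            ["Launch online ordering"],
            "Door closer, alarm contact, badge audit", 2_000),
    Finding("Marketing site still allows TLS 1.0", "NSAR", 2, 2, 2,
            "visitor session data on a brochure site",
            ["Grow customer base"],
            "Disable legacy TLS versions on the web server", 500),
]


if __name__ == "__main__":
    for obj, items in rollup_by_objective(FINDINGS).items():
        print(f"Objective: {obj}")
        for f in items:
            s = risk_score(f)
            print(f"  [{rating(s):6}] {s:2}  {f.name} ({f.source}) -> {f.remediation}")
    funded, left = budget_plan(FINDINGS, 50_000)
    print("Funded this cycle:", funded, "| unallocated:", left)
```

With the sample data the phishing finding scores 20 (High) and tops the list for the "Grow customer base" objective, which is exactly the argument the text makes for prioritizing training. Note the caveat the greedy plan exposes: a 50,000 budget funds the phishing, door and TLS items but skips the 40,000 segmentation fix even though it is the second-worst risk, leaving 32,500 unspent. A practitioner would flag that gap to leadership rather than let the arithmetic hide it, for example by ranking on score per unit of cost or carrying the item into the next cycle.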
This process allows you to quantify your most critical vulnerabilities, create a case for how these impair your business goals, and ultimately build a focused budget.
After all, it costs considerably less to be proactive in security rather than reactive.