Cyber Security Budget Shift Happens: What Action Can A CISO Take?

In Why Is Top Cyber Security Taking Flight, Cyber Security Hub first noted a striking outcome from our Mid-Year Survey that will further be featured in our Mid-Year Report: 40% of the cyber security community has not changed their mindset in the face of the global pandemic.  Another result from the survey referenced in the piece and which will be featured in the report is that 20% of top cyber security talent has been let go.

It is with that construct that we consider yet another result from the Mid-Year survey- 67.37% of cyber security community budgets have decreased or stayed the same over the past six months. (All survey respondents completed the survey between May 17^th and June 8^th).

Cyber security budgets static or decreasing

To put 67.37% into context, consider that 59.42% said they had an increase in budget just one year ago in our May 2019 report. That means budgets are upside down from where they were just 12 months ago.

While there was a slight decrease from the middle of 2019 to the end of 2019- it was negligible- meaning over half of the cyber security community noted that budgets were increasing last year. And now midway through 2020, not even one third of the community sees budgets increasing. That’s a marked shift.

A macroeconomic cyber security theory

One might posit the theory that even before the global pandemic, global corporate enterprise anticipated an economic downturn and in turn- decreased budgets. But that now in the wake of the global pandemic- with attacks on the rise- budgets will surely increase. Contrast that theory with what the community thinks will happen to budgets in the next six months- only 38.42% expect an increase.

The best-case scenario from the community is that less than 40% will increase budgets. The best-case scenario is a 1/3 drop in increased budgets.

And so there are two potential outcomes...

Do with less or fight for more

In the “do with less” corner, we have Dennis Leber, current Chief Information Security Officer | HIPAA Security Officer for The University of Tennessee Health Science Center. Dennis is the inaugural CISO at the Health Science Center. Prior to taking the position at the beginning of this year, he was the Chief Information Security Officer for the Cabinet for Health and Family Services (CHFS) of the Commonwealth of Kentucky. So Dennis was simultaneously working in the highly regulated healthcare industry while working within State Government. GRC were his middle initials (and he might even have them tattooed on his arm).

The term “Fort Knox” is sometimes used eponymously for the concept of security- and that’s a global understanding. Fort Knox Self Storage has a lock in its logo and it’s located in Vermont…Australia.

That’s a long way to give further credence to Dennis’ point of view. You see; he was

System Administrator/Information Security Management Officer for the US Army at the actual Fort Knox. He was responsible for InfoSec at the Fort Knox of Security- you can Google it.

Cyber security and the instituion goals

So when he says, you don’t need money to become more secure- Dennis is not just blowing smoke- he means it.

He notes that there are a ton of free resources from NIST that you should devour. He tipped his cap to us here at CSHub.com as a good free resource for good information. And for good measure, we quoted the NIST Cyber Security Framework in Cyber Security Tactic & Strategy.

But his advice is not to simply do things with no resources. His bigger picture view is that to properly protect the enterprise, you will need monetary resources- but that those monetary resources can and must be justified in a straightforward fashion. As he says it, “simplify things to help build trust and confidence.”

At the top of this piece, we reference the 20% of the cyber security community that was let go. The key is to have the knowledge that they were not ‘made redundant.’ Dennis notes that you have a responsibility to your organization- let alone your employees- to ensure that everyone understands exactly how each person is tied to the institutions goals. He notes- if the business value proposition is “People helping people,” it’s your job to be able to explain to the employee (let’s call her Nancy) how her pen-test directly helps deliver that value proposition. And further, it’s your job to ensure that the C-Suite really does understand how each and every pen-test delivers on that institution value proposition.

One non-action does a breach make

But don’t stop at cyber security awareness. At that point dive in to the deep end and explain that each of Nancy’s pen-tests are currently being performed by Nancy for the respective percentage salary cost of her time spent. Further, if Nancy didn’t do each of those pen-tests, explain the decrease in your threat intelligence, explain the vulnerability that wouldn’t be managed, explain the potential attacks that wouldn’t be thwarted and explain the breach that could occur.

The dollar cost of that breach, plus the future IP cost of that breach, plus the cost to the perception of the brand when the breach hits the headlines- explain all of that. Then ask- is it worth saving Nancy’s salary to expose us to that much risk?

No matter how bad the books look, what sane CFO would say yes?

Fight for more

So the end of Dennis’ “do with less” suggestion is in fact the beginning of Nokia’s Head of Security and Privacy, Suresh Chawdhary’s “fight for more” suggestion. 

When informed of our Mid-Year Report downward facing budget result, he calmly replied, “if your budget has remained the same for the past three years, it's means you are not doing a good enough job making the business case.”

Dennis explained that with no new resources we could get a new agreement that we’re not going to let Nancy go and at least keep the budget the same. But Suresh is suggesting that we could and should increase the budget.

Is your C-Suite and Board aware of the intelligence, tools and collaborative network of cyber criminals and state actors that your cyber security team is up against? Your team is aware and you’ve done a good job conveying the importance of cyber security across the enterprise- because each person knows that if they fall for that phishing email- your enterprise breach could be their fault. So that’s powerful.

Suresh suggests that that same force of knowledge must be behind your making the case for increasing your budget next time you have the conversation.