Budgeting for Cyber Security for 2019

Cyber-Security Budgeting is a Layered Approach

Cyber-Security is arguably the hottest market right now.  Organizations are more willing than ever to spend money to avoid becoming the next headline.  When planning, it is easy to focus on the available products that vendors spend millions of dollars pushing at us every day.  Products are required, but it is the process around them that keeps you secure.  Best practices in security follow a layered approach, and budgeting is no different.  Where should you focus your efforts?

The Basic Layers:  Reduce Known Risks

These are not sexy, but neither is changing your oil and rotating your tires (Diet and exercise?  Pick your poison).  Before you look at some of the newer, enticing security solutions, it is important to make sure the basics are covered.  What we know:  attacks and breaches are increasing every year.  We have seen an 8x increase in incidents in the past twelve months.  So, our basic list has grown from last year.  You may ask:  why don’t you just follow the CIS top 20?  We agree that all 20 of those items are very important, but after working with over 250 organizations, we know that approval of budget items, gaps in expertise, and culture typically make it hard for an organization to follow the CIS Controls in order.  If you can, that is great, but we offer the following list of items to consider, in order of importance and ease of execution:

  1. Email & Web security – Spam & Antivirus solutions
  2. Enable Multi-Factor Authentication for all remote access – don’t forget O365 and other cloud services – or don’t allow remote access at all
  3. IDS/IPS; internet monitoring/filtering – hard to believe, but we still find some organizations with outdated firewalls and no IDS capability
  4. Security patching for all hardware/software
  5. Endpoint protections – Antivirus/Malware solutions
  6. Review all accounts, especially privileged accounts, and do not allow privileged accounts for regular use
  7. Check for consistent password and access controls across all of your platforms
  8. Encrypt portable devices
  9. Approve Basic Policies to establish guidelines
  10. Provide security training for users and IT staff
  11. Continuously inventory the devices on your network
  12. Review firewall, remote access/VPN, and wireless solutions regularly
  13. Comprehensive network documentation
  14. A proactive monitoring/logging/alerting solution should be in place
  15. Basic Incident Response capabilities
  16. Secure file transfer capability
  17. Basic Security Metrics and Reporting – Regular measurements are a must to eliminate a false sense of security
  18. Evaluate your ability to perform these basic functions adequately – do we need managed services?

Add Advanced Layers to Cover Blind Spots

Once you have the basics in place, formal measurement and planning are prudent to prioritize capital expenses.  If you do not have the in-house expertise available, you may need to rely on outside assistance.  Some items to consider:

  1. Objective measurement: Risk Assessment, Security Audit, Vulnerability and penetration testing
  2. Increase visibility with SIEM (Security Information & Event Management) – either in-house or as a service
  3. Complement SIEM with MDR (Managed Detection & Response)
  4. Formal Program & Policy development following ISO 27001, NIST, HITRUST, or other appropriate framework
  5. Risk Management
  6. Vulnerability Management
  7. Mobile device management solution
  8. NAC – internal Network Access Control
  9. Data Loss Prevention technologies
  10. Identity and Access Management
  11. Forensic capabilities
  12. Application whitelisting
  13. Incident Response tabletop exercises; Red Team, Blue Team, and Purple Team exercises
  14. Information Governance

Studies have shown that a good security posture will reduce the operational costs and the cost of a security breach.

A Note for your CFO:  You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

Note:  SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.  We do not sell or broker hardware or software.

If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Why not just follow the CIS top 20?

Since we mentioned it, we will go ahead and put this list out here too.

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  7. Email and Web Browser Protections
  8. Malware Defenses
  9. Limitation and Control of Network Ports, Protocols and Services
  10. Data Recovery Capabilities
  11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control

Organizational CIS Controls

  17. Implement a Security Awareness and Training Program
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

The 7 Key Principles guiding the latest version of the CIS Controls

When designing the latest version of the CIS Controls, our community relied on 7 key principles to guide the development process:

  1. Improve the consistency and simplify the wording of each sub-control
  2. Implement “one ask” per sub-control
  3. Bring more focus on authentication, encryption, and application whitelisting
  4. Account for improvements in security technology and emerging security problems
  5. Better align with other frameworks (such as the NIST CSF)
  6. Support the development of related products (e.g. measurements/metrics, implementation guides)
  7. Identify types of CIS controls (basic, foundational, and organizational)