Cybersecurity weighs heavily on the mind of the head of IT. Every day brings news of new exploits, and the board continually seeks assurances that the company is adequately protected against digital threats. In larger organisations, cybersecurity has become a pillar of the corporate governance strategy.
There may be well-policed cybersecurity policies and procedures in place, and employees may be well educated in threat avoidance. That in itself is more than many organisations have, but it still does not provide complete protection against the new threats and attack vectors that appear every day.
Today in particular, with Covid-19 a major threat to business, budgets are strained to the limit. Behind the relentless background noise is an insufficient, and perhaps shrinking, budget for the cybersecurity environment that the IT security specialists say they need.
What can be done?
Simply put, two approaches are possible: secure an increase in funding, or hold security at its current level with the current budget.
On the assumption that standing still for the foreseeable future is not viable, the realistic choices are to see how much more can be done with the funding already available, and in parallel to make the case for a funding increase.
Do More with Less
IT can do several things:
Unfilled vacancies. Leave departing employees unreplaced where possible and redirect the salary saved to cybersecurity.
Consultants and contractors. See whether replacing them with internal resources is an option.
Outsourcing. Conversely, see which functions can be outsourced at a lower cost than running them with internal resources. Outsourcing need not result in redundancies and staff losses if the affected staff are taken on by the outsourcing organisation.
Defer projects. Rank projects by strategic need and pause, delay or defer the non-essential ones to further down the list.
Defer non-essential maintenance. This is the least advisable option, because maintenance that slips often includes patching, and every deferred patch widens the window of exposure; but where it is genuinely non-essential, delay, defer or reduce it in scope.
Review external supplier contracts. Check every contract for scope to replace an existing service level with an equivalent but cheaper option.
Ask for an interim budget increase specifically for cybersecurity, on bended knee if necessary.
Longer-Term Strategy for a Funding Increase
Project Shock and Awe
Take a leaf from the politicians. Educate the board in the gruesome facts about failures in cybersecurity, particularly in organisations known to them, such as competitors. Frame the stories in terms of how the same incident would affect your organisation, and how the current defences are insufficient to repel the newer threats. Do this repeatedly, and try to have a cybersecurity report tabled at every board meeting.
The objective is to make cybersecurity a budget item that goes through without discussion each year.
Show how the relatively modest budget increases needed to upgrade cybersecurity are a drop in the bucket compared with the cost of a full-blown cyber attack. Make the board worried enough about cybersecurity that you get what you need.
One point to note: try not to make this a solo crusade, as the campaign may otherwise be perceived as the rantings of someone intent on expanding their empire.
Separate the IT and security budgets
The overall cybersecurity environment is not just hardware and software. It also includes:
- User education and training, so that users are aware of malware and other threats, know how to recognise them and know what to do if they see one;
- Access control and physical security, to stop equipment, and removable media such as flash drives in particular, from leaving the organisation undetected. Controlling data transfer to and from unmanaged devices and networks should reduce IP theft and the carrying of malware into and out of the corporate network;
- WiFi and BYOD. Allowing users to attach their own devices to the corporate network outside the control of IT has significant security implications, both for the physical equipment and for the data that migrates onto it. Implementing counter-measures, for example a separate network segment for personal devices, requires new hardware and network components that are not in the current budget.
Cybersecurity therefore intersects with HR, security services and building management, among others. Try to establish a coordinated approach and create a joint budget of which the IT component is one part. Be careful that this joint budget is not simply carved out of the existing IT budget.
It is, unfortunately, a fact of current life that an upswing in criminal activity coincides with a reduction in the funding available to counter it.