Living in the city of Atlanta, we have seen firsthand what happens when an organization is not aggressive in addressing known vulnerabilities within its infrastructure. In addition, the recent Marriott breach proves the brand impact when cybersecurity programs aren't actively managed and hackers have extended periods of time to linger in a system. With all of these breaches in the news, I recently walked out of a meeting with an Atlanta area municipality in which the conversation turned to the 2020 budget season. The Director of IT made a point of saying that the City of Atlanta breach that occurred in March 2018 did indeed raise awareness for him and his peers. It also emphasized the need for maintaining a clearly articulated cybersecurity program. This awareness has loosened up some additional budget to fund some of his cybersecurity initiatives. However, he also made a point of clarifying that this doesn't mean unlimited access to funds.
With more and more of these cybersecurity breaches occurring, the importance of having a clear cybersecurity plan and budget laid out is reinforced: one that can effectively communicate the program, the gaps, and the progress made year over year, with the additional budget being used to fuel initiatives. According to Security Magazine, cybersecurity budgets are expected to increase by 15 percent over the next three years across organizations, small and large. Utilizing a transparent and organized plan will allow you to clearly present the need for an increased budget allocation for cybersecurity at your next board meeting.
Source: Billington Cybersecurity
Why Allocating For Cybersecurity Budget Is Imperative
There are plenty of reasons why organizations are slow to act, with a lack of budget and resources being at the top of the list. In today's world, where threats are constant, it is no longer just "Name Brands" that are being hacked. Any company or municipality that has gaps within its security is at risk. It is proving to be too costly to cross your fingers and hope it doesn't happen to you. If you create a cybersecurity budget and plan that everyone in your organization is involved in, it will help save you very costly hits to productivity, manpower, and other resources.
Organizations must fight for the budget to mitigate risk, or they are essentially putting their heads in the sand. In the City of Atlanta example, a ransomware attack with a $50k ransom demand cost the city $2.6M to recover, far more than the hackers' $50k demand. Although it is politically unpopular to request more tax dollars or budget for cybersecurity, the changing landscape is requiring it. The City of Atlanta's lost productivity, delayed revenues to the city coffers, and the negative press will end up costing the taxpayers far more than an increased investment on the front end.
For many organizations, auditors and consultants play a fleeting role. Once the audit is complete, they provide a report of their findings aligned to a control framework like NIST or ISO 27001 and move on to the next account. These reports (like the one received by the City of Atlanta) often provide glaring insights into the gaps in an organization's cybersecurity posture. Unfortunately, without ongoing oversight or the political will to invest in changes, these reports get put in the drawer when the next organizational fire drill takes precedence. Without an active, ongoing Cybersecurity Management plan with transparent executive oversight, many organizations are able to collectively "put their heads back in the sand" and hope and pray that nobody exploits any of the known vulnerabilities.
There are plenty of reasons your organization should have a sufficient cybersecurity budget in place. Here are three key points that justify the expense and explain why you should be creating your cybersecurity management plan right now:
- Cybersecurity incidents and breaches are very costly and can disrupt business operations for businesses of all sizes and industries.
- Your corporate perimeter may be locked tight, but you cannot be sure about your suppliers.
- With the increasing use of cloud-based services, your organization’s business data can be accessed from anywhere.
Source: Health IT Security
How Do You Do It?
To get more money allocated to the cybersecurity budget, you must clearly present the risks the organization faces without adequate cybersecurity, the plan you will implement to protect the company's assets, and the justification for the cost. Luckily, this is really not as intimidating to accomplish as it may sound. Organizations must build an ongoing Cybersecurity Management Program in order to communicate with their investors (be it a corporate board or taxpayers). Once you have this, the program will be a lot easier to manage, as well as to attain funding for. It is up to the organization to create a centrally organized "program" and use that as ammunition to justify increased cybersecurity budget requests. The challenge for many organizations is exactly how to start a Cybersecurity Management Program and prove it is worth the cost. Let's take a look at the ways to make this happen:
- First, you can utilize auditors, cybersecurity consultants, and Managed Security Service Providers, who can all help highlight existing areas of concern in your current cyber environment. Every organization has areas within its cybersecurity that can be reviewed and improved.
- Take the time to look into the myriad cybersecurity tools available and find the ones that are a good fit for your business. There are resources and tools available, such as Apptega, that can help you and your IT team determine where weaknesses may exist and execute a plan to resolve them. These tools help save precious resources and costs in the long run. If you are utilizing effective cybersecurity management tools, then when the auditors do come in, everything is centrally located and the process is collaborative and effective in highlighting areas to address in the upcoming quarters.
- Create your fluid, living, ongoing cybersecurity plan. It must contain action items that move your organization forward and protect against threats. One of the most important things to remember in creating your action plan is that it must involve all of the people who are key assets across the organization, especially those who control the overall budget. Just like any SMART goals, if your organization isn't writing them down and collectively assigning ownership, they will not gain momentum. Tools like Apptega are helping organizations drive this accountability process with a centralized Cybersecurity Management program.
- To ensure your program is covering all of the bases, start with an industry framework or best practice (like ISO 27001 or SOC 2) and build in other key controls to create a program unique to your organizational requirements. Instead of the program document sitting in the drawer, your organization will be actively "eating the elephant one bite at a time" and making the changes and investments necessary to improve your cybersecurity posture.
In today's increasingly advanced digital age, Executive Committees want more insight into the organization's cybersecurity posture. CIOs and CISOs are becoming the new guest stars at the Board Meeting. The core piece needed in every organization and municipality is a transparent and comprehensive Cybersecurity Management plan. Once you and your organization are engaged in the process of creating your Cybersecurity Management plan, you start to uncover areas for improvement.
Tools like Apptega Cybersecurity Management Software allow organizations to have a repeatable, centralized program that provides reporting transparency to the people who control the budget. Unlike a spreadsheet and a one-time audit, Apptega assigns ownership and holds people across the organization accountable for individual components of the program. Our customers are highlighting the organization's strengths and areas for improvement, and gaining consensus on the plan to move the organization forward.
With an increased level of transparency, CIOs and CISOs are now able to communicate effectively with the Executive Committee and help them make intelligent, informed decisions on investments that balance risk against financial commitment. In return for the increased cybersecurity budget, Boards and Executive Committees have a mechanism to see progress and hold the organization accountable for hardening its cybersecurity posture.