How Can CISOs Choose Among Limitless Security Options with a Limited Budget?
How Can CISOs Choose Among Limitless Security Options with a Limited Budget?

There has never been a more challenging time to be in charge of corporate cybersecurity.

CISOs are facing enormous pressure to keep their organizations protected against attacks, even as threats continue to grow in sophistication while budgets are limited and security skills are increasingly hard to come by.

Adding to the complexity of what CISOs need to achieve is the fact that they must bolster security while at the same time maintaining the expected performance of systems and applications for business users.

One of the greatest difficulties in securing IT environments is that threats and vulnerabilities are always morphing into something new. The modes of attack that bad actors deployed five years ago or even a year ago are no longer being used. They have found new and more insidious methods and methodologies for launching the attacks.

The problem is, the technology solutions you bought to address the older threats in many cases are still in use. Once the investments have been made it's difficult to rip out the products and ask for new ones to replace them, or even determine if the previous investments are still adding value.

Security vendors are coming out with new and better solutions all the time to help address the latest threats. But without the money to buy these tools, there's no way you can implement all of them.And money is indeed an issue. Despite the rising awareness of the need for stronger security at the highest levels of organizations, many enterprise cybersecurity budgets are not growing fast enough to keep up with the increased challenges. They're probably growing anywhere from 4% to 8% year to year, but CISOs still need to ensure they are spending any available funds in the most impactful way.

If your organization gets attacked, you might get some additional funding. On other hand, you might get fired and the next CISO will get the increase in budget while you're looking for a new job.

Limited budgets are not the only constraint. There is a severe shortage of security professionals who know how to use the latest technologies and create new and innovative ways of detecting and stopping attacks.

So what can CISOs do to overcome these seemingly insurmountable challenges? One of the best practices is to actually set up an environment where they can emulate the hostile threat landscape that's trying to steal their organizations' information. They can simulate common attacks such as malware.

By doing that, they can look at all the security systems they currently have in place and any new systems that they're buying and start doing sensitivity analysis on the environment. They can start shutting things off and examining whether their security posture get worse or stayed the same, and how the change impacted performance.

Every time you put one of these security devices in place, it slows down performance and ultimately the cost per bit goes up. What CISOs really need to do is test all their systems, make sure they're configured properly and performing well. After this sensitivity analysis they can see whether they really need particular systems, and how they can save money on something and spend it on something else in the future.

By taking this “preemptive intelligence” approach, security executives can make a good determination of which security tools really help address their unique demands on security posture and system performance. 

To be effective, however, the simulated attacks need to throw huge volumes of normal traffic at organizations, mixed with a smaller percentage of malicious traffic, to see how well systems perform. But the challenge is, sometimes organizations don't have the time or resources to set up the systems to create those realistic attack scenarios.

That's when they need to consider getting help from outside, in the form of an organized group of hackers who have been out there doing this sort of thing for a long time. They should have experience in virtually any kind of attacks: network hacking, application hacking, device hacking, mobility hacking, Bluetooth hacking—all of the things that people care about, because IT environments are so complex today.  Today's attacks are equally complex, potentially leveraging mix of vulnerabilities between devices, applications and networks to gain access, which is why you need to augment your team with security professionals that have experience with all facets of the attack surface.

Another good practice is to narrow down the types of attacks that your organization is likely to face, or the types of data that's likely to be attacked, and focus on defending against those incidents. For example, certain types of attacks are aimed mostly at financial institutions, others are aimed at healthcare companies.

Some sectors, such as government, have a more difficult time doing this because they face such a wide variety of attacks. But by segmenting the attack vectors and focusing on protecting the most critical and desired data, organizations can deliver more effective security.

Finally, when it comes to security and security technology, don't forget the importance of education. Not only the education of employee regarding secure processes, but the education of management about which products make the most sense to deploy, and articulating the value each are providing to reduce the cyber risk to the organization.