Entry 4

The costs and benefits of developing a cybersecurity program within a business vary from company to company. Cost is also dependent on the budget the company cuts out for cybersecurity, which makes it difficult for CISOs to give businesses a percentage to cut out. However, there are five main categories all organizations can consider for their cybersecurity budgets and those are: Compliance, Ongoing existing risk assessments, Ongoing security training, New business initiatives, and Business priority shifts. Compliance regulations dictate security budget allocations depending on type of data and privacy measures necessary for the type of business and consumer needs. Ongoing existing risk assessments, continuously monitoring the efficacy of security controls and adapting them or calibrating against prevalent attack vectors. If current tools and security measures do not stack up to the current risk or threat, budgets need to reallocate or be made higher to compensate or agree to accept the higher risk levels. Tools and services in this category are cyber insurance, penetration testing, bug bounty initiatives and incident response. Next is ongoing security training, employees as well as management should be in the know when dealing with cybersecurity and shouldn’t be treated as another annual or monthly check in the box type of training. A best practice for any type of security is prevention and knowledge of when an incident or attack is happening and how to deal with it along with recovery. New business initiatives, business priorities shift and so does its security methods needed for it along with a whole new budget or, if able, to reallocate its budget. Companies could outsource to third parties, or customers’ information could be stored in a cloud storage platform or even within the company’s own network. This provides new risks and open avenues for threats. Lastly, business priority shifts, this could be people, technology, or monetization. Considering people, this could be work from home or abroad and the ongoing threats that poses as some may use their own personal network instead of a business provided technology. Technology refers to such things as the use of cloud technology or outsourcing. Each shift requires reassessment and reallocation of the budget.