Budgeting as a CISO: Software vs. Training

With limited budgets, Chief Information Security Officers (CISOs) have to weigh the costs and benefits of where they spend the department's funds. A decision to increase spending on one item means a reduction somewhere else. CISOs should include a reasonably sized budget for training staff on the risks of cyberattacks; however, the focus should remain on preventative software. Though employees are an important part of any cybersecurity plan, there comes a point where the benefit of additional training no longer outweighs its cost. The CISO should instead deliver strong training during onboarding and focus spending on software that can keep the organization secure.

INTRODUCTION 

As the Chief Information Security Officer (CISO) for an organization, it is important to strike a balance between funding the training of users and purchasing security technologies that keep users safe. It is often overlooked that the first and last line of defense in any organization is its users: "unless employees protect themselves and the organization's systems, even the best intrusion detection and prevention systems will fail" (Dash & Ansari, 2022, p. 2). An organization can implement multi-factor authentication (MFA) and build a robust, secure environment, but if its users can be compromised, it is game over. In the current threat climate it is necessary to educate users about the threats and consequences of a cyberattack: "… the weakest link in the security chain of any organization was determined to be the least aware employee in the organization" (Dash & Ansari, 2022, p. 4). Ideally, an organization's CISO would have unlimited funds to implement whatever is necessary to keep the organization's data secure and available, but most are constrained by budget. CISOs must find the balance between training and purchasing software, and weigh the costs and benefits of both.

TRAINING 

As an organization prepares its annual budget, it must determine how much can be spent on training. One suggestion is that CISOs budget approximately 3-4% of their total budget for training users on information security threats (Spark, 2022). This allocation should be aimed at educating users throughout the organization about basic technology hygiene, creating strong and unique passwords, and recognizing social engineering. The training should begin during onboarding and continue throughout an employee's career at the organization. CISOs and their teams should regularly test users with internal phishing simulations that mimic what they expect a malicious email to look like and where it would appear to come from. If a user clicks the link or otherwise interacts with the email in a way that could have exposed the organization, that user should be directed to a training page explaining the real-world consequences of phishing for the organization. Tracking click rates across campaigns also gives the CISO a measurable signal of whether the training spend is working. This testing can be run with a third-party vendor or internally, depending on the size and capability of the organization.
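The phishing simulation described above needs a way to attribute each click to one recipient without letting anyone forge a click on a coworker's behalf, and without counting links left over from an earlier campaign. The following is an added example, not code from the original post or from any vendor it mentions: it issues per-recipient HMAC-signed tracking tokens for one campaign, then processes landing-page access-log lines to produce the list of users to enroll in remedial training and the campaign click rate. The signing secret, campaign name, recipients, landing-page URL and log lines are all constructed sample data.

```python
"""Phishing-simulation click tracking.

Added illustration (not code from the original post). Each recipient gets a
link carrying an HMAC-signed token bound to one campaign; the landing-page
log is then processed to decide who must take remedial training. The
secret, campaign name, recipients and log lines are constructed sample data.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Assumption: a per-campaign secret held only by the security team.
SECRET = b"campaign-signing-key-change-me"


def _mac(campaign: str, user: str, secret: bytes) -> str:
    # HMAC-SHA256 over "campaign|user", truncated to 128 bits (32 hex chars).
    return hmac.new(secret, f"{campaign}|{user}".encode(), hashlib.sha256).hexdigest()[:32]


def make_token(campaign: str, user: str, secret: bytes = SECRET) -> str:
    """Opaque, URL-safe tracking token for one recipient of one campaign.

    Signing means a recipient cannot edit the link to attribute the click
    to a coworker, and binding the campaign name stops tokens from an old
    simulation being replayed into a new one.
    """
    raw = f"{campaign}|{user}|{_mac(campaign, user, secret)}".encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def parse_token(token: str, campaign: str, secret: bytes = SECRET):
    """Return the user a token belongs to, or None if it is malformed,
    forged (bad MAC) or issued for a different campaign."""
    try:
        padded = token + "=" * (-len(token) % 4)
        tok_campaign, user, mac = base64.urlsafe_b64decode(padded).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if tok_campaign != campaign:
        return None
    if not hmac.compare_digest(mac, _mac(tok_campaign, user, secret)):
        return None
    return user


def build_links(campaign: str, recipients, base: str = "https://training.example.com/lp") -> dict:
    """One unique landing-page URL per recipient, to embed in the simulated phish."""
    return {u: f"{base}?t={make_token(campaign, u)}" for u in recipients}


def clicked_users(log_lines, campaign: str, recipients, secret: bytes = SECRET):
    """Scan landing-page access-log lines; return (users who clicked, click rate).

    Only a valid token for this campaign from a known recipient counts, so a
    forged, tampered or stale-campaign link never enrolls anyone in training.
    """
    clicked = set()
    for line in log_lines:
        path = next((p for p in line.split() if p.startswith("/lp?")), None)
        if path is None:
            continue
        token = urllib.parse.parse_qs(urllib.parse.urlparse(path).query).get("t", [None])[0]
        if token is None:
            continue
        user = parse_token(token, campaign, secret)
        if user in recipients:
            clicked.add(user)
    rate = len(clicked) / len(recipients) if recipients else 0.0
    return clicked, rate


# --- constructed sample campaign -------------------------------------------
CAMPAIGN = "2024-Q1-invoice"
RECIPIENTS = {"alice", "bob", "carol", "dave"}
LINKS = build_links(CAMPAIGN, RECIPIENTS)

# Constructed landing-page log: timestamp, client IP, method, path, status.
SAMPLE_LOG = [
    f"2024-03-04T09:12:01Z 10.0.0.12 GET /lp?t={make_token(CAMPAIGN, 'alice')} 302",
    f"2024-03-04T09:13:44Z 10.0.0.31 GET /lp?t={make_token(CAMPAIGN, 'bob')} 302",
    f"2024-03-04T09:13:50Z 10.0.0.31 GET /lp?t={make_token(CAMPAIGN, 'bob')} 302",  # repeat click
    f"2024-03-04T09:20:05Z 10.0.0.77 GET /lp?t={make_token(CAMPAIGN, 'carol', b'guessed')} 302",  # forged MAC
    f"2024-03-04T09:25:19Z 10.0.0.54 GET /lp?t={make_token('2023-Q4-invoice', 'dave')} 302",  # stale campaign
    "2024-03-04T09:30:00Z 10.0.0.9 GET /favicon.ico 404",
]


def campaign_report(log_lines=SAMPLE_LOG, campaign=CAMPAIGN, recipients=RECIPIENTS) -> dict:
    """Who gets enrolled in remedial training, and the campaign's click rate."""
    clicked, rate = clicked_users(log_lines, campaign, recipients)
    return {"remedial_training": sorted(clicked), "click_rate": rate}


if __name__ == "__main__":
    print(campaign_report())  # {'remedial_training': ['alice', 'bob'], 'click_rate': 0.5}
```

Bob's second click is counted once, carol's forged link and dave's link from the previous campaign are rejected, so only alice and bob are enrolled and the campaign click rate is 2 of 4. Keying the MAC on the campaign name is what lets the same log pipeline run every quarter without old links polluting the new numbers.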

Another item that must be budgeted is training for the IT and security staff. Once staff are hired, they must stay current on new technologies and threats. These additional funds, approximately another 2% of the budget, would pay for conferences, workshops, and other training material for IT staff.

SOFTWARE 

The vast majority of a CISO's budget should be spent on preventative security software. Though training is a vital component of any security program, the protections software provides act as a fail-safe for the human side of using technology. This includes multi-factor authentication (MFA) to authenticate users when they log in to the organization's network, and firewalls to control traffic into and within the network. An identity and access management (IAM) system should also be part of the software stack so that users are granted privileges based on their roles in the organization and nothing more. CISOs should also budget for patch management, so that known vulnerabilities are not left on the organization's systems for an extended period once a fix is available.

CONCLUSION 

As with every decision, there are costs and benefits to weigh when setting a CISO's budget. A good cybersecurity program funds both training and software to provide the most robust security. While users are the first and last line of defense in an organization's security, there are instances where attackers bypass users entirely and attack the network directly. Software must be in place to detect and prevent these attacks from bringing down the organization's network. In combination, software and training offer an organization the best protection.

REFERENCES

Dash, B., & Ansari, M. F. (2022). An effective cybersecurity awareness training model: First defense of an organizational security strategy. International Research Journal of Engineering and Technology (IRJET), 9(4), 1–6.

Spark, D. (2022, November 3). Cybersecurity budgets. CISO Series. Retrieved April 9, 2023, from https://cisoseries.com/cybersecurity-budgets/ 
