Human Factor Writeup

As a Chief Information Security Officer (CISO) who is in charge of a budget for my company, here are some ways I manage training and additional cybersecurity technology for my company.

How does one go about balancing between choosing to train on practices that will protect a data system versus adding additional cybertechnology? Well, to start, I must consider the types of threats that the organization will face. Will they be physical threats like bombs or hurricanes, or will they be cyber threats like data breaches? Most of the time it will be a mixture of both for companies, so finding the balance between the two is crucial. It is important to consider adding protective measures, as this limits vulnerabilities, like having security cameras and restricting access control (ICF International, 2016, pg. 31, 33). Cybertechnology is important, but I feel that training can play a bigger part; therefore, I would allocate more money to this sector. Training, to me, reigns supreme, as even if you have equipment, you don’t necessarily know how to use it or what to do if it fails you. Training that is more job-specific should be required, as employees, part of the time, need to “identify vulnerabilities of procedures, designs and maintenance activities” (ICF International, 2016, pg. 33). There is another tool that can help calculate the budget for a company. Interpretation Cost Estimates (ICE) is a calculator that can help organizations estimate costs and the financial impact associated with the reliability improvements (ICF International, 2016, pg. 34). Keeping this in mind, let’s consider how a company’s insurance will play a part in the budget.

Something that is also very crucial to the budget is to consider how much insurance is for the company. Insurance is commonly used as a measure of risk prevention, even though it isn’t minimizing the risk of a cyberattack. It does, however, help manage the risks through mitigation, accepting, or transferring the risk to insurance (ICF International, 2016, pg. 81). So, what would be the most beneficial for a company with a low budget? Accepting risk is the best fit for companies with low budgets, as it is often through self-insurance (ICF International, 2016, pg. 81). Keep in mind that this type of insurance is traditional; therefore, it would not cover certain kinds of cyberattacks. Although it is relatively new, cyber insurance can aid an organization when it comes to data breaches and business disruptions via cyberattacks (ICF International, 2016, pg. 86). This kind of insurance can be beneficial; however, there are some cons to it. This kind of insurance specifically is difficult to price and therefore can throw off a budget completely, so I am not sure I would use it with my company (ICF International, 2016, pg. 86).

To conclude, although cybertechnology and training should be balanced fifty-fifty in my budget, I would allocate more spending toward training. I would also choose to accept risk when it comes to insurance if my budget is on the lower side, as it is the most budget-friendly. Finally, I would direct some of the budget to research on cyber insurance and training methods.

Resources:

ICF International. (2016, June). Electric Grid Security and Resilience | Establishing a Baseline for Adversarial Threats. Department of Energy. Retrieved November 6, 2024, from https://www.energy.gov/sites/prod/files/2017/01/f34/Electric%20Grid%20Security%20and%20Resilience–Establishing%20a%20Baseline%20for%20Adversarial%20Threats.pdf.
