The Human Factor in Cybersecurity

BLUF:

To optimize cybersecurity effectiveness while staying within a limited budget, my strategy focuses on a balanced allocation of resources. I suggest dividing the budget as follows: 50% for cybersecurity technologies aimed at establishing a Zero Trust architecture, 20% for incident response and recovery to ensure organizational resilience, 10% for security training to reduce the risk of human error, 10% for certifications and risk assessments to maintain compliance, and the remaining 10% as a discretionary fund for unforeseen threats. This allocation fosters a strong security posture through proactive defense, preparedness, and adaptability in a constantly evolving threat landscape.

____________________________________________________________________________________

Introduction 

Balancing cost and budget has always been a point of friction and contention within an organization. No organization has an unlimited budget, and as a result, compromises must be made. This is especially true in cybersecurity, where the tools you either build or buy will dictate your security posture. As the Chief Information Security Officer (CISO) for my organization, I would put the following balance in our budget for our cybersecurity strategy: 50% allocation to cybersecurity tools, 20% allocation to incident response, recovery, and business continuity, 10% allocation to security training, 10% allocation to certifications and risk assessment, and 10% allocation to a discretionary fund.

Cybersecurity Technologies – 50%

The vast majority of our cybersecurity budget would go toward investing in the right tools to accomplish our strategic goals. The foundational architecture would revolve around Zero Trust in an effort to minimize insider threats and prevent lateral movement. We would look at tools like Okta for identity and access management (IAM) to protect the identity layer. This would enable the implementation of role-based access control (RBAC), attribute-based access control (ABAC), and even some level of relationship-based access control (ReBAC), leveraged alongside Okta's strong two-factor and context-based authentication engine. For the network, a firewall and VPN solution such as Palo Alto, Cisco, or even Zscaler would be implemented. This would allow us to inspect inbound and outbound network traffic as well as build security control policies to protect our network. For our computers and servers, an endpoint detection and response (EDR) tool such as McAfee ePO would be deployed in tandem with an endpoint management solution such as SCCM or Jamf. This would allow us to set limits on what a user can do on their device, such as restricting admin access or enforcing software updates and patches. Should a device be compromised, our EDR solution would allow us to isolate the device and perform remote remediation. The logs from these tools, and others, would be fed into our security information and event management (SIEM) tool, such as Splunk or Sumo Logic. This would allow us to retain valuable information about what is happening in our network and alert our security team if a device is compromised or we see several failed authentication attempts for a user. This will allow a timely, efficient, and informed response to any security incidents.
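The SIEM alert described above, flagging a user with several failed authentication attempts, can be expressed as a small sliding-window detection. This is an added example, not code from the original post or from any SIEM product; the log format and the sample events are constructed for illustration, and the threshold and window are assumed values a team would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events in an assumed format (not from the original post).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth user=alice result=FAILURE src=10.0.0.5
2024-03-01T09:00:05Z auth user=alice result=FAILURE src=10.0.0.5
2024-03-01T09:00:09Z auth user=alice result=FAILURE src=10.0.0.5
2024-03-01T09:00:12Z auth user=alice result=FAILURE src=10.0.0.5
2024-03-01T09:00:15Z auth user=alice result=FAILURE src=10.0.0.5
2024-03-01T09:02:00Z auth user=bob result=FAILURE src=10.0.0.7
2024-03-01T09:02:30Z auth user=bob result=SUCCESS src=10.0.0.7
2024-03-01T09:30:00Z auth user=carol result=FAILURE src=10.0.0.9
2024-03-01T09:45:00Z auth user=carol result=FAILURE src=10.0.0.9
2024-03-01T10:00:00Z auth user=carol result=FAILURE src=10.0.0.9
2024-03-01T10:15:00Z auth user=carol result=FAILURE src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) auth user=(\S+) result=(\S+) src=(\S+)$")

def parse_events(text):
    """Parse log lines into (timestamp, user, result, source) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not stop the whole pipeline
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def failed_auth_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per user who reaches `threshold` failures within a sliding `window`."""
    recent = defaultdict(deque)  # per-user timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for ts, user, result, src in sorted(events):  # process in time order
        if result != "FAILURE":
            continue  # successes are not counted here (they could feed a separate rule)
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "failures": len(q), "first": q[0], "last": ts, "src": src})
    return alerts
```

With the defaults, only alice (five failures in 14 seconds) is flagged; carol's slower attempts every 15 minutes never accumulate inside a 10-minute window, which is why the window and threshold need to be tuned to the threat model rather than left at one fixed setting.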

Incident Response, Recovery, and Continuity – 20%

The priority here is to develop an incident response plan (IRP) to ensure a measured and well-structured approach to a breach. The IRP would be a well-documented procedure that outlines every step of the response process and the roles and responsibilities of all involved. As part of this effort, a recovery plan would be established, along with partners to ensure data availability and backup. Pure Storage offers a suite of products that would serve as our primary storage and cloud backup service. In the event of a catastrophic data loss, a service like Iron Mountain would be used for our offline backup. Additionally, we would contract with a continuity partner such as WillScot in case of catastrophic loss of our facilities. WillScot provides mobile offices and storage units, allowing us to continue business operations and reestablish our network and critical infrastructure.

Security Training – 10%

Our security training budget would be split into three buckets. The first is a comprehensive training program using KnowBe4, or something similar, to provide annual required end-user training. This would ensure our overall user population is aware of the latest threats we face, from social engineering to phishing attempts. In addition to the training, we would conduct regular internal phishing simulations against our user base. These would reinforce our current training regimen with real-world examples and would also reinforce use of our internal phishing reporting tool, Cofense Responder, and the reporting process around it.

Certifications and Risk Assessments – 10%

Key to the security program is adherence to industry standards and certifications, maintaining alignment with frameworks such as NIST, ISO, and SOC 2. To accomplish this, we would work with a third-party assessment organization (3PAO), such as Coalfire, to make sure we meet all requirements. We would also employ a threat intelligence service to understand what emerging risks may be out there and which may be specifically targeting us. Lastly, we would leverage tools such as Insomniac for automated penetration testing to help us identify and remediate vulnerabilities.

Discretionary Fund – 10%

Not knowing where the next threat is coming from or what unforeseen impacts our organization may face, I would set aside a portion of our budget to be used when and where we see fit. This money could be used to purchase a new tool that was not previously budgeted for or to increase a subscription. Regardless, having the funds available to pivot quickly where needed is crucial in today's ever-evolving cybersecurity landscape.

Conclusion

Fundamentally, security is about balance: balancing the policies to combat the threat, balancing friction with ease of use, and balancing the budget with need. We need to account for the human risk, doing what we can to minimize mistakes. Tools and automation are part of this equation, as is training. But even the best-laid plan fails; that is where continuity planning is key. As the CISO, the breakdown outlined above will help my organization maintain a strong security posture, leveraging industry-leading tools while still being prepared for worst-case disasters.
