BALANCING CYBERSECURITY AND TECHNOLOGY

The cybersecurity budget must be allocated first and foremost to employee training, and secondly to cybersecurity technology. To be effective and efficient, both training and technology must be tailored to the company's standards and built around the employees who work for it.

A TRAINING PROGRAM THAT FITS
Before a training program is designed, it is important to identify the security goals. What are the assets to be protected? Are they mostly physical assets? Are they mostly virtual assets? Are they a mix of both? Is the data accessible on the network? In the cloud? On mobile devices? Once these questions are answered, a training program can be built to address the threats arising from the vulnerabilities specific to the company.

The next step is understanding the employees. Determine whether the employees are mostly IT workers who would understand industry jargon. If the employees mostly work at home or work different shifts, online training with an accompanying exam or quarterly Zoom meetings will be effective. If employees work at an office, an instructor-led training session will be more appropriate. Understanding the audience is important in making sure the training is accessible to all of a company's employees. Training should begin at onboarding and be refreshed regularly (Forbes, 2023). In addition, the Forbes expert panel recommends a program that is easy to understand, implement and audit (Forbes, 2023). A red and blue team internal audit structure would help the company ensure cybersecurity compliance and identify key areas to revisit and improve in future cybersecurity training. Regardless of the audience, training needs to be given to everyone in the organization. “The key to effective training, even for technical and SME staff members, is to stay current on the latest trends in attack vectors and exploits and train all staff to spot them regularly” (Nath, 2022).

IDENTIFYING CYBERSECURITY TECHNOLOGY
Cisco recommends that the main entities, “computers, smart devices, and routers; networks and the cloud” (Cisco, 2023), be protected. Technologies to invest in need to be easy to use and should fit the company and employee use case. If a security suite or service is too complicated or hard to use for the user or system admin, then at the least it is not effective, and at the most it can pose a security risk or vulnerability. It is important to fit the use case of the company as well. If most employees work remotely, investment in secure mobile phones and laptops would benefit the company's cybersecurity program. If a company uses a local network with no connection to the outside internet, redundant and ruggedized servers, UPS and backup power grids would be beneficial solutions to invest in. Regardless of the use case, investing in well-supported equipment is crucial. Equipment, software and services that are regularly supported by the vendor are the best investment. Fortinet's article on cybersecurity states, “It’s important to keep in mind that your technology portfolio is only as good as the frequency and quality of its updates. Frequent updates from reputable manufacturers and developers provide you with the most recent patches, which can mitigate newer attack methods” (Fortinet, 2023).

CONCLUSION
Core to the cybersecurity program is regular training that fits the company. Even with high-tech cybersecurity solutions, if the users are not trained in best practices, the program will fail. Priority in the budget should be placed on an easy-to-understand, auditable, and continually improving training program. Secondary, but no less important, is investing in cyber technologies that fit the use case of the company and are supported by frequent updates and patches. Good training and investment in cybersecurity technologies are top priorities in a cybersecurity budget.

Sources:
Cisco. (2023, October 27). What is cybersecurity? Cisco. https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html#~how-cybersecurity-works

Forbes Magazine. (2023, July 18). Council post: Companywide cybersecurity training: 20 tips to make it “stick.” Forbes. https://www.forbes.com/sites/forbestechcouncil/2023/07/14/companywide-cybersecurity-training-20-tips-to-make-it-stick/?sh=3e61cf729556

Fortinet. (2023, November 12). What is cybersecurity? Different types of cybersecurity. Fortinet. https://www.fortinet.com/resources/cyberglossary/what-is-cybersecurity

Nath, O. (2022, February 9). Top ways organizations can train employees to defend against cyber attacks. Spiceworks. https://www.spiceworks.com/it-security/cyber-risk-management/articles/training-employees-against-cyberattacks/