The Human Factor in CyberSecurity

Assignment Description: “During this week’s reading, you’ve been exposed to different points of view regarding human contribution to cyber threats. Now, put on your Chief Information Security Officer hat. Realizing that you have a limited budget (the amount is unimportant), how would you balance the tradeoff of training and additional cybersecurity technology? That is, how would you allocate your limited funds? Explain your reasoning.”

Budget Proposal for Training and Technology Funding

Introduction:

The best way to allocate cybersecurity funding is to heavily favor investing in training over purchasing and installing new cybersecurity technology. While it is important to maintain some budget for the installation and maintenance of new and existing equipment, at least 70% of the budget should go toward improving employee training and strengthening the human firewall. Prioritizing training in every sector of the organization is the best option because it will prevent a large number of cybersecurity breaches, and all breaches eventually depend on human action anyway.

Human Risks:

To understand why training needs to be prioritized over new technologies, the risks and causes of cybersecurity breaches need to be discussed first. One of the most common causes of these incidents is the human factor. As the Harvard Business Review discusses, employees cause “50% of incidents where private or sensitive information was unintentionally exposed” (Disparte & Furlow, 2017). The causes can be intentional insider attacks but also include “mistakes by employees, such as falling for a phishing scam” (Disparte & Furlow, 2017) or incorrect maintenance and oversight of cybersecurity technologies and procedures that would have otherwise protected the company. Additionally, whether caused by employees or not, every successful breach of company defenses will eventually depend on employees being trained and prepared to detect the breach and resolve it.

How to Train:

Since employees are a large cause of cybersecurity incidents and will always be involved in breaches of every type, it is important to invest heavily in widespread training for the whole company. The Harvard Business Review discusses the importance of what it defines as a company with “risk agility,” where “all employees should not only understand what is expected of them regarding company policy and online behavior but also be trained to recognize nefarious or suspicious activity” (Disparte & Furlow, 2017). Human error can cause a cyber incident in any sector or level of the organization, and thus every single employee needs to be trained to detect scams and potential problems before they can harm the company. This is why cybersecurity training demands budget attention. This level of training requires testing to ensure its effectiveness, from sending fake phishing emails to employees to see if they click them to company surveys and questionnaires. The company's training methods should be constantly reviewed and revised to find the most effective and easiest ways to train all employees.

Conclusion:

The cybersecurity budget moving forward should prioritize spending money on training employees over purchasing new technologies. Between the high number of incidents caused by human error or intent and the amount of human work needed to resolve incidents, there is a clear necessity for the best training possible. Additionally, the best way to make the training effective is to enforce it company-wide and constantly review the training process. Focusing on training employees on current procedures and technologies will make for a more effective and safer workforce than if they had inferior training and had to constantly learn new and expensive technologies.

References

Disparte, D., & Furlow, C. (2017, May 16). The Best Cybersecurity Investment You Can Make Is Better Training. Harvard Business Review. Retrieved November 17, 2024, from https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training
