10 November 2024 – Jonathan F. M. Reyes
With a limited budget, I would prioritize basic cybersecurity training for all personnel. Fewer roles filled by more experienced staff means less training to pay for. So, I would hire personnel with a background in cybersecurity and consolidate cyber-related positions and responsibilities to reduce the total cost of advanced cybersecurity training. The remainder of the funds would be used to maintain easy-to-use software and would be allocated based on a risk assessment of the company's most critical technology.
CISO Fund Limits
In an article on Dark Reading, a cybersecurity news site, Steve Zurier cites "a new report from PhishMe that found that 91% of cyberattacks start with a phish" (2016). Simple, easily evaded cyberattacks are prevented by making all personnel aware of cyber threats through basic cybersecurity training. The Federal Trade Commission recommends that businesses "train all staff … update employees as you find out about new risks and vulnerabilities" (Federal Trade Commission, n.d.) as part of its cybersecurity basics guidance.
As a CISO, I would take part in the hiring process for anyone applying to the cyber technology part of the company to ensure the company hires personnel with a background in cybersecurity. Roles such as information technology (IT) can be combined with cybersecurity roles in the company to reduce the money spent on training.
Having accessible, user-friendly cybersecurity software will reduce mistakes and misunderstandings of threats, improving recovery time if the company detects a cyberattack. The software used should be focused on protecting the critical parts of the company. The Risk Management Framework for Information Systems and Organizations states, "Risk management is a holistic activity that affects every aspect of the organization" (Ross, 2018, p. 25). This means that all parts of the company pose some risk, small or big. The important part is to ensure funds are spent on protecting level one and level two activities, those that affect the organization and business process assets that, if threatened, could be critical.
My plan as a CISO is based on protecting a basic small business. For a larger company with a bigger budget, it would be better to keep IT and cybersecurity as two separate roles, especially if the company is a cyber, technology, or data-based company. Companies big and small increasingly have to rely on IoT devices and technology, so for non-cyber-based companies, having employees trained in basic cybersecurity and maintaining software helps simplify allocating a cybersecurity budget.
References
Federal Trade Commission (n.d.). Cybersecurity Basics. Ftc.gov. https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/basics#:~:text=Train%20all%20staff,their%20access%20to%20the%20network.
Ross, R. (2018). Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy (2nd ed., p. 25). NIST Special Publication 800-37. https://doi.org/10.6028/NIST.SP.800-37r2
Zurier, S. (2016, December 13). 91% Of Cyberattacks Start With A Phishing Email. Darkreading.com. https://www.darkreading.com/endpoint-security/91-of-cyberattacks-start-with-a-phishing-email