{"id":295,"date":"2025-11-09T17:47:42","date_gmt":"2025-11-09T17:47:42","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/justinbarfield\/?p=295"},"modified":"2025-11-09T17:47:42","modified_gmt":"2025-11-09T17:47:42","slug":"ciso-writeup","status":"publish","type":"post","link":"https:\/\/sites.wp.odu.edu\/justinbarfield\/2025\/11\/09\/ciso-writeup\/","title":{"rendered":"CISO Writeup"},"content":{"rendered":"\n
\n

Justin Barfield-Smith<\/p>\n\n\n\n

Chief Information Security Officer<\/p>\n\n\n\n

Ctrl Alt Defend<\/p>\n<\/div>\n\n\n\n

Bottom Line Up Front: Given a constrained budget, it seems the most effective cybersecurity strategy is a balanced investment: approximately 60% in human-factor training and awareness initiatives, and 40% in targeted technological controls. This allocation recognizes that human error remains the predominant contributor to cyber incidents, yet effective technology remains essential to contain threats that human awareness alone cannot prevent.<\/p>\n\n\n\n

Introduction<\/strong><\/p>\n\n\n\n

In today\u2019s cyber threat environment, the human element plays a pivotal role in both incident causation and prevention. As CISO, I must determine how best to allocate finite resources between training the workforce and deploying cybersecurity technologies. Given research showing that employee behavior often triggers attacks (e.g., through phishing, credential misuse, inadvertent disclosures), organizations must invest in both human and technical defenses. Yet budget constraints demand prioritization and a strategy that maximizes risk reduction per dollar spent.<\/p>\n\n\n\n

Understanding the Human Factor in Cybersecurity<\/strong><\/p>\n\n\n\n

Human behavior remains a primary attack vector. Studies show that many breaches begin with an employee\u2019s mistake: clicking a malicious link, using weak credentials or passwords, or misconfiguring a device (Threatscape.com). For example, cognitive biases (such as overconfidence or urgency in decision-making) are exploited by adversaries to bypass technological controls (PMC). Further, training programs that are generic or compliance-driven often fail to translate into behavioral change: \u201cone size fits all\u201d awareness efforts do not sufficiently tailor to the roles and risk profiles of staff (Threatscape.com). Therefore, human risk must be addressed deliberately and systematically.<\/p>\n\n\n\n

Technology\u2019s Role and Its Limitations<\/strong><\/p>\n\n\n\n

On the technological side, tools such as phishing simulators, security information and event management (SIEM), endpoint detection & response (EDR), multi-factor authentication (MFA), and network segmentation are vital. These controls help reduce the \u201cattack surface,\u201d detect anomalies, and limit the fallout from successful attacks. But technology alone is not a panacea. Because adversaries increasingly exploit human rather than purely technical vulnerabilities, technology without human awareness can leave gaps (200T Mod 06). Moreover, expensive tools with low adoption or poor alignment to organizational context may deliver diminishing returns. Therefore, technology must be selected carefully and integrated with human processes.<\/p>\n\n\n\n

Proposed Budget Allocation Strategy<\/strong><\/p>\n\n\n\n