BLUF
The scenario that was given is that we are the CISO of a company and must budget for cyber security training and technology. The first questions that came to mind were: what type of training should we do, how often should we do it, what type of technology is needed to monitor the network, and how much money should be devoted to training on new and out-of-the-box types of cyber security technology. We will go through how training needs to be conducted in a company and what type of technology is needed in cyber security.
Training
The most important thing in cyber security is educating end users on how not to become an insider threat to their own organization. Most cyber security attacks or violations against businesses are committed by an insider, and usually not on purpose, but an incident caused by an employee is still a major problem. All employees must be trained in cyber security, including those in the executive suite; when the higher-ups are seen practicing what they preach, the rest of the employees will follow. Official training should be held at least once a year for all employees. Training staff and developing a cyber security policy is a long and slow process: regular reviews and audits must be conducted, all business teams need to be included, such as finance and human resources, and there need to be enough people on the cyber team to enforce the rules and policies they put into place. The largest share of the budget should be spent on training and informing employees about the types of cyber threats and how to prevent them.
Technology
The cyber security technology that can be put into place for protection is two-factor authentication and a network intrusion prevention system (IPS), which is a better option than an IDS because an IDS only alerts that something is wrong while an IPS actively tries to stop it. The money allocated to this should be the second-largest item in the budget. Both of these are very much needed if there are remote workers or employees traveling to foreign countries on business.
Conclusion
More money should be spent on training the employees of the organization. The computer knows to hash passwords, and the computer knows that data needs to be encrypted and then decrypted, but if the end user is willing to give out information to anyone whose email address looks a bit like the CEO's, that comes down to a lack of training. Training will cause the policies that are put in place to become normal and second nature to the employees.