Cyber Security on a Budget

As the Chief Information Security Officer, my job is to keep all of our systems and data safe from threats. There are two things that I think are most important in a company: first, the technology, and second, the training. I would start by looking at the risks of the company and identifying the riskiest issue. For example, a lot of employees might use weak passwords, or the company might use technology to store high-risk data; if that information got out, it could be a problem. Since I have limited funds, I would choose to spend them equally on technology and training. I personally would choose to invest in antivirus software, firewalls, and multi-factor authentication programs. This would make it harder to steal the information, and multi-factor authentication would help in the case that a password gets stolen, because the hacker can’t access the account without the second method. This means that unless they had the device or something else that contained the MFA method, they wouldn’t be able to get into everything.

When it comes to training, I would put money into training the employees to help lessen the likelihood that they fall for common scams. By doing this, the employees would know what suspicious emails or links look like. They would learn that links are often slightly misspelled, and that if an email seems too good to be true, it’s probably a scam; an example would be a brand new MacBook costing $200 instead of $700 or more, which is unrealistic and almost guaranteed to be a scam. Another sign would be receiving an email that they didn’t expect and that was completely random, in which case it’s not likely to be legitimate. Even the most extensive technology cannot prevent every single attack, which is unfortunate. Having trained employees will lessen the risks, but even then, it won’t fully stop them. Since I don’t have a large budget, I would prioritize the higher-risk employee areas. For example, someone in finance would handle a lot of clients’ personal information and would need more training, because that information can cause a big problem if it’s stolen. While nobody’s information should be accessed without correct authorization, if any information had to get stolen, it should be the less important data that won’t ruin someone’s life. (Khadka, Kalam, and Abu Barkat Ullah. “Human Factors in Cybersecurity: An Interdisciplinary Review and Framework Proposal – International Journal of Information Security.” SpringerLink, Springer Berlin Heidelberg, 29 Apr. 2025, link.springer.com/article/10.1007/s10207-025-01032-0.)

In conclusion, as a CISO with very limited funds, I would balance how I spend my money. I would invest in strong security tools and employee training to both protect the computer system and reduce the risk of errors. I would make sure to use cost-effective methods and also measure the results to confirm that my methods are working. Cybersecurity has two components: the technology and the person who uses it. This way I can get the best protection possible with the money that I have and keep the company safe from cyberthreats.