Write-Up: The Human Factor in Cybersecurity


BLUF
Our company needs to decide how its cybersecurity budget is split between human resources (training and awareness) and technology (security tooling). That split should be driven by a risk assessment, and the recommendation below is a roughly balanced allocation: 35-50% to people and 50-65% to technology.


Intro
Both human behavior and technical controls play essential roles in reducing risk, so the budget should be allocated as deliberately as possible rather than by habit or by vendor pitch. The first task is a risk assessment: identify the most common and most damaging attack vectors facing the company, and the existing weaknesses in people, processes, and technology. That assessment directs spending to where it eliminates the most risk per dollar, keeps the budget within its limits, and shows where compliance and regulatory requirements constrain the choices. Every purchase or training program should be traceable back to a risk it reduces.


Human Resources
Human error accounts for a large share of the security failures inside a company, and a majority of breaches involve a human element somewhere in the chain. People are a critical layer of defense, but it is irresponsible to rely on people alone. Expensive antivirus and analysis tools often fail not because of the tools themselves but because the employees who operate them misconfigure, ignore, or bypass them. This is why 35-50% of the budget should go to human resources. Investments would include role-specific training for high-risk groups such as finance, training for executives and the board, and a security-first culture reinforced through regular communication and incentives. Training is cost-effective and scales well: a well-trained workforce reduces the likelihood of a successful attack, lowers exposure to social engineering, and makes insider threats easier to notice and report. Training is also less expensive than it appears. A single seminar is a low-cost starting point, though it is the regular reinforcement that makes secure behavior stick.


Technology
Technology should be used to its full potential, even if that means allocating the larger share of the budget to it. Employees are a critical layer, but technology is what lets them succeed: strong technical controls minimize the opportunities for mistakes and give the security team the visibility it needs to detect and respond. Technology should take 50-65% of the budget, because security tooling and upgrades cost more than training and awareness programs do. The priority investments should be patch and vulnerability management tools, backup and recovery solutions, and email security filtering. The reason this matters comes down to two sentences: even the best-trained employees will make mistakes, and strong technical controls reduce the blast radius of those mistakes. Email filtering catches much of what an employee would otherwise have to spot, patch management closes the vulnerabilities an attacker would exploit afterward, and backups limit the damage when something does get through. It is important to avoid buying "shiny" technology, that is, tools that look impressive but do not address a risk identified in the assessment.


Conclusion
A balanced budget is essential. Spending everything on technology leaves the workforce without the security awareness to use it properly, and spending everything on people leaves them working without the controls that catch and contain their mistakes. Allocating funds in a roughly even split, weighted slightly toward technology, creates a stronger and more resilient security posture than investing heavily in one area and neglecting the other.
