A Chief Information Security Officer (CISO) with a limited budget could balance the tradeoff between training and additional cybersecurity technology by allocating at least 75% of the budget to employee training and education. The human factor is one of the biggest threats to cybersecurity. Issues such as insider attacks, password attacks, and phishing attacks can stem from internal behaviors. To mitigate these threats to an organization's network and business with a limited budget, the CISO should prioritize addressing the greatest threat, which is people. To protect any data, the CISO should spend the majority of the budget developing training and processes that enhance employee awareness, while looking to purchase additional cost-effective cybersecurity technology with the remaining funds.
Training and Education
A CISO should allocate the majority of the budget to training and education in order to reduce the human factor in cybersecurity by improving employee behavior and actions. This direction is supported by data from the Verizon Data Breach Investigations Report (2023), which showed that more than 74% of cybersecurity incidents involved a human factor (Amoresano & Yankson, 2023). These attacks were not only external but internal as well, and they included phishing, malware, and password attacks.
No matter how costly or secure an organization believes its network and security to be, it is only as secure as the employees using it. Knowing that breaches can occur as a result of mistakes or the use of weak passwords, it only makes sense for a CISO to focus attention on employees, as they are the weakest part of cybersecurity defenses. This weakness can be addressed by educating employees about cybersecurity best practices so that they are better equipped to recognize and avoid potential threats (Raina MacIntyre et al., 2018). A plan for ongoing education and training for employees is an effective strategy to improve cybersecurity.
Following the NIST Framework could strengthen an organization's cybersecurity program because it brings a requirement for more employee governance and clearer policies that address human factors such as social engineering, poor passwords, and misuse or access issues. Investing in cybersecurity training that teaches employees to recognize phishing, protect credentials, and follow secure data handling policies reduces the chance of successful cyberattacks. Research supports this direction for a CISO. Tambe-Jagtap (2023) determined through research that phishing error rates dropped from 15-20% to 5-10%, and password misuse dropped from 30-40% to 10-15%. Additionally, incident response time dropped from 48-72 hours to 24-36 hours, while user engagement in safety actions increased.
Cybersecurity Technology
The CISO should not ignore cybersecurity technology. The kinds of cyber threats used to attack organizations are constantly changing as technology improves. With the remaining budget, the CISO should look for affordable technology that complements the human factor focus. Tools such as firewalls and monitoring systems can help with the detection of malware and advanced persistent threats.
Conclusion
In conclusion, as cyber threats grow increasingly complex, Chief Information Security Officers face the ongoing challenge of balancing a limited budget between training to reduce the human factor and technologies focused on cybersecurity. Since most cyber threats are caused by human factors, a CISO should allocate at least 75% of the budget to training people and spend the rest on technology. This would give the organization a balanced approach to cybersecurity while focusing on the biggest opportunity to reduce cyberattacks. The decision to provide employee education and training is supported by data.
References
Amoresano, K., & Yankson, B. (2023). Human error: A critical contributing factor to the rise in data breaches: A case study of higher education. Holistica Journal of Business and Public Administration, 14(1), 110-132.
Raina MacIntyre, C., Engells, T. E., Scotch, M., Heslop, D. J., Gumel, A. B., Poste, G., … & Broom, A. (2018). Converging and emerging threats to health security. Environment Systems and Decisions, 38, 198-207.
Tambe-Jagtap, S. N. (2023). Human-centric cybersecurity: Understanding and mitigating the role of human error in cyber incidents. SHIFRA, 2023, 53-59.