Sunday, March 12, 2023

How To Fine Tune Your Cyber Budget In These Uncertain Times



As many of you know, the Silicon Valley Bank in California essentially shut down on Friday, due to its insolvency.  Now the FDIC is taking over so that insured deposits can be paid out in a timely manner, which will hopefully stop the rush to the banks in panic withdrawals. 

The exact reason for the bank’s demise is still being filtered through, but a lot of people are blaming the bank’s heavy investments into the tech and crypto based sectors.

It will make the headlines for sure all of next week.  So, the second largest bank failure in American history should raise a red flag to a lot of the people in the C-Suite, especially the CISO, or the vCISO, whoever is in charge. With the economic headwinds and geopolitical situations still uncertain, the CISO has to keep a close eye on their Cyber budgets and plan for the future.

Although nobody can predict the future with any degree of accuracy, here are some key events to keep in mind to make sure that your budget stays as flexible as possible:

1) The Russian invasion of the Ukraine:

While this happened over a year ago, the conflict still remains, and is getting more entrenched.  At the beginning of the war, there was a lot of fear that there would be major Ransomware attacks here in the United States, especially onto our Critical Infrastructure. Luckily nothing has happened yet, but as the war drags on, anything is possible.  So this is a huge variable that has to be factored into your budget.

2) Uncertainty of the United States markets:

There is no doubt that inflation is on the mind of every American today.  Heck, even I went grocery shopping today, and could not believe how much the costs of basic food items have risen.  Not only this, but the fear of inflation has greatly spooked the financial markets, and this was best exemplified just last week.  With these roller coaster ups and downs, companies are fearful to spend or deploy any cash into budgets, and that even includes hiring people.  Again, this is evident in the layoffs the tech sector has been seeing since the beginning of this year.  While layoffs are never any good for anybody, it is still important to keep in mind that when compared to the 2008 recession, the number of people losing jobs is not nearly as high.  Also, the job numbers still look very strong here in the US, based upon last Friday’s report.  But in the end, nobody knows what the Fed will do in terms of raising rates, so this is something that you will have to keep a close eye on as well.

3) The Data Privacy landscape:

When the COVID-19 pandemic was at its climax, data privacy regulators backed off from conducting audits and imposing any kind of financial penalties.  But now that the pandemic is more or less behind us, this is going to ramp up again to even greater degrees, as companies make even greater strides to move to the Cloud.  So, money will have to be spent in making sure that all of your controls are in place and are totally optimized.  To many CISOs this might seem like a sheer waste of time and money, but some money spent now will help you avoid that audit and paying 10x more in financial penalties.

4) Security training:

This is a component of your Cyber budget that you cannot let go.  Employees will need to be trained on a regular basis, and of course this is going to cost some money.  As a CISO, be on the lookout for developing more effective means of training.  You can always outsource this particular function to a reputable Cyber vendor that specializes in this.  This can help you save some money in the end.

5) Investments in new security technology:

This is an area that, as a CISO, you need to think twice about.  For example, I have written a lot in the past that it is always better to do with less than with more.  There are two reasons for this:  a) With more technologies in place, you will only expand the attack surface for the Cyberattacker, and b) Having more tools will simply mean that your IT Security team will have more log files to filter through, which further leads to a phenomenon known as “Alert Fatigue”.  My thinking here is that if you can conduct a Risk Assessment, and from there take stock of what you have, you can possibly rearrange things so that you create a more efficient and effective means of beefing up your lines of defense.  The bottom line is this:  You are far better off deploying three firewalls than ten firewalls, as long as they are strategically placed.

My Thoughts On This:

In my view, the uncertainty of inflation and the geopolitical situations will remain with us for a long time to come.  Therefore, it is important for you, the CISO, to plan properly and accordingly.  But remember that you do not have to be alone in this process.  If possible, try to get an advisory board to work with you and to provide a second opinion.

One of the primary benefits of this is that if you need an infusion into your Cyber budget, you will have a group of well-seasoned executives to back you up not only in front of your CEO, but the Board of Directors as well.
