Budgetary Risk Management in Cybersecurity: What Do I Care About Today?

The problem with maintaining a blog is that sometimes you feel forced to “just post something” to keep your readers coming back. There are times when you haven’t put anything out in a while and every time you log into your dashboard and see the date of your last post, it is like that section of the screen is blinking at you, judging you for your laziness in a way that none of your readers do. This is especially the case when you don’t necessarily have that many regular readers or the ones you have aren’t committed enough to take it to a level quite so personal. After all, we are all simply a pair of eyeballs on the other end of the line. I’ve digressed, but my main point is that the obligation associated with blogs sometimes makes us either write something far from profound or otherwise embarrassing. This is not one of those posts.


I have been bouncing an idea around my brain matter for over a month, trying to make some sort of sense of it before cementing it into the form of written word. This post and its associated idea are focused on risk management, especially in a time when budgetary constraints limit the amount of cybersecurity resources that an organization can commit. I have juggled quite a few creative names for this concept, but finally settled on Budgetary Risk Management.

You may have read my post about using the Business Impact Analysis to prioritize resources for addressing cybersecurity. After all, there is no point installing the latest Adobe Acrobat Reader patches on a broken laptop that is sitting on a shelf in the basement of your office building, with the sole purpose of “remaining compliant”. The question that I used to explain my train of thought in that post was “What do I actually care about?” I wanted to get the point across that we already use a tool to figure out the most important business processes and assets (or we should) for business continuity and disaster recovery – why not use it to focus our risk mitigation efforts on the areas that actually impact the organization?

I won’t tell you where I work, even though a simple search on LinkedIn would likely give that secret away. In any case, I have had my fair share of experience in being part of an organization that focuses on its budget. Certainly I am not the only person in this category, since any successful organization is run with a business mindset at the top. The problem is that there is such a focus on compliance that we forget about security. We try to fit each and every person, process, file, and system into “buckets” in an effort to make them more manageable. If you’ve worked in this field for long enough, you should know what I am talking about.

Instead of having different buckets for types of assets, data, people, etc., why not associate them with levels of priority, based on mission? I want to expand on my BIA post to something much more real-time. If I am correct, the purpose behind daily or weekly business meetings is to lay out the “big rocks” that are the most important projects or programs for the team, department, or organization at that time. Why can’t we use that prioritization to focus resources for security? If I work cybersecurity for Apple and a new iPad is being released this week, why wouldn’t I put all my people onto protecting the key business processes associated with that effort? In other words, it might be the best idea to ask ourselves: 

“What do I care about TODAY?”

Instead, we have them running vulnerability scans, creating reports, and reading security policy during mandatory awareness courses. I won’t say that those things aren’t important, but budgetary constraints require that we put our money, resources, and people where they actually matter at that moment.

I have tools in mind that would encompass all this, but I might be able to make a buck off this idea someday so I will let that lie.

In any case, what do you guys think? I believe it is our responsibility as cybersecurity professionals to do the best we can to protect our data, information processes, privacy, people, etc. In order to be successful, we need to make sure we are moving the chess pieces to the area of the board where they are most needed. As always, I want to solicit thoughts on this idea. If you have anything to add, please feel free to use the “comments” section below. The best information protection efforts and the advancement of the cybersecurity field are achieved through collaboration between like-minded people. Thank you for visiting!

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.