All security budgets have limits. CSOs and other security practitioners have to continually make difficult decisions on how much risk is acceptable, which risks to mitigate, and which to accept.
Jayson O’Reilly, director of sales and innovation at DRS, says because companies can only afford to spend so much on security, they need to figure out how best to keep their risk to an acceptable level, and how to spend the budget sensibly. “In order to make the correct choices and present them to the executive team, you need to have a really solid understanding of the impact of a breach, the risks involved and of course a good knowledge of what products, tools and services are available.”
He says the first step is measuring the impact. “This is why security and business need to work closely together. If you cannot measure risk in a way that is closely aligned with the business, then the way you handle risks will not be aligned either. It is vital to understand what impact these risks might have on the business, and how to invest in security around these risks and potential impacts. In order to fully understand the impact, it is important to know which assets will be affected by the risk should it be realised, how extensively the assets will be affected and what the true business value of the impacted assets actually is. Remember, these assets will be made up of both information assets and infrastructure assets, and both must be factored in.”
Should the worst come to the worst, the true impact on the business is the combination of the cost of exposure and the revenue lost while remedies and fixes are applied, including revenue lost because a particular asset is unavailable for a time. Remember, says O’Reilly, that value, risk and cost must be worked out in actual money, as this helps align security initiatives with business objectives.
He says the next step is working out the cost of risks to the most crucial business assets, the ones that affect productivity and the bottom line most severely. “Take a look at the specific controls that your company has implemented to help lessen the effects of the risk, in comparison to the controls that you’ve decided you need to mitigate them. Create a ratio of existing controls and those you have determined are still needed. These need to be specific controls that address specific risks, not a ‘mud against the wall’ approach to all security measures.”
He says once you have formalised what risks cost in actual money terms, prioritising where security budgets need to be focussed becomes far easier. “Risks can be prioritised according to the highest monetary value, or highest impact. Ultimately, you need to make the most of what you’ve got. If your budget isn’t going to cover everything, you need to make sure the essentials are prioritised and the most important risks covered.”
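As an added worked example (not O’Reilly’s or DRS’s method, and not code from the original article), the Python below puts the steps above into code: each risk is costed in money as the cost of exposure plus revenue lost over the expected downtime, ranked by expected annual loss, and tagged with its ratio of existing to needed controls; a fixed budget is then spent on the specific controls that avoid the most expected loss per unit of budget. The asset figures, annual likelihoods, control counts and reduction fractions are constructed for illustration, and both the likelihood weighting and the greedy per-unit-of-budget allocation are assumptions beyond what the article states.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    """One risk to one business asset, costed in money as the article recommends."""
    name: str
    asset: str
    exposure_cost: float      # direct cost if realised: clean-up, notification, fines
    hourly_revenue: float     # revenue the asset earns per hour while available
    downtime_hours: float     # expected hours unavailable while fixes are applied
    annual_likelihood: float  # assumed yearly probability of the risk being realised
    controls_needed: int      # controls you have decided are required for this risk
    controls_in_place: int    # of those, how many already exist

    def impact(self) -> float:
        """Cost of exposure plus revenue lost during the outage."""
        return self.exposure_cost + self.hourly_revenue * self.downtime_hours

    def expected_annual_loss(self) -> float:
        """Impact weighted by likelihood (assumption), so risks rank in money terms."""
        return self.impact() * self.annual_likelihood

    def control_coverage(self) -> float:
        """Ratio of existing controls to controls determined to be needed (1.0 = covered)."""
        if self.controls_needed == 0:
            return 1.0
        return self.controls_in_place / self.controls_needed


@dataclass
class Mitigation:
    """A specific control addressing a specific risk, not a 'mud against the wall' measure."""
    name: str
    risk: str         # Risk.name it addresses
    cost: float       # price of implementing it within this budget cycle
    reduction: float  # assumed fraction of the risk's expected loss it removes


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest expected monetary loss first."""
    return sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)


def allocate(risks: list[Risk], mitigations: list[Mitigation], budget: float):
    """Greedy allocation (assumption): buy the controls that avoid the most expected
    loss per unit of budget until the budget runs out.
    Returns (chosen control names, money spent, expected annual loss avoided)."""
    by_name = {r.name: r for r in risks}

    def avoided(m: Mitigation) -> float:
        return by_name[m.risk].expected_annual_loss() * m.reduction

    chosen, spent, total_avoided = [], 0.0, 0.0
    for m in sorted(mitigations, key=lambda m: avoided(m) / m.cost, reverse=True):
        if spent + m.cost <= budget:
            chosen.append(m.name)
            spent += m.cost
            total_avoided += avoided(m)
    return chosen, spent, total_avoided


# Constructed sample data: figures are illustrative, not from any real assessment.
RISKS = [
    Risk("Customer database breach", "customer DB", 250_000, 5_000, 48, 0.2, 5, 2),
    Risk("Web shop outage", "web shop", 10_000, 8_000, 12, 0.5, 3, 1),
    Risk("Laptop theft", "staff laptops", 20_000, 0, 0, 0.3, 2, 2),
]
MITIGATIONS = [
    Mitigation("Database encryption and key management", "Customer database breach", 40_000, 0.5),
    Mitigation("Privileged access monitoring", "Customer database breach", 60_000, 0.3),
    Mitigation("DDoS scrubbing service", "Web shop outage", 30_000, 0.7),
    Mitigation("Full-disk encryption refresh", "Laptop theft", 5_000, 0.8),
]
BUDGET = 80_000


if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(f"{r.name:28} impact={r.impact():>9,.0f} "
              f"expected loss/yr={r.expected_annual_loss():>8,.0f} "
              f"control coverage={r.control_coverage():.0%}")
    chosen, spent, avoided = allocate(RISKS, MITIGATIONS, BUDGET)
    print(f"\nBuy: {chosen}\nSpent {spent:,.0f} of {BUDGET:,.0f}, "
          f"avoiding {avoided:,.0f} expected annual loss")
```

With the constructed figures the database breach ranks first (impact 490,000, expected loss 98,000 a year, 40% of needed controls in place), and the allocation buys DDoS scrubbing, database encryption and the disk-encryption refresh for 75,000 of the 80,000 budget; privileged access monitoring, which avoids the least loss per unit of cost, no longer fits and is carried to the next cycle. The coverage ratio is reported rather than used for ranking, since the article presents it as a gap measure alongside monetary impact.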
O’Reilly says that no company can hope to protect against each and every risk. “Pursuing all threats will be impossible, and could even leave your organisation vulnerable to potentially catastrophic breaches. You need to protect your most valuable information, and as far as possible, prevent attackers from coming in. Don’t ignore the less impactful risks, but prioritising will help you make the most of the budget you have.”