How To Maximize A Cybersecurity Budget In The Face Of Increasing Threats

Forbes Technology Council

Reuven Aronashvili is the founder and CEO of CYE.

As 2022 begins, many companies are making a fresh start with a new budget, including for cybersecurity. But with the growing number of cyberattacks and their increasingly complex nature, especially when it comes to supply chain attacks and ransomware, even those companies whose cybersecurity budgets have gone up for 2022 need to maximize their given budget to ensure it lasts all year and improves their security.

It is important to remember that the ultimate goal is not simply to buy more tools to chase the growing number of vulnerabilities that experts find every day. Cybersecurity should instead focus on protecting the assets that are most relevant to vital business operations and on limiting the fallout of attacks on them. There will always be some risk; here is how to best manage that and stay within a budget.

Take a comprehensive view.

Effective cybersecurity relies on a combination of human talent, work processes and the right tools. When companies spend the money approved for a certain cybersecurity project, they should make sure to consider all three of these aspects. If the team lacks the proper skills to use or manage new technology tools to uncover vulnerabilities or prevent attacks, the investment in those new tools will not pay off, meaning they are not an effective or worthwhile use of any budget. At the same time, hiring new people for a cybersecurity team should only be done after taking stock of how they will affect both the process of securing assets and the use of any technological tools.

Considering talent, processes and tools simultaneously when spending allocated budget money on each project will also allow for organic growth of an organization's cybersecurity department and its effectiveness. Such steady growth and improvement in performance will likely lead to higher cybersecurity budget allocations in the future, which will be essential to keeping up with new threats and types of attacks.

Think from an attacker’s perspective.

To make the best use of their budgets, companies need to understand what inside their networks and data is most attractive and vulnerable to attackers. They need to understand, for example, whether hackers are likely to take advantage of their digital connections to customers or suppliers, who are ultimately higher-value targets, in what are known as supply-chain attacks, like the far-reaching hack involving SolarWinds in 2020. Or a company’s ownership of sensitive or valuable consumer data may make it susceptible to ransomware attacks, which have also been rising sharply.

In addition, companies need to evaluate what kinds of attackers are likely to target them. They need to ask themselves if their digital assets or connections are more vulnerable to state-backed actors, criminal actors seeking ransom money or those with domestic political motivations. A full understanding of what assets are most appealing – and to what types of attackers – will allow a company to use its budget to protect certain types of assets and certain avenues of attack and will allow it to hire a team with the appropriate experience. For example, if a company concludes it is indeed attractive to state-level actors, it should make sure that money earmarked for new cybersecurity hires is spent on professionals with a background in military or government organizations, because this will mean they better understand the threats and attack modes of state-level actors. Understanding what is likely to motivate attackers will allow companies to maximize their approved budgets to protect the most relevant assets, rather than throwing money at general cybersecurity.

Consider the importance of an adaptable team and resources.

Because cyber threats are always changing, cybersecurity professionals need to have an adaptive mindset and be ready to change their methods, tactics and tools of operation. This means that departments should reevaluate each quarter how they are spending their budget.

This reevaluation should not just revolve around threats, but also how they affect the material nature of the business. Obviously, a business should prioritize protecting its most valuable assets and address threats related to those. As threats evolve, companies need to ask themselves not what new tools they need to buy, but what part of their business is most susceptible to new threats and how they can shift resources from one area to another.

Research firm Gartner Inc. estimates that cybersecurity spending in 2021 totaled about $150 billion, up more than 12% from 2020. Spending in 2022 is likely to continue to grow rapidly, as the number of threats, as well as cybersecurity solutions and their costs, increase. There is no doubt that new technological solutions, especially those incorporating AI and machine learning, are an important part of the picture. But without looking at the big picture, including a business’ assets, how a cybersecurity team’s talent complements various cybersecurity technology and solutions and which types of attackers would likely target them, companies can easily fall into the trap of spending all their allocated money and still not actually improving their security.

