How can leaders improve their cybersecurity posture when dealing with budget constraints?


CIO in Telecommunication, 1,001 - 5,000 employees
Part of the whole cybersecurity strategy is ensuring that you’re a sufficiently difficult target, so any bad actors will look for an easier option. I don't have to be perfect, I just have to be some percentage more difficult to breach than anybody else; then I’m not worth the effort. You can never be perfect. There's always more you could do with security, but you have to balance it against your budget and the other initiatives that you have. You need to make sure you're not the easy target.

I try to take a multitude of perspectives against what I'm doing to see where I might have a weakness. We look at it from a defense in depth perspective: How many layers of protection do we have in place? We look at it from an identity management perspective: How do we know the people that come into our IT systems are the right people, with the right devices, at the expected locations? A resilience perspective could be a third way to look at it: if all that fails, how am I protected in terms of backup/restore for business continuity? Speed is another factor. How quickly could I detect an issue, or potential issue, and then how quickly could I respond?

I'm always trying to search for new perspectives as well: What do other industries do? The financial industry is a huge target for a lot of attacks, so who are the biggest targets and what are they doing to protect themselves? What tools are they using? What's their philosophy? I try to put myself in their shoes and see how that impacts my company, my industry, and how I'm doing things. Benchmarking plays into it a bit, but it's more about seeing the approaches taken by my peers and how theirs differ from mine. Could I do something the same or similar? Could I take that approach and add something more onto it, so I’m ultimately a harder target and not worth the effort?

I think the answer is to focus on the basics first, things that should already be in the budget — system patching and maintenance, backups, encrypting your data, multi-factor authentication for remote and administrative access to systems, and security training and communication with the business to keep the risk top of mind. Then build out your security program from there.
CISO in Software, 201 - 500 employees
There is always a price to pay for Security. The price is either monetary or in terms of time, effort, and process overhead. The question is, what can you afford? For the most part, significant savings in cost can be achieved by:
1. Tool rationalization, or ensuring that you are getting the maximum from any tool/technology that you are already using by leveraging all the features it has to offer. There have been circumstances where we have leveraged L3 switches and routers with the right configurations as basic firewalls.
2. Implementing stringent processes. A lot of tools are focused on automation and workflows for activities that can be completed with discipline and process rigor (e.g. privilege management can be significantly covered with stringent authorization and approval processes, following the principle of least privilege by design, and regular access reconciliations). To make this scalable, we move to the next point:
3. Tying the accountability for security to critical stakeholders. This helps you scale any manual processes you might have, given that the organization is committed to the security program and the only challenge is the budget. Accountability reviews can be covered by periodic audits.
4. Qualitative risk management and compliance management, as examples, can be done manually as long as there is a structure and a defined framework.

At the end of the day, let us face it, convenience and speed cost money! Quality can be achieved with some rigor in processes. The program leader needs to verify which luxury the company accords to the security program.
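One way to carry out the "regular access reconciliations" that point 2 above relies on in place of a privilege-management tool, as an added example and not the poster's own process: it compares an HR roster with an exported account list and flags orphaned accounts, leavers who still have access, privileged accounts held by roles that are not allowed admin rights, and privileged access whose last approval is older than 90 days. The roster, the account export and the ADMIN_ROLES set are constructed assumptions.

```python
# Added example (not from the thread): a periodic access reconciliation, the
# manual control described above. All roster and account data is constructed.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Person:
    user_id: str
    role: str     # job role that decides whether admin rights are allowed
    active: bool  # False once HR marks the person as a leaver

@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    privileged: bool
    last_approved: date  # when a manager last re-approved this access

ADMIN_ROLES = {"sysadmin", "network-engineer"}  # assumption for the example

def reconcile(roster, accounts, as_of, max_age_days=90):
    """Return (account, reason) pairs a reviewer must act on."""
    people = {p.user_id: p for p in roster}
    findings = []
    for acct in accounts:
        person = people.get(acct.user_id)
        if person is None:
            findings.append((acct, "orphaned: no matching HR record"))
        elif not person.active:
            findings.append((acct, "leaver: HR record inactive"))
        else:
            if acct.privileged and person.role not in ADMIN_ROLES:
                findings.append((acct, "least privilege: role does not allow admin"))
            if acct.privileged and (as_of - acct.last_approved).days > max_age_days:
                findings.append((acct, "stale approval: re-approval overdue"))
    return findings

ROSTER = [Person("alice", "sysadmin", True), Person("bob", "analyst", True),
          Person("carol", "analyst", False)]
ACCOUNTS = [Account("alice", "core-router", True, date(2024, 5, 1)),
            Account("bob", "erp", True, date(2024, 3, 1)),
            Account("carol", "erp", False, date(2024, 3, 1)),
            Account("svc-old", "backup", True, date(2023, 1, 1))]

def run_example():
    return reconcile(ROSTER, ACCOUNTS, as_of=date(2024, 6, 1))

if __name__ == "__main__":
    for acct, reason in run_example():
        print(f"{acct.user_id:8} {acct.system:12} {reason}")
```

Each finding maps to one step of the approval process: orphaned and leaver accounts go to removal, and the other two go back to the account owner's manager for re-approval or downgrade.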
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
Although you do need to invest in tools and controls to fortify your posture, I would argue a great deal of tools purchased are to mask gaps in end user empowerment and engagement in your posture, as well as gaps in process/policies. You don't need a great deal of monetary investment to shore up these two critical areas.
Director, Security Operations in Telecommunication, 501 - 1,000 employees
Even with limited budget, there's much that can be done - start by focusing on the basic blocking and tackling, such as understanding the environment/asset inventory, keeping up with vulnerabilities and patching (this should include some form of scanning, of which there are several tools available at low/no cost), ensuring that you have solid policies in place with a focus on credential protection and system backup and restore.
Director of Information Security in Energy and Utilities, 1,001 - 5,000 employees
Others have already provided you with some strategies and approaches to your question. Before you spend a dollar of your budget or a minute of your staff in the name of security, I would ask these three questions:

1) What is the risk?
2) Is it the biggest risk?
3) Is it the most effective way to address that risk?

CISO in Software, 10,001+ employees
It is often tempting to only use COTS and commercially licensed solutions when the need and the available solutions from a sales perspective are clear. However, there are many and numerous open source solutions and alternatives that can be considered at significantly lower cost. They may not be best in class, but they may be adequate to the primary needs.
