6 Steps to Make Every Dollar Spent on Your Cybersecurity Program Count

Friday, May 21, 2021

BY: J.R. Cunningham - Chief Security Officer

“No organization has the security budget to be good at everything. A security program should show you where to spend and why, and track your security maturity and compliance in real time.”

-Team Nuspire


  1. Facing the Facts 
  2. Persistent Challenges 
  3. What You Need  
  4. Industry Matters 
  5. Modernizing Security Programs  
  6. Outcomes 

1 – Facing the Facts 

Security programs are stuck in the past. Aging frameworks like NIST, HIPAA, FISMA and PCI provide boxes to check, but compliance doesn’t equal security. No organization can be good at hundreds of “things to do” or afford to do all of them.  

In addition, resources are scarce and budgets are limited (and scary stories no longer work to get more money). What works for one industry doesn’t work for another – consider the extremely different needs of manufacturers and healthcare organizations. 

No matter how much an organization spends on security, it seems like the bad actors are one step ahead. Ask five vendors what to do, and you’ll likely get five different answers. Many organizations continue buying technology in hopes of increasing protection. Showing return on investment, however, is nearly impossible.

A sobering fact? A security program doesn’t exist that makes you more secure, takes into account your current defenses, identifies the threats most likely to attack your industry, and respects your budget. Until now. 


2 – Persistent Challenges 

The old approach to security programs isn’t working. We continue to hear familiar concerns and requirements:  

  • I need help prioritizing security investments. 
  • Traditional assessments don’t work for us. 
  • I don’t want a checklist of 200+ things to do. 
  • I have to justify security projects to executives and the board. 
  • I don’t have a way to track maturity progress easily. 
  • I’d like to know what my industry peers are doing in this area. 
  • I’d like to talk to someone who has “been there, done that.” 
  • I want to be compliant and secure. 
  • I need visibility of my entire security program. 


How does the old approach hold organizations back and limit security outcomes?  

    1 – Prescriptive frameworks  

    Every item seems to be equally important as you work your way through a list – No. 1, No. 2, No. 3 and so on – with no clear links to improving security. 

    2 – More is better  

    The notion of strengthening security “everywhere” to achieve high maturity in many or all areas – check, please! – is compelling but not realistic or necessary.  

    3 – Lack of clarity regarding new attack surfaces 

    Old frameworks don’t speak well, or at all, to cloud, mobile and digital transformation. No wonder spending decisions are difficult.  

    4 – Insufficient knowledge 

    Decision-makers are on a slippery slope without coordinated insights into security maturity, industry-relevant threats, and current defenses. 

    5 – Inadequate visibility 

    Technology overload compounds complexity and strains resources. There’s no way to pull it all together in one place, so you have to piece information together manually. 

    6 – Lack of trustworthy, reliable advice 

    Changing business conditions and industry nuances call for more than static assessments, generic recommendations or vendor lock-in.  


3 – What You Need 

The right vision can jumpstart a journey from old to new thinking about security programs. Start with what you need. 

Need to Know – to spend security dollars most effectively 

  • Gaps and overlaps in your current security program. 
  • Which specific areas of your program need to be strengthened to protect critical data. 

Need to Learn – about the adversaries active in your industry 

  • The biggest threat to your industry and which tactics are being used. 
  • Which threat actors. 
  • Which tactics, techniques and procedures (TTPs). 
  • Industry trends and emerging relevant threats. 

Need to Show – to justify future security initiatives 

  • A blueprint for maturing your cybersecurity program. 
  • A way to demonstrate and document performance over time. 
  • Industry-specific threat intelligence to prioritize spending and level of effort. 

Need to Go – to strategic incremental improvements 

  • Recognize that legacy frameworks and tools are limiting. 
  • Become threat aware, risk-centric and adaptable. 
  • Control your destiny – know where you are and where you want to go. 


4 – Industry Matters 

An industry-specific focus identifies high-priority security requirements, relieving the pressure and cost of “secure everything” thinking. When industry factors play a strong role in your program, you can speed up your maturity journey. 

For each industry, the table below lists key threats, examples of key security controls, and examples of recommendations.

Healthcare 
  • Key threats: Ransomware, personal health information (PHI) compromise. 
  • Key security control examples: Network segmentation, bio-medical device security, vulnerability scanning. 
  • Recommendation examples: Data governance policy, PHI encryption, network access control policy. 

Retail/Hospitality 
  • Key threats: Ransomware, credit card breach. 
  • Key security control examples: Endpoint (point of sale) security, tokenization, encryption, dark web monitoring. 
  • Recommendation examples: CDE encryption standards, vulnerability management policy and exception tracking worksheet, OWASP standards for developers. 

Manufacturing 
  • Key threats: Loss of intellectual property, factory floor availability. 
  • Key security control examples: Industrial control systems security, behavioral analytics for robotic devices, third-party identity management. 
  • Recommendation examples: Contractor and third-party access policy, ICS/IoT scanning/passive discovery architecture, change control standards. 

Financial Services 
  • Key threats: Website spoofing, phishing. 
  • Key security control examples: Cloud security posture management, SIEM, behavioral analytics, vulnerability management. 
  • Recommendation examples: Onboarding/offboarding identity policy, cloud security configuration standards, cyber risk register templates. 


5 – Modernizing Security Programs  

The new way of thinking about security programs hinges on organization-wide visibility and control and real-time information. Modern programs reflect all of the “what you need” points and incorporate industry-standard, well-known controls. Imagine being able to measure maturity on a scale of 1 to 5 and understand clearly which areas need to be a 4 or 5 and which, at 2 or 3, pose an acceptable risk. This is a progressive, sensible way to make decisions.  

What makes a modern security program better and different? 

  • Program creation. Facilitates the design and build of customized security programs step by step with specific, actionable recommendations. 
  • Access. Enables you to view and manage your entire security program through a single pane of glass. 
  • Basics first. Highlights which controls are essential to satisfy your compliance and security objectives and which can be next level.  
  • Technology agnostic. Filters out technology noise by identifying what you don’t need anymore and what you need to fill gaps.
  • Adaptability. Absorbs new controls and maps them to new or changing organizational and industry standards.  
  • Flexibility. Gives you the ability to dial up or dial down controls in particular areas. 
  • ROI based. Allows you to make the best use of money, time, and people considering program gaps, industry requirements, risk profile, and goals. 

6 – Outcomes 

Change can be hard, whether it affects habits, thinking or behavior. We also know that security programs can’t go on as they are. To recap, these are the benefits of letting go of the past. 

  • Improve Security Spend
    Invest dollars where they matter most based on industry-specific factors, technology need, and level of effort.
  • Avoid Security Pitfalls
    Know which projects to avoid because they are expensive and destined to fail in certain environments.
  • Prove Security Maturity
    Track and show maturity progress over time – against well-known industry standards – to help justify security spending.
  • Maintain Visibility
    Unify, integrate and automate your security program in a single dashboard.
  • Lower Risk Exposure
    Take advantage of threat modeling to look at systems differently, home in on high-priority threats, and fortify defenses to protect your most valuable assets.
  • Keep Up
    Adapt quickly to new business initiatives, industry trends, and the changing cyber landscape. 


Are you ready to make every cybersecurity dollar count? Start with your security program.