How to Decide What to Spend On
On average, organizations spend 5 to 6% of their overall IT budget on cybersecurity. According to Gartner, worldwide enterprise security spending was forecast to grow 8 percent to a total of $96.3 billion in 2018.
A good starting point is to analyze:
- What are you trying to protect?
- Why are you trying to protect it?
- What is your current cybersecurity posture?
- Which investments will help you achieve your goals and objectives?
- How are you going to measure the effectiveness of your security strategy?
Answering these questions will help you find out which security investments you absolutely need to make, which ones you don't, and what you want to focus on going forward. In response to the growing number of cyberthreats, organizations are spending more on security initiatives than ever before.
The Challenge
Now the challenge: you have made the investment and spent hundreds of millions of dollars on state-of-the-art technology. But is your workforce ready to implement the solution?
Shockingly enough, this is where most organizations fail.
Spending millions on security technology can certainly make an executive feel safer. But the major sources of cyber threats aren't technological; they are human: error and malicious activity. This human threat is present in every organization, and it is every bit as damaging as a technical intrusion; more often than not, it is what opens the door to one.
So to solve your cyber threat problem, you not only have to purchase technology but also invest in the cyber workforce readiness of your employees, who are really your first and last line of defense. Shockingly enough, the leadership of one out of every three organizations is lethargic about security, which amplifies the consequences of a breach. As I mentioned in my previous session, the breaches Yahoo disclosed in 2016 and its fumbling response cost its shareholders $350M, the amount Verizon cut from its acquisition price.
Therefore, organizations need to balance their investment in technology with investment in training their people on that technology. This enables employees to be agile: to prevent threats where they can and to react quickly to the ones they cannot. In my opinion, a skeptical CTO, CIO or CISO should push back on any cybersecurity strategy that does not include a cyber readiness plan, one that makes employees risk-agile enough to serve as the first line of cyber defense.
I say that because cybersecurity training on the deployed technology is under-capitalized. Investment in quality training, both in technical skills for security staff and in end-user skills for everyone else, is an afterthought: ignored or poorly funded. That neglect manifests itself in breaches that are, at root, the product of human error and failure.
Let's quickly examine one case pertaining to cybersecurity readiness:
Case Study A
Customer Profile: Banking and Financial Services
Products: Cisco ISE, Cisco AMP for Endpoints, and Cisco Umbrella
Investment: 1 million+
Goals:
- Reduce cyber-attacks and cyber-attack impact
- Deploy stringent security policies
- Achieve complete visibility and control of network
- Increase efficiency by automation
Results:
- Network access fully controlled: policy enforced for employee, guest, and temporary access
- Reduced time to resolve issues
- Real time control of all user access
- Increased credibility and confidence with customers
Readiness training approach:
- Personalize the learning experience
- Enable people to share their learning experience
- Enable people to learn through multiple modalities
- Provide mentoring
- Provide virtual instructor-led training
- Provide analytics
How to Implement a Quality Cyber Security Readiness Training Plan
To be clear, technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver.
Measure Effectiveness
One in three companies invests in cybersecurity technologies without any way to measure effectiveness, and two out of three don't fully measure whether their disaster recovery will work as planned. That leaves the last of the questions above, how you will measure the effectiveness of your security strategy, unanswered; define the metrics before the money is spent, not after.