How can leaders improve their cybersecurity posture when dealing with budget constraints?

CISO in Software, 3 years ago

It is often tempting to only use COTS and commercially licensed solutions when the need and available solutions from a sales perspective are clear. However, there are many open source solutions and alternatives that can be considered at significantly lower cost. They may not be best in class, but they may be adequate for the primary needs.

Director of Information Security in Energy and Utilities, 3 years ago

Others already provided you with some strategies and approaches to your question.  Before you spend a dollar of your budget or a minute of your staff in the name of security, I would ask these three questions:

1) What is the risk?
2) Is it the biggest risk?
3) Is it the most effective way to address that risk?

Director, Security Operations in Telecommunication, 3 years ago

Even with limited budget, there's much that can be done - start by focusing on the basic blocking and tackling, such as understanding the environment/asset inventory, keeping up with vulnerabilities and patching (this should include some form of scanning, of which there are several tools available at low/no cost), ensuring that you have solid policies in place with a focus on credential protection and system backup and restore.

CIO/CISO in Healthcare and Biotech, 3 years ago

Although you do need to invest in tools and controls to fortify your posture, I would argue a great deal of tools purchased are to mask gaps in end user empowerment and engagement in your posture, as well as gaps in process/policies. You don't need a great deal of monetary investment to shore up these two critical areas.

Asst. Director Information Security in Software, 3 years ago

There is always a price to pay for security. The price is either monetary or in terms of time, effort, and process overhead. The question is, what can you afford? For the most part, significant savings in cost can be achieved by:

1. Tool rationalization, or ensuring that you are getting the maximum from any tool/technology that you are already using by leveraging all the features it has to offer. There have been circumstances where we have leveraged L3 switches and routers with the right configurations as basic firewalls.
2. Implementing stringent processes. A lot of tools are focused on automation and workflows for activities that can be completed with discipline and process rigor (e.g. privilege management can be significantly covered with stringent authorization and approval processes, following the principle of least privilege by design, and regular access reconciliations). To make this scalable, we move to the next point.
3. Tying the accountability for security to critical stakeholders. This helps you scale any manual processes you might have, given that the organization is committed to the security program and the only challenge is the budget. Accountability reviews can be covered by periodic audits.
4. Qualitative risk management and compliance management, as an example, can be done manually as long as there is a structure and a defined framework.

At the end of the day, let us face it, convenience and speed cost money! Quality can be achieved with some rigor in processes. The program leader needs to verify which luxury the company accords to the security program.
