Finally, when a decision about purchasing a cybersecurity solution or service is made based on this approach, there is a transparent process of approval with higher management. This allows a company to avoid a situation in which one employee in IT security forces a decision to reject the most cost-effective and efficient solution and choose another one instead, simply because, for example, they used to work with that platform in the past.
Of course, the risk assessment process differs from one company to another and it is constantly improving. Nonetheless, three key components – experts, risk evaluation and a transparent decision-making chain – remain essential to help make budget planning more effective and make sure that the company’s investments in IT security are in line with business needs.
almost as many threat models as there are types of business, each with a specific and ever-changing set of risks. As risks always imply a certain level of probability, IT security expertise is becoming a very important part of the risk assessment process. Here, experts – including external ones – are invited to evaluate possibilities and add their input for a better informed decision and to balance the final outcome.
www.intelligentciso.com | Issue 21
Lessons to learn

In simple terms, planning a security budget is similar to how different people approach their car maintenance for next year. As a car owner, I could just roughly estimate the average sum for regular expenses, tyres, tech inspection and other such maintenance. However, as a racing enthusiast, I know I literally need to ‘kick the tyres’ in advance: prepare for the season and make sure I will have enough budget for all car components (such as tyres, brakes, etc.) that get worn out much faster on the track. This second approach is more mature and ultimately saves money. But it also demands expertise, time and dedication. All in all, here are a few considerations when approaching an organisation’s IT security budget:
1. When assessing risks, businesses should look at the threats most relevant to their industry and company size and then plan their budget accordingly. Access to the most up-to-date and tailored threat intelligence reports is invaluable in making this work.
2. It is important to embrace expertise (whether internal, external or a combination of both) to evaluate risks and the potential value of cybersecurity solutions and services. Kaspersky and other vendors offer a variety of training to help organisations improve their level of internal expertise.
3. Outsourcing is often the best choice for organisations that don’t yet have enough internal expertise or risk assessment processes. At this point, having a guaranteed service level agreement (SLA) and moving expenses from CAPEX to OPEX is a way to keep security spending under control.
4. While an industry benchmark alone isn’t enough information to make a budget decision, tools such as the Kaspersky IT Security Calculator can be a good starting point for exploring the threats, measures and numbers that are worth looking into for an organisation of a certain industry, size and region.
When dealing with something as serious as corporate IT security (or racing at high speed) it’s best to take some time to prepare in advance, consult with experts and plan what to expect. Slow and steady wins the race, as the saying goes.