Let’s face it, for most of us, budgeting is not our favorite task. We have selected this role because of other strengths. The accountant down the hall is the one who enjoys projections and number crunching, not us. Regardless, this must be done and there are plenty of variables and challenges to think about and address while doing it.
Each of our respected institutions run and operate differently. For all of us, however, cybersecurity is an area that must be addressed. While budgeting, it can be difficult to express the importance of increasing investments toward an area that won’t show executives direct monetary returns. As we all know, our information security budget only skyrockets after a breach or incident, so how can we efficiently budget what is needed to improve our security posture?
Before we spend a dollar of our budget or an hour of our time on anything in the name of cybersecurity, we should know the answer to these 3 questions:
Where do we stand on this item?
Is our current approach an effective and beneficial fit?
Finally, what are our top priorities?
Where Do We Stand?
Within cybersecurity, the financial industry has been forced to capably answer this question better than any other area of business. Exams, IT audits, security testing and risk assessments are, or should be, continuously letting us know how well we are keeping up with risk. Based on these requirements, we should understand where improvements can be made. If this is not the case, it means one of two things. We are either extremely proactive and need to evaluate our costs in each area, or we may not have the correct eyes reviewing our process and procedures.
No matter the case, changes and improvements need to be made within our information security program on an ongoing basis. Cybersecurity risks are not remaining stagnant, in fact quite the opposite. To keep up, we must prioritize areas of improvement and budget accordingly.
Is Our Current Approach an Effective and Beneficial Fit?
While cybersecurity issues are relatively new related to other issues surrounding financial institutions, many of us have already become complacent with certain aspects of our information security program. For some institutions, it may be as simple as outdated policies. For others it may be old-fashioned annual employee training regarding social engineering, instead of adopting ongoing training platforms. Reviewing our processes and procedures are not enough. We must understand our vendors along with their cost and benefits and compare them to the evolving options in the marketplace. What is out there may surprise us, both from a cost prospective as well as an efficiency standpoint. Saving time and/or money on current process will allow these resources to be used in advancing other areas and focusing on improvement priorities.
What are Our Top Priorities?
The time is now. Having worked with hundreds of financial institutions, I’ve had the same conversation countless times, “…the board of directors have a high priority on information risk, but I don’t have enough room in the budget for…”. This can be acceptable, but only once our priorities have been achieved and we have reached the progressive level of achievement. High priorities and a low budget likely do not equal efficiency and production. We cannot forecast all the needs that may arise in the future, but we must address the priorities on our radar today.
Communicating with directors about our institutions priorities regarding cybersecurity is the most important first step. When bringing budgetary items for approval, we can then tie our requests back not only to the financial implications, but also to the stance that the institution takes on information security. If we change this conversation from being strictly a matter of budget and resources to a matter of priorities and efficiency, everyone wins.
At Rivial, we enjoy assisting clients through each stage of this process. If you’d like support continuously auditing, monitoring, assessing, and quantifying your current risk; or prioritizing, budgeting or improving weak areas, please use us as a resource and we will help guide you towards efficient data security management.