Rethinking Cyber Security Budgeting

Imagine cybersecurity managers as the architects and builders of a fire station. Just as firefighters are constantly battling flames, cybersecurity professionals are continuously firefighting against threats and breaches. However, it's not enough to react to fires; successful firefighting requires a well-organized, prepared, and well-trained team equipped with the right tools and knowledge for the fires they expect to face—be it a high-rise inferno or a forest blaze. Similarly, cybersecurity managers must approach their budgeting as if constructing a firehouse, considering the right mix of personnel, threat and malicious actor understanding, training, and continuous exercises. Teams need to balance offensive and defensive capabilities optimized for the specific threats their organization is most likely to encounter with acceptable business risk.

Breaking Away from Historical Budgeting

For decades, cybersecurity teams have often followed a top-down budgeting process—typically adjusting the previous year's budget by a standard percentage—regardless of changing threat landscapes or business needs. This method does little more than perpetuate past decisions and fails to align spending with actual business risks and security necessities. As cyber threats grow in complexity and potential impact, organizations must rethink their defensive and offensive strategy mix and how they budget for these activities.

Using the Cyber Defense Matrix created by Sounil Yu can be a transformative step for cybersecurity teams looking to optimize their strategies beyond the traditional budgeting process. By investing 5-10 minutes to plot their current security tools and processes within this matrix, teams can swiftly identify gaps and overlaps in their defenses without needing an immediate, comprehensive test. This visualization aids in understanding how resources are currently allocated across different domains, such as identification, protection, detection, response, and recovery. This approach encourages a more dynamic and efficient allocation of resources, directly addressing the organization's unique security needs and breaking free from outdated budgeting practices.

The Case for an Evidence-Driven Security and Risk-Aligned Budget

Aligning cybersecurity budgets around evidence-driven security and business risk (and acceptable thresholds) offers a far more strategic approach. By defining what an organization considers acceptable risk, cybersecurity teams can effectively define their strategies and investments to protect against unacceptable risks. This alignment ensures that funds are spent on the most pressing threats and preparing for potential vulnerabilities that could lead to significant business impact.

Examining risk further, teams can assess Cyber Risk = Likelihood x Impact, where Likelihood is composed of Threat x Vulnerability x Value.

Using Advanced Metrics for Informed Budget Making

To move towards risk-aligned budgeting, organizations should employ more sophisticated financial and risk assessment tools:

1. Annual Loss Expectancy (ALE): This calculates the potential loss from cyber incidents within a year, providing a base figure for understanding the financial stakes involved.
2. Return on Security Investment (ROSI): Evaluates the financial effectiveness of specific security investments, helping to justify cybersecurity spending by showing how expenditures will decrease the likelihood and impact of potential losses.
3. Cost-Benefit Analysis (CBA): Offers a broad view by comparing the costs of security investments against the benefits they deliver, ensuring that each dollar spent adds value to the business.
4. Cyber Value-at-Risk (Cyber VaR): This estimates the maximum expected loss from cyber events, providing a worst-case scenario perspective that can help in understanding the most critical vulnerabilities.
5. Threshold of Pain: Determines the financial impact level the organization can tolerate, which is crucial for prioritizing investments in cybersecurity measures.

These metrics provide a clear picture of where the money needs to go and help articulate the necessity and effectiveness of each investment to stakeholders. To calculate the necessary cybersecurity budget, you can integrate the insights using the following formula: 

Budget = ∑(Cost_j + Budget Adjust for VaR_j) for all j where Net Benefits_j >0

The Balance Between Defensive and Offensive Strategies

Rethinking budgeting can be an exercise to rethink your offensive and defensive mix. While defense will always be a cornerstone of cybersecurity, there is growing recognition of the value of offensive strategies, such as penetration testing, red teaming, and proactive threat hunting and emulation. This shift involves a more subtle approach, where offensive methods don't just supplement defense—they can replace less effective controls/tools, optimizing resource allocation and enhancing overall security posture. These techniques help identify, prepare, and mitigate potential threats before attackers can exploit them.

The Case for Offensive Cybersecurity

Offensive cybersecurity involves actively seeking out vulnerabilities and potential threats before malicious actors can exploit them. Organizations can proactively identify and remediate security weaknesses by simulating various attacks, and improving their teams' preparedness. Here are key ways in which offensive strategies can augment or even replace traditional defensive methods:

1. Penetration Testing vs. Continuous Monitoring: Instead of relying solely on continuous security monitoring (i.e., anomalies, malicious files, etc.), offensive testing helps expose monitoring gaps. This proactive approach can uncover exposures that deployed monitoring might miss, providing a more dynamic and responsive security strategy, before any business impact..
2. Red Teaming vs. Intrusion Detection Systems (IDS): Red team exercises emulate real-world attacks on an organization's network to test how well the system can withstand an attack from a skilled hacker. While IDS can alert you to potential breaches, red teaming provides a comprehensive assessment of how those breaches can occur and the potential damage they could cause. This can inform more effective, tailored defensive strategies that are proactive rather than reactive.
3. Bug Bounties vs. Security Audits: Encouraging and rewarding external cybersecurity experts to find and report security flaws can be a cost-effective addition to conducting regular security audits through external firms. Bug bounties leverage the global security community to identify exploits faster and more efficiently, often at a lower cost than traditional audits. However, they can not replace good cyber security best practices, focus, and execution. Also, if you activate a bug bounty program, you must create a public vulnerability disclosure policy. 

Optimizing the Mix for Better Outcomes

To truly benefit from these offensive strategies, organizations need to consider how they can integrate them into their existing security framework to either enhance or replace underperforming/ineffective parts of the cyber architecture. This requires a strategic evaluation of which aspects of their current defense might be outdated or less effective and where offensive strategies could yield a higher return on investment.

1. Outcome-based Evaluation: Shift the focus from traditional metrics like the number of attacks blocked to more dynamic, evidence-driven metrics such as the number of vulnerabilities discovered and fixed. This approach not only helps in quantifying the impact of offensive strategies more accurately but also provides concrete evidence to justify their inclusion in the cybersecurity budget. By measuring what truly matters—tangible outcomes and improvements in security posture—you ensure that the allocated resources are effectively enhancing your defenses.
2. Resource Allocation: By assessing the effectiveness of current defensive tools against the benefits of offensive measures, organizations can reallocate resources in a manner that maximizes their security ROI. For instance, if penetration testing consistently uncovers certain types of vulnerabilities that passive defenses miss, increasing the frequency of these tests while scaling back on less effective defensive tools could be a more efficient use of resources.
3. Training and Skill Development: Investing in training for offensive security skills within the cybersecurity team not only diversifies the capabilities of the team but also enhances their understanding of how attacks are constructed, leading to better defense strategies. Most analysts and organizations highlight the lack of cyber talent in the labor market but not enough discuss the need to train the next generation of cyber defenders.

Balancing the mix of defensive and offensive strategies within the budget is critical. Each organization's balance will differ based on its specific risk profile and industry characteristics. By using the aforementioned metrics, teams can make informed decisions on how much to invest in proactive versus reactive measures.

Encouraging Creativity and Strategic Thinking

Moving away from a traditional budgeting approach allows cybersecurity teams more flexibility to be creative in their strategic planning and focus on what is understood by the business–risk, impact, revenue, and profit. Security teams must explore innovative security solutions that offer better protection and cost-efficiency and move away from the status quo. This can include investing in new technologies, customizing security solutions, or even reallocating resources to areas with higher-risk exposure.

Conclusion

For organizations looking to stay ahead in the digital age, rethinking cybersecurity budgeting is not just beneficial—it's necessary. By adopting a more analytical and risk-aligned approach, organizations can ensure their cybersecurity investments are both strategic and adaptable. Employing metrics like ALE, ROSI, CBA, Cyber VaR, and Threshold of Pain transforms the budgeting process from a routine administrative task into a strategic tool that enhances the organization's security posture. This shift not only addresses the financial aspects of cybersecurity but also supports a broader organizational strategy that views effective cybersecurity as a cornerstone of business success and resilience.

Author Attribution: 

Written by Marc Brown (@marc_r_brown), SCYTHE’s VP of Product & Sales, dynamic leader with diverse executive roles, startup enthusiast, lover of technology, innovation, and all things ‘nerdy’ cool. 

Contributions By: 

• Bryson Bort, SCYTHE Founder/CEO
• Kevin Phillips, Paladin Strategic Advisor and Mantech Chairman of the Board
• Jim Webster, Director of Federal Programs, SCYTHE