David Baker, vice president of operations at Bugcrowd, believes the best defense is a good offense. "Spending money on an offensive testing strategy is a more efficient strategy from a budget and resource perspective. Organizations should consider starting at the front lines, training staff on appropriate security behavior and even doing some active social engineering testing. Moreover, organizations can train and test technical teams — engineers, developers, and IT — on good platform and configuration security behaviors through continuous proactive testing of applications and systems."
Jakobsson believes one area that can be shored up is email. He said email is the primary channel for 95 percent of cyberattacks. Yet, while many companies have correctly identified targeted email attacks as their primary concern, they are still relying on traditional security technologies such as spam filters, which neither detect nor prevent these types of email attacks.
“As a result, these companies are spending time and money on employee awareness training, which is rarely effective and even reduces business productivity, as employees are expected to analyze every one of the hundreds of emails they receive every day. Instead, these companies should be recognizing that their primary protection technology does not address their primary concern very well,” he said.
He said it’s essential that companies prioritize threats on a sliding risk scale and adopt, and potentially swap out, technologies according to their budgets. “Today, however, companies aren’t doing this. For example, many companies do not correctly take loss and risk into consideration,” he said.
Henderson doesn’t think companies are spending nearly enough on advanced training for their security staff. “Empowering your security teams to learn to use the tools they’ve already deployed at an expert level can improve your overall time to detect and remediate an issue, and build better job satisfaction and loyalty. It’s no surprise to anyone that good staff are hard to find and even harder to replace, so if you don’t have a set amount of cash set aside in your budget to keep those people happy… they’re going to look for greener pastures elsewhere. This is the reality in today’s cyber security job market."