From Budgets to Backups, Today’s CISOs Need to Be Over-Prepared

By Dean Lane, Chief Information Officer, The Institute of World Politics.

There may once have been a brief moment when Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) were worry-free, but it was certainly over quickly. Even in the halcyon days before cyber threats were as pervasive as they are today, those in charge still had to budget enough to keep systems secure, even when attacks were rare. Today's rampant cyber threats mean that even small businesses must budget adequate funds for cyber security or risk real loss. According to the international insurer Hiscox, 23% of small businesses suffered at least one cyber attack in 2021, at an average annual financial cost of $25,000.

The unfortunate reality is that the criminals perpetrating these attacks are often better funded than those trying to safeguard their organizations. Yet despite facing a very real and ongoing threat, many organizations today, regardless of size, tend to underinvest in security, further widening the gap between their ability to protect themselves and their attackers' ability to breach their systems. According to the 2022 cybersecurity benchmarking study by ThoughtLab, 30% of participants said their IT budgets are not large enough to provide adequate cybersecurity. Others noted that growth in partners, suppliers, remote workers, and use of the Internet of Things has increased their organization's exposure to cyber risk.

Some IT budgets may, at first glance, seem robust enough, but a closer look reveals that security is still underfunded because part of the budget has gone to highly visible technology expenditures instead, such as supplying executives with the latest cell phones, the fastest computers, or multiple monitors. When it comes to spending on vital but invisible needs like security, it can be difficult to convince senior management to spend more. As a CIO, my best attempt at convincing executives that security expenditures were relevant and important was to compare them to an insurance policy. When presenting to senior management, bring concrete examples of how avoiding security expenditures saves money in the short term but can prove disastrous later.

Back in the early days, when CISOs were still buried somewhere in the Information Technology (IT) department, our technology budgets were constantly scrutinized, with cuts made arbitrarily to hold spending at a given level. Thankfully, organizations have evolved (somewhat), but just as CISOs have been elevated to the C-suite, organizations need to elevate their IT budgets to reflect how much they matter to the organization's success or failure. After all, should a breach occur, the effect on an organization can be disastrous from a financial, reputational, societal, efficiency, and operational standpoint.

Class action lawsuits resulting from data breaches are of increasing concern. The recent Equifax settlement has already cost the company hundreds of millions of dollars, with a potential total of up to $2 billion, according to the Reuters article "Data Breach Class Action Litigation and the Changing Legal Landscape." Data privacy legislation, and the penalties it imposes on breached companies, continues to expand. The cost of being underprepared could be catastrophic.

Of course, all the budget in the world won't make up for a lack of planning. As CISOs, it's critical that we also plan for the "just in case." Smart planning goes a long way toward getting an organization back on its feet quickly. Specifically, we, as CISOs, should ensure that our organization has:

  • Offsite Backups: Some organizations keep all of their data on site, thinking that this is the normal way of operating. This myth should be shattered as soon as possible! Most organizations are aware enough to perform backups, yet the backup data is stored on site alongside the originals. This ignores the many incidents that can take out a whole site at once: power surges, hard disk failures, fires, floods, and so on. Should one of these occur, an organization may lose access to its own data or, possibly worse, its customers' data, financial data, and more. A backup should be stored offsite or in the cloud, and it should not be reachable with the same credentials that run production, or an incident that compromises production can reach the backup too.
  • Restores: Don't allow yourself a false sense of security simply because you have a backup stored offsite or in the cloud. Restoring a backup should be done routinely, at a set interval, into a scratch environment rather than over production, so that performing a restore becomes routine and any problem with the procedure surfaces during a drill rather than during an incident. A successful restore is only half of this step, though: it proves the backup can be read, not that its contents are right.
  • Verification of Restores: It is important to verify a restored backup against the production database, for example by comparing schema, row counts, and checksums of the data rather than just confirming the restore finished. Imagine an organization that has been routinely conducting restores without verification and, unknown to them, every one of those restores was corrupt. When an incident affects the production database and a corrupt backup is restored, the result will not be pleasant!
  • Keep Updates Current: An easy preventive measure is to apply all applicable updates to the organization's software and hardware as they become available. Vendors are always looking for ways to make their products more secure. Releases (updates) often contain security patches, and in some cases the update's only purpose is security.
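The three backup items above (an offsite copy, a routine restore into a scratch location, and verification of the restored data against production) form one procedure. The following is an added example, not code from the article or from the author's organization, that walks through that procedure on a constructed SQLite database so it runs offline. The database name, table names, sample rows, and the "offsite" path are invented for the demo; a digest is recorded at backup time so the restore step can refuse a copy that has been altered, and the verification step compares a logical fingerprint (per-table row counts plus a hash over every row) instead of file bytes.

```python
"""Backup -> restore -> verify drill on a constructed SQLite database.
Added example; the data, paths and table names are invented for the demo."""
import hashlib
import os
import sqlite3
import tempfile


def make_production_db(path):
    """Create the constructed 'production' database with sample rows."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE invoices(id INTEGER PRIMARY KEY, customer_id INTEGER, cents INTEGER);
        INSERT INTO customers VALUES (1,'Ada','ada@example.org'),(2,'Bob','bob@example.org');
        INSERT INTO invoices VALUES (1,1,12500),(2,2,99),(3,1,4000);
    """)
    con.commit()
    con.close()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_db(src_path, dst_path):
    """Take a consistent copy with SQLite's online backup API and return its
    SHA-256; store that digest separately from the copy itself."""
    src, dst = sqlite3.connect(src_path), sqlite3.connect(dst_path)
    src.backup(dst)
    src.close()
    dst.close()
    return sha256_file(dst_path)


def restore_db(backup_path, expected_digest, restore_path):
    """Restore into a scratch path, refusing a copy whose digest no longer
    matches what was recorded when the backup was taken."""
    if sha256_file(backup_path) != expected_digest:
        raise ValueError("backup digest mismatch: file altered or corrupt")
    with open(backup_path, "rb") as src, open(restore_path, "wb") as dst:
        dst.write(src.read())
    return restore_path


def db_fingerprint(path):
    """Logical fingerprint: {table: (row_count, sha256 of all rows)}.
    Also runs PRAGMA integrity_check so a damaged file fails loudly."""
    con = sqlite3.connect(path)
    try:
        status = con.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            raise ValueError("integrity_check failed: " + status)
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        fp = {}
        for t in names:
            h, n = hashlib.sha256(), 0
            for row in con.execute(f'SELECT * FROM "{t}" ORDER BY rowid'):
                h.update(repr(row).encode())
                n += 1
            fp[t] = (n, h.hexdigest())
        return fp
    finally:
        con.close()


def verify_restore(production_path, restored_path):
    """Compare restored data to production; return (ok, differing tables)."""
    prod, rest = db_fingerprint(production_path), db_fingerprint(restored_path)
    diffs = sorted(set(prod) ^ set(rest))
    diffs += sorted(t for t in prod if t in rest and prod[t] != rest[t])
    return (not diffs, diffs)


def run_drill(mode="ok"):
    """One full cycle. mode="tampered" flips a byte in the offsite copy;
    mode="stale" changes production after the backup was taken."""
    with tempfile.TemporaryDirectory() as d:
        prod, bak, rest = (os.path.join(d, n) for n in ("prod.db", "offsite.db", "restored.db"))
        make_production_db(prod)
        digest = backup_db(prod, bak)
        if mode == "tampered":
            with open(bak, "r+b") as f:          # simulate bit rot / tampering
                f.seek(4096); b = f.read(1); f.seek(4096); f.write(bytes([b[0] ^ 0xFF]))
        elif mode == "stale":
            con = sqlite3.connect(prod)          # production moved on since the backup
            con.execute("INSERT INTO invoices VALUES (4,2,700)")
            con.commit(); con.close()
        try:
            restore_db(bak, digest, rest)
        except ValueError as e:
            return ("restore refused", str(e))
        ok, diffs = verify_restore(prod, rest)
        return ("verified" if ok else "mismatch", diffs)


if __name__ == "__main__":
    for m in ("ok", "tampered", "stale"):
        print(m, "->", run_drill(m))
```

The "stale" case is the one the article warns about: the restore itself succeeds, and only the comparison against production reveals that the restored data is not what the business expects. In a real drill the fingerprint would be taken on the production replica at the backup's point in time, and the restore target would be an isolated environment with no path back to production.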

Keeping your organization secure means not only having the right people, systems, and procedures in place but also having a knack for convincing management to allocate the necessary funds, because the true cost of a cyber incident will far outweigh any IT savings made at budget time.