How to Stretch a Cybersecurity Budget to Get the Most Risk Reduction

January 18, 2019 | Andrew Leach

With all the news about massive data breaches and ransomware attacks, the recent budget-setting season should have been a bonanza for CISOs seeking funding. But if your company is doing general belt-tightening, all that news may not have saved your cybersecurity budget from having to give something back.

If that’s your situation, now is the time to focus on this question:

How can I get the maximum bang for my bucks, and apply them where they will reduce risk the most?

To answer the question, many organizations are turning to cyber risk quantification, using the Factor Analysis of Information Risk (FAIR) model. It’s a structured risk management approach that decomposes risk into its contributing factors (how often loss events occur and how much each one costs), then generates a result showing probable annual loss exposure in dollars. That makes cost-benefit analysis possible: security measures can be compared by the risk reduction they produce against what they cost.

For infosecurity teams looking to maximize budget and minimize cyber and technology risk, here are some of the benefits of the FAIR model:

1. Prioritize security tools to mitigate risk, based on financial impact to the business.

By leveraging FAIR to assess risk, organizations are able to quantify the loss exposure associated with their most important assets. This allows them to focus their budget on projects and security tools that will reduce loss exposure the most.

2. Trend the success of security controls and programs over time, allowing stakeholders to see where budget should best be spent.

When risk is assessed quantitatively, organizations can review how successful their previous purchases have been at reducing risk by weighing the cost of the control against how much it reduced loss exposure. Additionally, understanding the ROI of their past investments helps prioritize maintenance contracts.

3. Purchase the appropriate amount of cyber insurance for the areas where losses are the most likely.

The FAIR model is a disciplined way to answer the classic question of the Four T’s of Risk (Tolerate, Treat, Transfer, or Terminate). Using the model brings in stakeholders from all facets of the business to set an appropriate risk appetite for the various forms of loss. This makes purchasing insurance easier for cyber executives because they have a dollar amount tied to risk tolerance. In particular, the FAIR model can help you identify the higher cost but less likely loss events, the kind of risk you want to “Transfer” to an insurer.
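To make the cost-benefit and “Transfer” ideas in points 1 through 3 concrete, here is a small added example (not code from the article, from RiskLens, or from the FAIR standard itself). It models each loss scenario with the three FAIR-style factors named above, threat event frequency, vulnerability, and loss magnitude, each as a (min, most likely, max) estimate, computes expected annual loss exposure in dollars, ranks candidate controls by loss reduction per budget dollar, and runs a Monte Carlo simulation to flag rare-but-severe scenarios whose 1-in-100-year loss dwarfs their expected loss. The scenarios, controls, dollar figures and the assumption that controls scale vulnerability or magnitude by a constant factor are all constructed for illustration.

```python
"""FAIR-style cost-benefit ranking of security controls.

Illustrative example: every scenario, control and dollar figure below is
constructed, not taken from the article, RiskLens or the FAIR standard.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: tuple        # threat event frequency per year: (min, most likely, max)
    vuln: tuple       # probability a threat event becomes a loss event
    magnitude: tuple  # loss per event in dollars: (min, most likely, max)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    applies_to: frozenset          # names of the scenarios this control affects
    vuln_factor: float = 1.0       # assumed: control multiplies vulnerability (0.5 halves it)
    magnitude_factor: float = 1.0  # assumed: control multiplies loss magnitude


def tri_mean(t):
    """Mean of a triangular (min, most likely, max) estimate."""
    lo, ml, hi = t
    return (lo + ml + hi) / 3.0


def annual_loss_exposure(s):
    """Expected annual loss = TEF x Vulnerability x Loss Magnitude (factors independent)."""
    return tri_mean(s.tef) * tri_mean(s.vuln) * tri_mean(s.magnitude)


def apply_control(s, c):
    """Return the scenario as it would look with the control in place."""
    if s.name not in c.applies_to:
        return s
    return replace(s, vuln=tuple(v * c.vuln_factor for v in s.vuln),
                   magnitude=tuple(m * c.magnitude_factor for m in s.magnitude))


def rank_controls(scenarios, controls):
    """Rank controls by dollars of loss exposure removed per budget dollar spent."""
    baseline = sum(annual_loss_exposure(s) for s in scenarios)
    rows = []
    for c in controls:
        mitigated = sum(annual_loss_exposure(apply_control(s, c)) for s in scenarios)
        reduction = baseline - mitigated
        rows.append({"control": c.name, "cost": c.annual_cost, "reduction": reduction,
                     "net_benefit": reduction - c.annual_cost,
                     "reduction_per_dollar": reduction / c.annual_cost})
    return sorted(rows, key=lambda r: r["reduction_per_dollar"], reverse=True)


def _draw(rng, t):
    lo, ml, hi = t
    return rng.triangular(lo, hi, ml)  # random.triangular takes (low, high, mode)


def _poisson(rng, lam):
    """Knuth's method: number of loss events in a year at annual rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s, runs=20000, seed=7):
    """Monte Carlo annual loss for one scenario: returns (mean, 99th percentile)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        lef = _draw(rng, s.tef) * _draw(rng, s.vuln)        # loss event frequency
        events = _poisson(rng, lef)
        losses.append(sum(_draw(rng, s.magnitude) for _ in range(events)))
    losses.sort()
    return sum(losses) / runs, losses[min(runs - 1, round(0.99 * runs))]


def tail_ratio(s, runs=20000, seed=7):
    """1-in-100-year loss divided by expected annual loss. A high ratio marks a
    rare-but-severe scenario: a candidate to Transfer (insure) rather than Treat."""
    mean, p99 = simulate(s, runs, seed)
    return p99 / mean


# Constructed sample data (not from the article).
SCENARIOS = [
    Scenario("ransomware", tef=(2, 4, 6), vuln=(0.1, 0.2, 0.3),
             magnitude=(100_000, 200_000, 300_000)),
    Scenario("major data breach", tef=(0.5, 1.0, 1.5), vuln=(0.02, 0.05, 0.08),
             magnitude=(1_000_000, 2_000_000, 6_000_000)),
]
CONTROLS = [
    Control("MFA rollout", 60_000, frozenset({"ransomware", "major data breach"}), vuln_factor=0.5),
    Control("Offline backups", 40_000, frozenset({"ransomware"}), magnitude_factor=0.4),
    Control("DLP platform", 120_000, frozenset({"major data breach"}), vuln_factor=0.8),
]

if __name__ == "__main__":
    for r in rank_controls(SCENARIOS, CONTROLS):
        print(f"{r['control']:<16} cost ${r['cost']:>9,.0f}  cuts ALE by ${r['reduction']:>9,.0f}"
              f"  net ${r['net_benefit']:>9,.0f}  ({r['reduction_per_dollar']:.2f} saved per $)")
    for s in SCENARIOS:
        mean, p99 = simulate(s)
        print(f"{s.name:<18} expected ${mean:,.0f}/yr, 1-in-100-year ${p99:,.0f}, tail ratio {p99 / mean:.1f}")
```

With these constructed figures, MFA comes out ahead on reduction per dollar even though offline backups cost less, and the DLP platform costs more than the exposure it removes, which is exactly the comparison points 1 and 2 call for. The breach scenario has a lower expected annual loss than ransomware but a far higher tail ratio: it is the “higher cost but less likely” event that point 3 suggests transferring to an insurer, and the 99th-percentile figure gives a starting point for how much coverage to buy.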

4. Prioritize compliance initiatives by satisfying the requirements that will provide the most value to the business first.

Whether your compliance program is a legal requirement from regulators or compliance by choice, a FAIR approach can turn this exercise from merely checking off a list into targeted risk reduction. Approaching the implementation from a quantitative risk perspective, companies can prioritize the compliance initiatives that will have the greatest impact on the bottom line. FAIR complements NIST CSF, the most commonly used cybersecurity framework; in fact, the framework’s author, the National Institute of Standards and Technology, included information about FAIR on its Industry Resources page.

RiskLens Cyber Risk Quantification is a decision-support application that quantifies an organization's financial risk exposure to cybersecurity events, based on the FAIR model. 
