@ISACA Volume 26, 23 December 2019

Analyzing Cybersecurity Spending in Depth

By Jack Freund, Ph.D., CISA, CRISC, CISM

The US fiscal year 2020 presidential budget for cybersecurity-related activities is set at US$17.4 billion. This represents a 5% increase over the fiscal year 2019 budget and amounts to approximately US$53 for every person in the United States. More is actually spent, but due to the clandestine nature of some government work, the full budget is not reported publicly. By way of comparison, Bank of America is reported to spend approximately US$500 million annually on cybersecurity, or about US$2,400 for each of its employees. For its part, JPMorgan Chase spends approximately US$2,000 on cybersecurity for each of its employees. In aggregate, there is a forecast of US$1 trillion in worldwide cybersecurity spending over the 5-year period of 2017-21.

Naturally, organizations that are not as well capitalized (or that lack taxing authority) will spend considerably less on their cybersecurity programs. In your organization, you may be fighting for additional budget for the things that you need to defend the perimeter from cyberattacks and the interior from nefarious insiders. So many controls need funding that it may seem there is never enough money in the budget to cover all needs. As an example, the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 rev 4 shows 115 low-impact controls, 159 moderate-impact controls and 170 high-impact controls. Fully implementing these controls in all the relevant locations to the extent necessary can be extremely costly and time consuming.

Indeed, many will begin implementing these controls and never arrive at the end of their implementation cycle. Daily cyberhygiene, patching, upgrading and putting out fires take time and momentum away from the control implementation projects an organization may have. Add to that the fact that the organization in which you operate has its own agendas to pursue its strategic objectives and, in the end, one will likely never be able to implement all the controls with the budget in place. The good news is that professionals will not need to do so.

Such “gotta catch ’em all” control implementation checklists (often disguised as security maturity measures) exist in a world with an unlimited amount of money, time and staff. Unfortunately, we live in a different world that requires rationalizing where limited money is spent. This kind of reality requires a different approach. In any environment where resource allocation faces scarcity, economic principles must be applied. In security, applying a cybervalue-at-risk (VAR) cyberrisk quantification (CRQ) methodology such as the open-source Factor Analysis of Information Risk (FAIR) cybersecurity framework gives you a way to focus on the riskiest scenarios. A fully formed risk scenario will contain a statement of loss that helps top leadership in your organization focus on what is imperiled along with why it should be funded. Further, relevant control solutions (such as those from NIST SP 800-53) can be paired with loss scenarios to enable decision-makers in the organization to make a fully informed choice: Invest in one of the control solutions or accept the potential losses associated with inaction.
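
To make the invest-or-accept decision concrete, the following Python example is added here; it is not code from the article, from RiskLens or from the FAIR standard. It shows the simplified FAIR arithmetic that the paragraph above relies on: a loss scenario is estimated as calibrated min/most-likely/max ranges for loss event frequency (LEF) and loss magnitude (LM), a Monte Carlo run yields a cyber value-at-risk at the 95th percentile, and each candidate control is scored by the expected annual loss it avoids minus its own annual cost. The scenario, the dollar figures, the control names and their reduction percentages are all constructed assumptions chosen for illustration.

```python
"""Cyber value-at-risk (VAR) worked example. All figures are constructed for illustration."""
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Triangular:
    """Calibrated min / most-likely / max estimate, the range form used in FAIR analyses."""
    low: float
    likely: float
    high: float

    @property
    def expected(self) -> float:
        # Mean of a triangular distribution
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """A FAIR-style loss scenario: how often a loss event occurs times what each one costs."""
    name: str
    lef: Triangular  # loss event frequency, events per year
    lm: Triangular   # loss magnitude, USD per event

    def expected_annual_loss(self) -> float:
        # Simplified FAIR: risk = LEF x LM, with the two estimates treated as independent
        return self.lef.expected * self.lm.expected


@dataclass(frozen=True)
class ControlOption:
    """A candidate control (e.g. a NIST SP 800-53 control) and its assumed effect on LEF."""
    name: str
    annual_cost: float   # USD per year to operate the control
    lef_reduction: float # fraction of loss events the control prevents, 0..1

    def residual(self, s: Scenario) -> Scenario:
        factor = 1.0 - self.lef_reduction
        lef = Triangular(s.lef.low * factor, s.lef.likely * factor, s.lef.high * factor)
        return Scenario(f"{s.name} with {self.name}", lef, s.lm)


def simulate_annual_loss(s: Scenario, trials: int = 10_000, seed: int = 1) -> List[float]:
    """Monte Carlo: one (LEF x LM) draw per trial; returned ascending for percentile lookups."""
    rng = random.Random(seed)
    return sorted(s.lef.sample(rng) * s.lm.sample(rng) for _ in range(trials))


def value_at_risk(sorted_losses: List[float], confidence: float = 0.95) -> float:
    """Loss not exceeded in `confidence` of simulated years (the cyber VAR figure)."""
    idx = min(len(sorted_losses) - 1, int(math.ceil(confidence * len(sorted_losses))) - 1)
    return sorted_losses[idx]


def net_benefit(s: Scenario, c: ControlOption) -> float:
    """Expected annual loss avoided by the control minus what the control costs per year."""
    avoided = s.expected_annual_loss() - c.residual(s).expected_annual_loss()
    return avoided - c.annual_cost


def recommend(s: Scenario, options: List[ControlOption]) -> str:
    """Fund the control with the largest positive net benefit, otherwise accept the risk."""
    best = max(options, key=lambda c: net_benefit(s, c))
    return best.name if net_benefit(s, best) > 0 else "accept the risk"


# Constructed scenario: phishing leads to takeover of a payments operator account.
SCENARIO = Scenario(
    "payment operator account takeover via phishing",
    lef=Triangular(0.1, 0.5, 1.5),                 # between once a decade and 1.5 times a year
    lm=Triangular(50_000, 250_000, 1_200_000),     # USD per event, incl. response and fraud loss
)
# Constructed control options; costs and reduction fractions are assumptions.
OPTIONS = [
    ControlOption("phishing-resistant MFA rollout", annual_cost=120_000, lef_reduction=0.60),
    ControlOption("outsourced 24x7 monitoring", annual_cost=300_000, lef_reduction=0.70),
]

if __name__ == "__main__":
    losses = simulate_annual_loss(SCENARIO)
    print(f"{SCENARIO.name}")
    print(f"  expected annual loss: ${SCENARIO.expected_annual_loss():,.0f}")
    print(f"  95% cyber VAR:        ${value_at_risk(losses):,.0f}")
    for c in OPTIONS:
        print(f"  {c.name:32} net benefit ${net_benefit(SCENARIO, c):>10,.0f}")
    print(f"  recommendation: {recommend(SCENARIO, OPTIONS)}")
```

With these assumed inputs the expected annual loss is US$350,000; the MFA option avoids US$210,000 of it for US$120,000 a year (net benefit US$90,000), while the monitoring option avoids US$245,000 but costs US$300,000 (net benefit negative), so the analysis funds MFA and would tell leadership to accept the residual loss rather than buy the second control. The per-trial product of one LEF draw and one LM draw is a common simplification; a fuller FAIR model draws a count of events per year and sums a separate magnitude draw for each.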

Managing information security this way fundamentally changes the conversation with stakeholders. Instead of requests appearing like a collector’s wish list, it gives executives the ability to make nuanced choices and puts them in the driver’s seat. Economic cybersecurity decision-making has the added benefit of maturing other areas in your organization. It compels higher-quality discussions about what is acceptable risk in pursuit of organizational goals. Instead of pursuing spending in depth, justify cybersecurity budgets using economic measures that are meaningful to the organization’s business objectives.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director of risk science for RiskLens, a member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.


How to Manage I&T-Related Risk Using NIST and COBIT 2019


IT and operational technology (OT) create value and promising opportunities for enterprises today—they are no longer just support mechanisms for key resources. But as information and technology (I&T) processes and infrastructure have progressed and become more interconnected, the attack surface has expanded. Consequently, enterprises in industries such as finance, retail and energy need to rethink their management of I&T-related risk.

Many enterprises recognize that cybersecurity attacks have become more frequent but lack an approach to mitigate them that integrates cybersecurity standards and enterprise governance of I&T (EGIT). To provide you with best practices to anticipate, understand and optimize I&T risk using cybersecurity standards and EGIT, ISACA has developed the book Implementing the NIST CSF Using COBIT 2019, which walks you through implementing the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity using COBIT 2019. This book also explores how applying the NIST Cybersecurity Framework (CSF) in the context of COBIT 2019 can enhance communication and transparency around I&T risk management and allow enterprises to evaluate their priorities effectively.

To learn more, download this book by visiting the Implementing the NIST CSF Using COBIT 2019 page of the ISACA website.


CISM: The Key to Entering Executive Leadership

Michael Kearns Shares His Experience as a CISM

In 2018, Michael Kearns, CISM, chief information security officer (CISO) for Nebraska Methodist Health System, evaluated options to make himself more employable in the next decade. After researching the most desirable certifications security professionals should hold and acquiring many years of management experience in IT security at Syracuse College (New York, USA), he decided to pursue the Certified Information Security Manager (CISM) certification. Kearns says the CISM certification was the key to landing an executive leadership position. “I am currently the CISO for Nebraska Methodist Health System in Omaha, Nebraska, USA, and, without this certification, I would never have been considered for this position. The certification was a requirement for the role, and the certification has made me a much better CISO. Prior to my current role as CISO, I was unable to move into an executive leadership position even though I held a master’s degree in information management. The CISM certification has made all the difference.”

Since becoming a CISM, Kearns notes that he has gained confidence in himself. Becoming a CISO, he explains, also increased his earning potential, and allowed him to save more for retirement and better evaluate risk vs. reward in financial decisions, such as home purchases. Overall, it has helped him feel more secure in his future and in the present—he says his current CISO position is his dream job.

Kearns says he cannot emphasize the positives of being a CISM enough. Not only has it helped him be recognized as an expert, it has opened the door to support from the ISACA community. When Kearns moved from New York, USA, to Nebraska for his current position, his boss came to him with a dilemma: His boss had grant money to hold a security conference, but only had 2 months to organize it or he would forfeit the grant money. Kearns called on his fellow ISACA members. “I reached out to my new ISACA friends here in Omaha and they told me, without hesitation, that they could assist with organizing the conference. The local cybersecurity conference went off without a hitch and was a huge success all because local ISACA members stepped up and made it happen.” Needless to say, Kearns is extremely grateful for the ISACA Omaha Chapter members.

Kearns recommends that, “If you want to be considered a true professional, then the CISM certificate is for you. It makes you a better security expert, more knowledgeable, will advance your career, and carries respect among employers and coworkers.” In his position, Kearns believes in the certification so strongly that he requires all his staff to pursue either the CISM certification or the Certified Information Systems Security Professional (CISSP) certification.

To learn more about ISACA certifications, visit the Certification page of the ISACA website.

Women Influencing Tech as a New Decade Brings More Change

New From SheLeadsTech

The end of a year—and the end of a decade—offer the opportunity to pause and reflect, but also to focus on the future and imagine how work lives and enterprises might change and evolve.

SC Magazine UK recently released a list of 50 women of influence in cybersecurity in Europe. These women are among the leaders who will ensure that new technologies are adopted safely and securely and help enterprises succeed in a rapidly changing technology landscape. The list includes 13 ISACA members and leaders:

  • Jenny Boneva, CISA, vice president of and SheLeadsTech liaison for the ISACA Sofia (Bulgaria) Chapter
  • Biljana Cerin
  • Phedra Clouner
  • Daniela Gschwend, CISA, CRISC, CGEIT, president of the ISACA Switzerland Chapter
  • Peggy Heie, CISA, CRISC
  • Enkeleda Ibrahimi
  • Sanja Kekic, CRISC, president of and SheLeadsTech liaison for the ISACA Belgrade (Serbia) Chapter
  • Anastasiia Konoplova, CISA, president of the ISACA Kyiv (Ukraine) Chapter
  • Loredana Mancini, CRISC, CGEIT
  • Pelin Pehlivan, CISA, CRISC, SheLeadsTech liaison for the ISACA Istanbul (Turkey) Chapter
  • Anette Roll Richardsen
  • Rudite Springe, CISM, CGEIT, SheLeadsTech liaison for the ISACA Latvia Chapter
  • Andrea Zengo, CISA, CISM, SheLeadsTech program chair for the ISACA Budapest (Hungary) Chapter

These women were evaluated across a spectrum of accomplishments including published works, speaking engagements, cybersecurity expertise, current and past roles, and prominence within open source and social media activity. Many of these women are involved with the SheLeadsTech program, and all serve as examples of the breadth of expertise that enterprises need as they move into the next decade.

Kekic spoke at the 2019 EuroCACS/CSX conference about the skills that are needed to help transition enterprises at the same pace as emerging technologies. “The professional landscape is changing, and we all need to be prepared for what is coming next,” she said. “We are going to see that our technical skills will move into more specialized areas. Additionally, our profession has access to a lot of data and the tools needed for hacking. We are going to need to pay closer attention to ethics in our field.”

Kekic, the other women on SC Magazine’s list of 50 women of influence in cybersecurity in Europe and women like them around the world will help navigate the next decade of tech, including how professional roles will change in the wake of increasing use of artificial intelligence (AI) and automation.

ISACA’s SheLeadsTech program seeks to increase the representation of women in technology leadership roles and the tech workforce. To learn more about the program, log in and join SheLeadsTech on Engage.

A version of this article was originally published on the SheLeadsTech website.