Let’s talk about why Chief Information Security Officers often struggle justifying cybersecurity purchases and which practical frameworks can help with such efforts.
Like other enterprise executives, CISOs must defend their budget requests. Year after year the company hears that the CISO demands money for more projects, more products, more staff. We used to justify these requests by talking about defense in depth—the notion that a single layer will eventually fail, so we must deploy multiple layers.
Defense in depth is still valuable concept, but it alone is insufficient for justifying expenses because it doesn’t help answer the question, “How much defense is enough?” Also, it doesn’t really help clarify which security layers you need.
That’s where modern security frameworks come in. A couple of examples:
- CIS Critical Controls provides consensus-based guidelines that specify minimum reasonable security measures. If any of the practices are missing from the company’s security program, a CISO can point to this list to justify the request for people, process, and technology. Note that the first control in this framework is asset management of devices, and the second is asset management of software.
- NIST Cybersecurity Framework (CSF) provides a comprehensive listing of the security measures an enterprise should consider implementing. It’s more detailed than Critical Controls. CSF groups measures into five categories: Identify, Protect, Detect, Respond, and Recover. It also provides pointers to other frameworks, including Critical Controls, NIST SP 800-53, and the mighty ISO 27001. CSF is gaining strong traction among government and commercial organizations in the US and world-wide.
How can CISOs confirm that they have the necessary tools–not too few and not too many? Critical Controls offer a nice start, but aren’t very detailed. CSF is extensive, but can be overwhelming.
The Cybersecurity Defense Matrix, created by Sounil Yu, offers a handy way to begin organizing security tools and identify portfolio gaps. This matrix can help CISOs structure their capabilities related to devices, applications, networks, data, and users. It uses CSF categories for the columns and makes it convenient to identify areas that might have too many or too few security measures:
If you know about what Axonius does, where would you place our product in this matrix? Our cybersecurity asset management solution fits squarely in the Identify column, drawing upon multiple data sources to identify devices, applications, networks, and users. And we help customers derive more value from their technologies that exist in the other columns by integrating with them to remediate asset gaps we’ve identified.
The more squares of the Cyber Defense Matrix technology covers, the more value it offers, which allows it to demand a greater portion of the CISO’s budget. Like other CISOs, I’m looking at this table alongside other frameworks to prioritize efforts related to our own security program.