Prioritizing Spending When Setting a Cybersecurity Budget

By Bill O’Hern, Chief Security Officer, AT&T

Serving AT&T business and government customers around the world gives me an opportunity to learn how the best cybersecurity leaders prioritize their spending on security initiatives.


Discussions with customers usually begin with their observation that AT&T plays a central role – as an internet and mobile service provider – in supporting the protection of their data and resources. With AT&T 5G services becoming such a major part of network infrastructure, this isn’t a surprise, and we are proud to be part of the equation.

But eventually, we get around to their overall security program. And while every company has different objectives and associated threats, I’ve noticed one key aspect described by the most experienced security leaders: an attention to mission.

These leaders tell me that they design and prioritize their programs based on the highest-level objectives of their organizations. And as any military expert will attest, this is called being mission oriented.

With other organizations, however, I find their rationale more focused on threats. For example, as concern rises over a particular cyberthreat such as ransomware, and as organizations within a sector see increases in a particular attack vector, many AT&T customers will shift their protection accordingly. This involves being threat oriented.

The Federal team at AT&T, for example, has great experience helping customers defend against shifts in malicious threats from adversaries. Military groups have had to employ this tactic for years – and it is certainly a factor in designing a great cybersecurity program.

A third opinion often emerges in my discussions with high-tech start-ups and venture capitalists. These experts often point to new technologies, products and services as being central drivers in establishing good security programs. In our laboratories at AT&T, we recognize this emphasis. It is called an innovation orientation.

What I’ve come to conclude from these customer discussions is that all three factors are essential to prioritizing your enterprise security program: mission, threat and innovation. These factors collectively provide balance to security leaders who seek to optimize their protection architecture and associated policies, programs and practices.

And they drive three simple questions that your own enterprise team can use when it comes to prioritizing how security budget should be allocated. Specifically, each question can help determine whether a proposed security investment should be considered high, medium or low priority.

  1. Does this security investment clearly enable successful support for our overall mission?
  2. Does this security investment clearly enable successful defense against a known or expected threat?
  3. Does this security investment clearly integrate a key innovation that can enhance our ability to support the mission and mitigate threats?

When I show this framework to security experts, they will note that the questions correspond to basic cyber-risk management. They will point out, for instance, that risk is defined by consequence, which is driven by mission. And that risk is also defined by likelihood, which is driven by threat and defensive innovation. Risk models such as FAIR (Factor Analysis of Information Risk), for example, use exactly these factors, expressing consequences in financial terms.
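The risk arithmetic sketched here can be made concrete. The following Python is an added illustration, not code from the article or from any AT&T tool: it scores candidate budget items with the three questions above (high, medium or low by how many are answered yes) and then, within each priority tier, orders them by a simplified FAIR-style annualized loss expectancy (loss event frequency times loss magnitude) removed per dollar spent. The investments, costs, frequencies and reduction factors are constructed sample values, not figures from the article.

```python
"""Prioritize security spend with the mission/threat/innovation questions
plus a simplified FAIR-style annualized-loss estimate. Sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Investment:
    """One candidate line item in a security budget (constructed sample data)."""
    name: str
    annual_cost: float            # USD per year
    supports_mission: bool        # Q1: clearly enables the overall mission?
    counters_known_threat: bool   # Q2: clearly defends against a known or expected threat?
    integrates_innovation: bool   # Q3: clearly integrates a key innovation?
    loss_event_frequency: float   # FAIR-style likelihood: expected loss events per year
    loss_magnitude: float         # FAIR-style consequence: expected USD loss per event
    frequency_reduction: float    # fraction of loss events the control prevents, 0..1

    def __post_init__(self) -> None:
        # Reject inputs that would make the arithmetic below meaningless.
        if not 0.0 <= self.frequency_reduction <= 1.0:
            raise ValueError(f"{self.name}: frequency_reduction must be in [0, 1]")
        if self.annual_cost <= 0:
            raise ValueError(f"{self.name}: annual_cost must be positive")


def annualized_loss(frequency: float, magnitude: float) -> float:
    """Annualized loss expectancy: likelihood (events/year) times consequence (USD/event)."""
    return frequency * magnitude


def annual_risk_reduction(inv: Investment) -> float:
    """USD of expected annual loss removed if the investment is funded."""
    before = annualized_loss(inv.loss_event_frequency, inv.loss_magnitude)
    residual_frequency = inv.loss_event_frequency * (1.0 - inv.frequency_reduction)
    after = annualized_loss(residual_frequency, inv.loss_magnitude)
    return before - after


def reduction_per_dollar(inv: Investment) -> float:
    """Expected annual loss removed per dollar of annual cost."""
    return annual_risk_reduction(inv) / inv.annual_cost


# Three yes answers -> high, two -> medium, otherwise low (hypothetical mapping).
_PRIORITY_BY_YES_COUNT: Dict[int, str] = {3: "high", 2: "medium"}
_PRIORITY_ORDER: Dict[str, int] = {"high": 0, "medium": 1, "low": 2}


def priority(inv: Investment) -> str:
    """Apply the three budget questions and return high, medium or low."""
    yes = sum([inv.supports_mission, inv.counters_known_threat, inv.integrates_innovation])
    return _PRIORITY_BY_YES_COUNT.get(yes, "low")


def rank_investments(investments: List[Investment]) -> List[str]:
    """Names ordered highest priority first; within a tier, most loss removed per dollar first."""
    ordered = sorted(
        investments,
        key=lambda inv: (_PRIORITY_ORDER[priority(inv)], -reduction_per_dollar(inv)),
    )
    return [inv.name for inv in ordered]


# Constructed sample budget; every number here is invented for illustration.
SAMPLE_BUDGET: List[Investment] = [
    Investment("DDoS scrubbing service", 200_000, True, True, False, 4.0, 150_000, 0.8),
    Investment("Immutable backups for ransomware recovery", 120_000, True, True, True, 0.5, 2_000_000, 0.7),
    Investment("Badge system refresh", 50_000, False, False, True, 0.1, 50_000, 0.5),
]


def budget_report(investments: List[Investment] = SAMPLE_BUDGET) -> List[dict]:
    """One row per investment with the derived priority and risk figures."""
    rows = []
    for inv in investments:
        rows.append({
            "name": inv.name,
            "priority": priority(inv),
            "annual_cost": inv.annual_cost,
            "risk_reduction": round(annual_risk_reduction(inv), 2),
            "reduction_per_dollar": round(reduction_per_dollar(inv), 3),
        })
    return rows


if __name__ == "__main__":
    for name in rank_investments(SAMPLE_BUDGET):
        row = next(r for r in budget_report() if r["name"] == name)
        print(f"{row['priority']:6} {row['name']:42} "
              f"removes ${row['risk_reduction']:,.0f}/yr at ${row['reduction_per_dollar']:.2f} per $1")
```

The tier from the three questions is decided first, so a cheap control with an attractive ratio does not leapfrog one that serves the mission and a known threat; the dollar ratio only breaks ties within a tier. Replacing the constructed frequencies and magnitudes with an organization's own estimates is the part that takes real effort.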

Whatever one chooses to call the strategic approach, my best advice to enterprise security leaders is to include all three factors – mission, threat and innovation – in all spend prioritization efforts. The result will be a balanced scheme, one that can be effective in helping to handle shifting attacks while also being flexible enough to enable business goals.

Our team at AT&T is always ready and available to help our enterprise customers to determine their strategic approach. AT&T products and services are designed to provide enhanced security against attacks to networks, such as denial of service, and threats to data, such as ransomware.

Good luck with your own cybersecurity prioritization planning, and we look forward to assisting this important protection initiative.