Cost Effective Security

This article is about how security can be implemented in a cost-effective way that adds benefit to the business; however, it needs to be driven from the senior leadership of the organisation. This might come across as a bit of letting off steam, and with that said, in the words of the Human Torch: “Flame on”.

The cybercrime industry generated at least $1.5 trillion in revenue in 2018; if cybercrime were a country, it would rank 13th in the world in terms of GDP. In 2021 it is predicted to reach $6 trillion, which would rank 3rd in world GDP, and it has designs on being 1st.

Businesses need to take the economic impact of cybercrime more seriously.

As a director of the board, I am sure you have been reading the news and watching the media and have most certainly seen the activity around COVID-19. This global event has had a profound impact on your organisation and brought a complete change of culture overnight, most likely driven by yourselves. Not many were prepared for this.

The reason? There was no choice: you were ordered by the government to shut your offices and let everyone work from home. In a similar vein, you file and pay taxes; you have no choice, as it would be deemed neglect if you did not, along with the high chance that you would be made personally liable.

Now we come to cybersecurity, something that has the capability of having a profound impact upon the organisation. Although there is regulation, it does not go far enough. Directors need to be personally liable for their neglect if they have refused or did not want to fund or resource their cyber function. Saying it won’t happen to you is a fallacy; just ask British Airways, Marriott, Virgin Media, Microsoft, Facebook, T-Mobile, several metropolitan cities in the United States and countless others. (Reference

To be told about significant risk and do nothing about it, citing budget constraints, is not an excuse. Personally, I believe that directors of companies who fail to address the basic need of cyber hygiene should be found in neglect and at least disbarred, if not penalised personally; however, I think this will come.

So, the question is what you can do with a limited budget. Actually, you can do quite a lot.


Someone from senior management needs to be accountable for cybersecurity. If you look at how all cybersecurity risks manifest, it will be financial, so if there is no risk role in senior management, accountability should sit at least with the Chief Financial Officer or equivalent. I will state this for the record: security does NOT belong under technology, i.e. the CIO or CTO; it needs its own reporting lines to provide the counterpoint.

Have the senior leadership sign up to a security policy statement to set out the intent for security. There are plenty of examples on the internet, or contact us and we will send you an example.

Undertake a risk assessment. It doesn’t have to be perfect, but aligning it with ISO 27001 or the NIST Cybersecurity Framework should give you ideas on the areas that will need investment. From these, policies can be created; again, there are plenty of examples on the internet, however they need to align with current company policies and not be a stand-alone set.

These activities are relatively inexpensive if performed in-house; all they cost is time and effort.

Security education 

Education is probably the cheapest measure with the biggest impact. Talk to the users, explain why cybersecurity is needed and why they need to keep the company data safe; they can also use this knowledge to keep their own data safe. Lunch and learns are always a good start and a way for the staff to engage. My view is that mandatory staff training doesn’t always have the desired effect; retention is mostly minimal. Walk around the office and talk to people and be a cybersecurity evangelist; you may find some members of staff have an interest, so get them to sell the good story of cybersecurity. Again, none of this will impact budgets; it is only time and resource.

Cybersecurity is a business transformation and will take time. Tools will not solve the problem; they help the user to become reliant upon them. For example, the anti-malware you all have protecting the users’ laptops: why do they need to check anything when they have anti-malware and expect it to protect them? Users are too reliant upon the tools and become lazy.

Reuse current capabilities

If you were to look around your estate, I’m sure you will find tools and applications in use that would provide security capabilities; they might need some configuration or might need a licence. Many of you will have moved to Office 365, which has many features that can be used to protect and defend against malicious activity, already included in your current licence.

I myself like to build security capabilities into what I call a security ecosystem: single- or multi-point tools that integrate and work together. But utilising current capability enables you to baseline what you have.

Again, this can be measured. I would suggest the MITRE ATT&CK matrix or the CIS Top 20; these would measure how effective the controls are.
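The risk assessment and the “baseline what you have” measurement above can be joined into one simple exercise: score each risk (likelihood × impact), map the tools already in the estate to the ATT&CK techniques they address, and then see which high-scoring risks are covered, which are covered by something you already license but have not switched on (configuration, not budget), and which are genuine gaps. The following is an added example, not code from the article or its author. The ATT&CK technique IDs are real, but the tool names, the tool-to-technique mapping and the risk scores are constructed assumptions for illustration.

```python
"""Baseline existing controls against a small risk register (added example).

Constructed data: a tool inventory, a hand-made mapping of each tool to the
ATT&CK techniques it helps mitigate or detect, and a risk register scored
likelihood x impact. None of this is from the article; the tool names,
mappings and scores are assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    technique: str    # ATT&CK technique ID
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed risk register; scores are illustrative.
RISK_REGISTER = [
    Risk("T1566", "Phishing", 5, 4),
    Risk("T1078", "Valid Accounts", 4, 5),
    Risk("T1110", "Brute Force", 3, 3),
    Risk("T1486", "Data Encrypted for Impact (ransomware)", 3, 5),
    Risk("T1059", "Command and Scripting Interpreter", 2, 4),
]

# Constructed inventory: what is already licensed and whether it is enabled.
# The tool -> technique mapping is an assumption for this example.
TOOL_COVERAGE = {
    "mail-filtering":  {"techniques": {"T1566"}, "enabled": True},
    "mfa":             {"techniques": {"T1078", "T1110"}, "enabled": False},
    "endpoint-av":     {"techniques": {"T1486", "T1059"}, "enabled": True},
    "script-blocking": {"techniques": {"T1059"}, "enabled": False},
}


def coverage_by_technique(tools):
    """Split the inventory into techniques covered by enabled tools and
    techniques that only a licensed-but-disabled tool addresses."""
    covered, unused = {}, {}
    for tool, info in tools.items():
        target = covered if info["enabled"] else unused
        for technique in info["techniques"]:
            target.setdefault(technique, set()).add(tool)
    return covered, unused


def prioritised_gaps(register, tools):
    """Return (technique, score, status, tools) rows, highest risk first.

    status is 'covered', 'licensed-not-enabled' (a quick win: configuration,
    no new spend) or 'gap' (nothing in the estate addresses it).
    """
    covered, unused = coverage_by_technique(tools)
    rows = []
    # Stable sort keeps register order for equal scores.
    for risk in sorted(register, key=lambda r: r.score, reverse=True):
        if risk.technique in covered:
            status, names = "covered", covered[risk.technique]
        elif risk.technique in unused:
            status, names = "licensed-not-enabled", unused[risk.technique]
        else:
            status, names = "gap", set()
        rows.append((risk.technique, risk.score, status, sorted(names)))
    return rows


def coverage_ratio(register, tools):
    """Share of total risk score addressed by controls that are actually on."""
    rows = prioritised_gaps(register, tools)
    total = sum(score for _, score, _, _ in rows)
    covered = sum(score for _, score, status, _ in rows if status == "covered")
    return covered / total if total else 0.0


if __name__ == "__main__":
    for technique, score, status, names in prioritised_gaps(RISK_REGISTER, TOOL_COVERAGE):
        print(f"{technique} score={score:2d} {status:22s} {', '.join(names) or '-'}")
    print(f"risk-weighted coverage: {coverage_ratio(RISK_REGISTER, TOOL_COVERAGE):.0%}")
```

The useful output is the middle status: a high-scoring risk marked licensed-not-enabled is exactly the “reuse current capabilities” case, where the fix is a configuration change rather than a purchase, and it gives the CFO or equivalent a risk-weighted number to track over time instead of a tool count.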


Matt is a global CISO with 20+ years of directing international security programmes for multi-billion pound organisations. He has a passion for security and is a cybersecurity evangelist.
