How do you cut a workforce by 80% and ensure the whole company doesn't collapse?
Or, more remarkably, release new features after you have done so?
I am, of course, talking about Elon Musk's actions at Twitter.
Disregarding the hype and vitriol that follow in Musk's wake, I was stumped by these questions.
That is until I mentioned it to my accountant wife...
Oh, it's obvious, zero-based budgeting.
Huh? 🫤
Zero-based budgeting is when all expenses must be justified each year, starting from zero instead of building on the previous budget. The fundamental question is always, "Do we need it?".
Oh... 🤔
I immediately realised this was the phrase I needed to join the threads of my previous conversations about cybersecurity.
I have always bristled at the idea of security as an "investment".
Investments generate money at an expected rate of return.
While writing a research paper for ECIIA and Poste Italiane in 2011, I became convinced that:
Cybersecurity is a necessary cost of doing business, just like legal, finance, and HR.
It's a cost centre that provides a resilient foundation to create unique value.
No matter how I tried to position cybersecurity as a strategic competitive advantage, the idea didn't hold up in almost every case.
I found cybersecurity was essential but ultimately a cost of doing business.
One that couldn't be skipped but must be managed under cost control.
And one of the best ways to implement cost controls is zero-based budgets.
As with many cybersecurity conversations, a zero-based budget starts from cybersecurity threats and risks.
What risks do you face when providing services to customers and delivering your unique value?
Which do you care about?
For all organisations, the cybersecurity risks you care about will start with:
The solutions to address these risks are well-known:
The crucial point is that zero-based budgeting does not mean no budget.
Each purchased solution and its ongoing maintenance must be justified and stand on its own merits.
With vendors packing suites of features together, this leads to useful, albeit uncomfortable, conversations about overlapping features:
Microsoft and our backup service both offer EDR/antivirus. Yet we are spending thousands on using a different EDR/antivirus product... Why?
For many businesses, there is no justification and past decisions were based on personal taste.
But for others, the conversation may be:
Based on the latest MITRE Engenuity tests, CrowdStrike has a Mean Time To Detect (MTTD) 20 minutes faster than Microsoft's and detected in 5 scenarios that Microsoft missed. This increased performance is significant for our business-critical systems, and the increased cost is necessary.
Crucially, the decision rests on a specific justification, and the outcome is clear either way: spend thousands on a stand-alone EDR vendor, or spend nothing and sweat the licences you already have.
Starting with the common threats to your industry or the lessons learnt from incidents creates the foundation to build a zero-based budget.
The vast array of solutions can then be considered to find the optimal mix to mitigate the risks you face.
Crucially, zero-based budgeting does not mean there is no budget.
It means a fully justified cybersecurity budget that is under cost control.