Fresh Thoughts #148: Navigating Cybersecurity Storms: The Role of Policies in Zero-Based Budgets


Last week, I wrote about Cybersecurity Zero-Based Budgets.
A crucial tool to control the cost of implementing cybersecurity.
Where each solution and spending decision is justified and not simply "adjusted for inflation".

Ultimately, cybersecurity is a necessary cost of doing business - just like legal, finance, and HR.
We must manage cybersecurity under cost control to help drive profitability while providing sufficient security.

One area I didn't mention, but which is essential to consider, is cybersecurity policies.
The plans and statements we use to communicate to our team - "This is how we are going to work... This is what good looks like..."

It may be the endless series of early-winter storms we have experienced recently, but I remembered a piece I published in 2022.

Policies, Plans and Bad Weather

If you spend enough time outside in bad weather, you learn storms have shapes.
Small storms - squalls - can float right by and not put a drop of rain on your head.

Part of navigating a boat is going around storms.
There's no need to get wet unnecessarily.
One of the many roles a captain fulfils is to create a plan.
Navigating the storms - and ending up at the destination.

In business, there's also a plan.
But unlike a boat with a rudder and propulsion, there isn't a mechanical way to translate the plan into action.

In business, we use policies.

Policies are equal parts what we will do and what we won't.
They're a communication tool.
...of all the infinite possibilities, here are the lines our business will work within.

Policies are lines to work within… not a list of exact steps.
They're way markers.

Cybersecurity policies say...

Do apply critical software patches within 14 days.
Don't share passwords and logins between people.

"How are we going to achieve this?" is of no concern.

But remember, policies need wiggle room for creativity - to complete the plan and reach the destination.

Final Thoughts

Cybersecurity zero-based budgets can't only be reactive.
Common threats, lessons learnt, and the optimal mix of security solutions can't be the only areas of conversation.

Having a clear picture of how we want our businesses to operate is essential.
And part of the zero-based budget must be allocated to safeguarding that vision.

December 10, 2024
Fresh Sec Limited

Call: +44 (0)203 9255868