One of the biggest challenges CISOs face is that there is always more that could be done to secure an organization, but only a finite amount of resources with which to do it. It's a common problem for security leaders. To help CISOs and other security leaders set investment priorities for their cybersecurity portfolios, Fortinet teamed up with Early Adopter Research to study the choices and decisions CISOs have made.
The 100 Coins research project asks leading CISOs to allocate a budget of 100 coins across 25 categories of cybersecurity capabilities. It started at the RSA conference two years ago, when a group of CISOs was asked to allocate 100 coins, that is, units of cybersecurity spending, across 25 different categories of cybersecurity capabilities. The exercise was repeated at another conference until a total of 7 CISOs had participated.
According to Fortinet's Phil Quade, the inspiration for this approach came from his experience with similar exercises during his tenure at the National Security Agency, where a "100 Coins" exercise is sometimes used as an aid for thinking about planning and resource allocation. The general idea of the exercise is for participants to suppose they have a couple of hundred things they might wish to buy, but only 100 coins to spend. What would they choose to buy, and why?
The resulting report captures thinking from leading CISOs about how to make the difficult decisions and tradeoffs when allocating a fixed amount of money across a portfolio.
Each participant was presented with a fixed portfolio of solutions spanning 25 different categories, with items in each area assigned a value. CISOs had to make selections using their limited budget, and then explain their decision-making process.
The results of this exercise, combined with more extensive research from the Early Adopter Research team, have been summarized in a new paper entitled, “Creating the Ideal Cybersecurity Portfolio: Leading CISOs Reveal Their Priorities.”
The report starts with the results of the 100 Coins exercise, and then provides practical advice from interviews with CISOs.
In this section, the consensus is that CISOs need to avoid diving straight into specific technologies and should instead think strategically. Here are three areas CISOs discussed:
This section of the report focuses on critical qualities of any cybersecurity solution under consideration, such as making sure the solution matches your maturity level, both in terms of your infrastructure and the expertise of your security team. Solutions that are too complex or require a lot of fine-tuning might be ideal for some organizations but may end up sitting on a shelf collecting dust in others. This also includes deciding if, and when, to adopt leading-edge solutions.
Platform readiness is another essential element that needs to be understood before deploying any technology. Can you run this technology in your environment? Can it be integrated with the other solutions already in place, or will it be a standalone and largely isolated solution? How well does it work across other platforms? This includes whether it can be deployed as a cloud-native solution, whether it runs consistently across multi-cloud environments, and whether it can seamlessly share and enforce policies and protocols regardless of where it is deployed.
This new report captures detailed thinking from several leading CISOs about how to make difficult tradeoffs when allocating a fixed amount of money across a portfolio. Processes and strategies are discussed in detail, helping CISOs as well as those seeking to better understand cybersecurity make better and more effective decisions.
Read the full report, “Creating the Ideal Cybersecurity Portfolio: Leading CISOs Reveal Their Priorities,” to learn more about how leading CISOs allocated their cybersecurity spending in the 100 coins exercise.
Find out how Fortinet’s Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital attack surface, from IoT to the edge, the network core, and multi-cloud environments.