Industry Trends

The 100 Coins Exercise: Cybersecurity Priorities Advice from Leading CISOs

By Fortinet | July 29, 2019

One of the biggest challenges faced by CISOs is that there is always more that can be done to secure an organization and a finite amount of resources with which to do things. It's a common problem for security leaders. To help CISOs and other security leaders better address investment priorities about their cybersecurity portfolios Fortinet teamed up with Early Adopter Research to develop research into the choices and decisions CISOs have made.

What Is the Fortinet 100 Coins Project?

The 100 Coins research project asks leading CISOs to allocate a budget of 100 coins over 25 categories of cybersecurity capabilities. It started at the RSA conference two years ago when some CISOs were asked to allocate 100 coins, that is, units of cybersecurity spending, over 25 different categories of cybersecurity capabilities. This exercise was repeated at another conference until a total of 7 CISOs participated.

According to Fortinet's Phil Quade, the inspiration for this approach came from Quade’s experience doing similar exercises during his tenure at the National Security Agency. They sometimes use a "100 Coins" exercise as an aid for thinking about planning and resource allocation. The general idea of the exercise is for participants to suppose they had a couple of hundred things they might wish to buy, but only one-hundred coins to spend. What would they choose to buy, and why?

The resulting report captures thinking from leading CISOs about how to make the difficult decisions and tradeoffs when allocating a fixed amount of money across a portfolio. 

Running the 100 Coins Exercise with Leading CISOs

Each participant was presented with a fixed portfolio of solutions spanning 25 different categories, with items in each area assigned a value. CISOs had to make selections using their limited budget, and then explain their decision-making process.

The results of this exercise, combined with more extensive research from the Early Adopter Research team, have been summarized in a new paper entitled, “Creating the Ideal Cybersecurity Portfolio: Leading CISOs Reveal Their Priorities.”

A Peek at the Results

The report starts with the results of the 100 Coins exercise, and then provides practical advice from interviews with CISOs.

Portfolio Goals, Priorities, and Tradeoffs

In this section, the consensus is that CISOs need to avoid diving in on specific technologies and instead think strategically. Here are three areas CISOs discussed:

  • Determine the balance you need to strike between prevention, detection, and response. This decision depends on things like the kind of industry you are in, the kinds of data and resources you use, the nature of your environment, and things like digital transformation plans. The answers to these questions can have a significant impact on balancing your security strategy.
  • You also need to understand your organization’s tolerance for risk. Understanding what resources are table stakes that must be protected at all costs, their general vulnerability to different sorts of attacks, and the impact to the organization if they are compromised all help set the agenda for this part of an evaluation. Only then can you decide whether, and how much, you want to play offense, and where to play defense when it comes to acquiring and deploying cybersecurity resources.
  • The hardest challenge is that many problems don’t have easy answers. When creating a hierarchy of needs, you still need to decide whether you should address your worst-case scenarios or your most common risks. This requires scoping out any challenges and then mapping them to  solutions in place to determine which resources need to be replaced or upgraded or what critical gaps exist in your current security portfolio. This may also include evaluating enduring problems that you can't simply spend your way out of.

Aspects of the Ideal Solution

This section of the report focuses on critical qualities of any cybersecurity solution under consideration, such as making sure you match solutions to your maturity level. This needs to be done both in terms of your infrastructure and the expertise of your security team. Solutions that are too complex or require a lot of fine-tuning might be ideal for some organizations but may end up sitting on a shelf collecting dust in others. This would also include deciding if or when to adopt leading-edge solutions.

Platform readiness is another essential element that needs to be understood before deploying any technology. Can you run this technology in your environment? Can it be integrated with other solutions in place, or will it be a standalone and largely isolated solution? How well does it work across other platforms? This includes whether it can be deployed as a cloud native solution, whether it runs consistently across multi-cloud environments, and if it can seamlessly share and enforce policies and protocols regardless of where it is deployed.


This new report captures detailed thinking from several leading CISOs about how to make difficult tradeoffs when allocating a fixed amount of money across a portfolio. Processes and strategies are discussed in detail, helping CISOs as well as those seeking to better understand cybersecurity make better and more effective decisions.

Read the full report, “Creating the Ideal Cybersecurity Portfolio: Leading CISOs Reveal Their Priorities,” to learn more about how leading CISOs allocated their cybersecurity spending in the 100 coins exercise.

Find out how Fortinet’s Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital attack surface from IoT to the edge, network core and to multi-clouds.