Source: neal and molly jansen via Alamy Stock Photo
COMMENTARY
There is a popular Internet tale that traces the design of the space shuttle to the size of a horse's ass. Essentially, Roman chariots were drawn by two horses and the chariots were optimized for that width. For that matter, all carriages were designed with that width in mind, as it made logistical sense. Those carriages created ruts in all roads, and to prevent damage to future carriages, all carriages were designed to fit the ruts. When railroads came into being, railroad cars were based on available carts and the tracks were designed accordingly.
Then the space shuttle engines had to be transported on railroad lines and therefore had to be sized for transportation. So theoretically, the size of a horse's hindquarters influenced the design of the shuttle. While there is question as to whether this is true regarding the space shuttle, Minuteman missiles were transported on rails, so therefore were influenced accordingly. In checking with Snopes, there is some fundamental truth to the mechanics that major transportation systems today are designed based on that surprising measurement.
What's in Your Budget?
I contend that for all practical purposes, cybersecurity budgets are the same as a horse's ass. Throughout my three-plus decades in cybersecurity, I have watched the cybersecurity budget process in industry, academia, and government. Inevitably, the budget process begins with what the current budget is and then determines whether there can be an increase for the following year.
The CISO determines if they can ask for more money, and what amount that is. Frequently, it's a percentage based upon knowledge of what management is willing to offer. They then juggle competing priorities as to how to use that budget. Sometimes, there may be a conscious determination of a couple of specific needs. They hopefully get that budget increase and balance accordingly.
There can potentially be an out-of-cycle increase due to an incident, unfavorable audit report, regulatory violations, etc. These are relatively rare, and even when they happen, budget increases are typically to account for very specific countermeasures to make it through the issue at hand.
So when you extrapolate the budget process, inevitably the current budget is based on the previous year's budget, which is based on the prior budget, which is based on the prior budget and so on. The current budget may therefore be fundamentally based on a budget from more than a decade ago.
It is also likely that the budget a decade ago was poorly equipped to handle the challenges at the time, and while the budget was evolutionary, arguably the technology increases have been revolutionary. This is much in the same way that technology has advanced, but large segments of transportation are still based on the average size of a horse's butt.
Room to Maneuver
Yet here we are. In large part, budgets carry the staple countermeasures from year to year. There is some addition for new technologies. Again, though, CISOs do a balancing act to enhance their programs, while vendors fight to displace other vendors in the budget or hope for more money to get their own piece.
To deal with the horse's ass of a budget, you first must acknowledge what you're dealing with. This acceptance is the first step in improving the situation. It should cause a reasonable CISO to ask themselves, "if I would start over, what would my budget look like?"
There's a concept from the 1990s of business process reengineering (registration required). While admittedly this is difficult, it is becoming more practical with cyber-risk quantification and cyber-risk optimization tools. But that's the subject for another article.
In the meantime, realizing that you're being limited by a proverbial horse's rear will allow you to take a realistic view of your cybersecurity program to see if it's been unnecessarily limited by historical budget constraints.