8.7.23 > Jeff Norem

“We have enough security budget to properly protect the organization and meet all of our risk and compliance obligations,” said almost no CISO ever – especially those at small- to midsized organizations. Most of us know budgets will always be tight, so how can we continue to improve without budget busting? Below are three ideas you can use to get more out of your security budget.


  1. Define your operating model – craft and share your security story

How good is your security program documentation? Do you have a standard control and operating procedure formats and quality? Do you have a strategy and was it made generically based on industry analyst documents or was it discussed with your peers and leadership for how security can support the business objectives? Your program documentation is all that explains your security story when you are not there to talk about it, so spend time making sure it explains your intent and approach.


Make sure your Standard Operating Procedures  are clear — and then evaluate them. The next time you bring in a new SOC analyst, see if they can complete their duties simply by reviewing the runbooks and documentation. Remember to answer these questions: What are you cyber capabilities, what are the most relevant threats to your organization and how do your capabilities help you? Not all controls and capabilities are created equal, so which are the most important and why?


Go beyond awareness. Could you better explain the security expectations to all stakeholders? It is common for teams to write a new security policy or requirement and assume that everybody (including their own teams) fully understand all the expectations to comply with the requirement. Do not assume that awareness and understanding is a given.


I often harp on controlling the narrative or telling a better story. We all know all the small, not-earth-shattering improvements we can make, do not “wow” our stakeholders or might not be headline-grabbing. That doesn’t mean they are not just as valuable. Focus on better explaining how hygiene and simple efficiencies or enhancements also move the needle. By using storytelling techniques like framing the problem or citing real-world, relevant examples, much can be done at a small cost to improve the security story.


  1. Get more out of your current tooling

If you are reading this and in security, it is a coin flip that you have a “tool rationalization” project already going. Many of us would like the get the best-of-breed or shiny innovative technology product. Take a look at your email or LinkedIn, there are many partners that are happy to help sell it to us. Odds are that you will not always have the budget to get the best point solutions and ensure they are properly integrated across your security stack. Think about how you can work with your vendor partners.  The good ones are not just selling you a tool, they are trying to help you improve your capabilities and find the right tools at the right cost for your organization’s needs.


There is no right answer on the point solutions or integrated platform question, there is just what is right for your program and organization. If you have budget constraints, less tooling to manage, update, document, audit, etc., can result in cost and time savings. Take a deep look at the functionality of your tools to see if you are getting all the value from them or if there are modules or integrations that are “good enough” so you can get rid of other point solutions. My approach has been to look at the best point solutions for the protections that matter the most and try to consolidate all of the others where I can.


If you can’t afford more outsourced penetration testing or commercial automated testing tools, ask an intern or junior analyst learn Kali or burp suite. Not only can you do some cost-effective testing, but it also engages your talent and allows them to learn.


  1. The best way stay on budget is to get the budget you need from the start!

Let us talk about cyber risk quantification.  If you are not aware of this approach to make better security decisions by looking at your cyber risk through the probability of financial loss, you are falling behind.   Use these approaches to improve your ability to justify your resource ask with financially based return on investment. How is the request supporting the business? The best way to not go over budget is to justify and get leadership to approve a realistic budget that meets your organization’s cyber needs.


A tight budget does not mean a great cyber program is impossible. With a strong vision, some creativity, quantification of your cyber risk, and partnership with your leaders, you can live within your means and meet – or even exceed – your program goals.


This post reflects the author’s opinion and does not necessarily reflect the position or viewpoint of Freddie Mac.



Co-chair of 2022 Cyber Security Summit; Deputy CISO, Freddie Mac

Jeff is a data protection and privacy leader, CISO, board member and cyber product adviser with 20+ years of experience in security, privacy, fraud and risk management across multiple industries.  He is a frequent speaker at global security and risk conferences, author and active member in the community.

Jeff holds an MBA from the University of St. Thomas with a focus in the risk leadership, is a founding member of the UST Risk Leadership Advisory Board.  Certs include: CISSP, CISA, OpenFAIR.

His focus is building security programs that allow organizations to meet their objectives through effective decision making and prioritized security investments by truly understanding their risk in terms of probability of financial loss.

Check out his LinkedIn