Where should you focus your cybersecurity budget?


Given a limited budget, if you had to choose between technical controls and more staff education on cybersecurity awareness, where would you focus to get the most risk reduction?

I always feel as though you can do security awareness on a low budget through a variety of methods, so I would definitely choose technical controls over security awareness to reduce my risk.

From my experience, both areas are very important; however, training is always hit and miss as it comes down to staff behaviour and changing behaviour (but it is an important area if you are able to have something in place). Technical controls, on the other hand, are something you can force, and over time they do make a difference. Patching devices is one good place to start, and if you have not heard of the Essential 8 framework from the Government (www.asd.gov.au), this is a good place to start your journey with cyber.

I agree that training is the follow-on, but initially I would be focusing on patch management and hardening of your new systems. If you don't have your environment updated from a security perspective, then any training is not going to help.

From my experience, I'd advise you to focus your budget on obtaining ISO 27001 certification. ISO 27001 allows you to identify security and organisational risk across the board. Even if you do not attain ISO, the mere fact that you perform an ISO audit will justify the need to spend to negate risks.

I would also add that it differs greatly depending on what industry you're talking about and what your compliance obligations are.

If you spend all of your money on awareness but you are an APRA-regulated business, then that may be quite a poor choice in budgeting.

This post isn’t about #security-awareness. It’s about mindset.

Your attackers are living off the land, so why shouldn't you? In the physical world, living off the land means surviving only on the resources you can harvest from the land around you.

In the cyber world it is the same idea, whether it's an attacker using binaries that are already on your servers (LOLBINs, so nothing new has to be dropped on disk) or you as a defender using resources that are already available to you.

How much money can you save?

It's going to cost you enterprise dollars for enterprise services. That truism applies to security awareness services such as phishing simulations as much as to anything else.

How much is a consultant going to charge for phishing?

When I recall the phishing simulations I performed earlier in my career, clients were paying a bare minimum of $5k, and that was for a single month. Multiply that by 12 and you get an annual cost of around $60k, and often the annual cost was much higher.

That’s not a good use of a tight budget. A phishing SaaS would be a better use of money.

How much is a phishing SaaS going to cost?

For an enterprise with 2,500 people, even if you use a SaaS and have your own team operate the phishing campaigns, you are looking at the ~$20-40k range (see Appendix A). I pulled those prices off the first page of Google, so I'm sure you can negotiate them down.

Living off the land with GoPhish

Let's bring that price down to zero. Living off the land means using resources already available to you, such as #opensource phishing toolkits.

Gophish is one such tool.

Remember, it's a simulation, so you don't need to be an expert. You don't need spam-filter evasion, you don't need an aged domain, and you don't need to configure SPF or DKIM either. All you need to do is allowlist the sending servers or domains you use for the test in your own mail gateway. Keep that allowlist narrow (the specific sending host and domain, not a whole provider) and remove it when the campaign ends, because anything on it bypasses the filtering that protects you from real phishing.

Get started with Docker

To see how simple it is, let's get started with a Docker container for GoPhish.

docker run --rm --name gophish -e GOPHISH_INITIAL_ADMIN_PASSWORD=strategymix -p 3333:3333 -p 80:80 gophish/gophish

This starts two listeners. Port 3333 is the admin interface and port 80 is the phishing website that your targets will be sent to. Note that -p 3333:3333 publishes the admin interface on every interface of the host; on anything other than your own workstation, bind it to loopback instead (-p 127.0.0.1:3333:3333) and reach it over SSH or a VPN, since whoever can log in there can see every campaign and captured result. Also, --rm throws the container's database away when it stops, which is fine for a trial but not for a real campaign.

Visit https://localhost:3333/login?next=%2F

The admin interface serves a self-signed certificate by default, so your browser will warn you; that is expected for a local test. Log in as admin and change the password from the initial "strategymix" to something else straight away.

Under Email Templates, create a new template with the subject and body your lure will use.

Then set up a landing page for the link to point at, a sending profile (the SMTP server you allowlisted), a group of target users, and finally a campaign that ties them together.

You get the idea of how easy this would be to set up on a VPS: register a few look-alike domains (ones you own and control, so nobody else can pick them up and reuse your lure later), have your own team configure it, and you just saved a slice of budget.
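Once the steps above are familiar, you don't need to click through the admin UI at all: GoPhish exposes everything as a REST API, so the whole campaign can be scripted and re-run each quarter. The script below is an added example, not code from the original post or from the GoPhish project. It assumes the default admin listener at https://localhost:3333 with its self-signed certificate, an API key copied from Settings in the admin UI, and the endpoint paths and field names from the GoPhish API documentation (check them against your version). The hosts, addresses and recipients are placeholders.

```python
"""Create a GoPhish campaign over its REST API instead of via the admin UI.
Added example; not code from the original post or the GoPhish project.
Assumed: default admin API at https://localhost:3333 (self-signed cert),
API key from Settings, endpoint/field names per the GoPhish API docs.
"""
import json
import ssl
import urllib.request

ADMIN_URL = "https://localhost:3333"      # assumption: default admin listener
API_KEY = "replace-with-your-api-key"     # assumption: placeholder

# {{.FirstName}}, {{.URL}} and {{.Tracker}} are GoPhish template variables.
EMAIL_HTML = """<p>Hi {{.FirstName}},</p>
<p>Your mailbox is almost full. <a href="{{.URL}}">Review your storage</a>
before sending is suspended.</p>
{{.Tracker}}"""

# A plain login form; GoPhish records the submission when the form posts.
LANDING_HTML = """<form method="post">
<input name="username"><input name="password" type="password">
<button>Sign in</button></form>"""


def template_payload(name, subject, html):
    return {"name": name, "subject": subject, "text": "",
            "html": html, "attachments": []}


def page_payload(name, html, redirect_url):
    # capture_passwords stays False: a simulation only needs to know that
    # someone submitted; it should never store real passwords.
    return {"name": name, "html": html, "capture_credentials": True,
            "capture_passwords": False, "redirect_url": redirect_url}


def smtp_payload(name, host, from_address):
    return {"name": name, "interface_type": "SMTP", "host": host,
            "from_address": from_address, "ignore_cert_errors": True}


def group_payload(name, csv_rows):
    """csv_rows: 'first,last,email,position' lines (e.g. an HR export)."""
    targets = []
    for row in csv_rows:
        first, last, email, position = [c.strip() for c in row.split(",")]
        targets.append({"first_name": first, "last_name": last,
                        "email": email, "position": position})
    return {"name": name, "targets": targets}


def campaign_payload(name, template, page, smtp, group, phish_url):
    # Objects are referenced by name, so they must already exist.
    return {"name": name, "template": {"name": template},
            "page": {"name": page}, "smtp": {"name": smtp},
            "groups": [{"name": group}], "url": phish_url}


def build_campaign(recipients_csv, phish_url="http://phish.example.test"):
    """Return (endpoint, payload) pairs in the order they must be created."""
    return [
        ("/api/templates/", template_payload(
            "Quota warning", "Mailbox quota exceeded", EMAIL_HTML)),
        ("/api/pages/", page_payload(
            "Webmail login", LANDING_HTML,
            "https://intranet.example.test/awareness")),
        ("/api/smtp/", smtp_payload(
            "Internal relay", "smtp.example.test:25",
            "IT Support <it-support@example.test>")),
        ("/api/groups/", group_payload("Pilot wave", recipients_csv)),
        ("/api/campaigns/", campaign_payload(
            "Q1 quota phish", "Quota warning", "Webmail login",
            "Internal relay", "Pilot wave", phish_url)),
    ]


def api_post(path, payload, api_key=API_KEY, base=ADMIN_URL):
    """POST JSON to the admin API. Certificate checks are disabled only
    because the stock container serves a self-signed cert on localhost."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        base + path, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample recipients, not a real target list.
    rows = ["Alice,Smith,alice@example.test,Finance",
            "Bob,Jones,bob@example.test,HR"]
    for path, payload in build_campaign(rows):
        print(path, api_post(path, payload).get("id"))
```

The order matters because the campaign references the template, page, sending profile and group by name. The landing page is created with capture_passwords off on purpose: for an awareness exercise you want the click and the submission, not a database of staff passwords sitting on a VPS.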

What about the rest of my security awareness budget?

High-quality, free resources for security awareness training are abundant online.



You can even find some posters to print and put up around the office.

And more

Appendix A: Some current enterprise phishing prices

All figures are for 2,500 people. Per-seat figures are the annual AUD price divided by 2,500.

Vendor 1: enterprise pricing is AUD $42,796.99 per year. That is $17.12 per seat.

Vendor 2: published tiers top out at 500 people for USD $3,800, so covering 2,500 people takes five tiers: USD $19,000, or AUD $28,545.98. That is $11.42 per seat.

Vendor 3: USD $1,050 per month for 2,500 employees, i.e. USD $12,600 per year, or AUD $18,928.16. That is $7.57 per seat.

IMO, spending the budget on education isn't an option till you've addressed risk directly. You should focus your budget on what your largest risks are. You need to identify what those risks are. Then you can judge how best to cost-effectively deal with them via risk transfer to another party, risk avoidance (restructuring of activities), or risk mitigation via technical controls or new/changed procedures. To identify risk, you need to combine internal and external data to do with threats, vulnerabilities, assets, controls and impacts (if risks crystallise). Focus on your key business processes and assets first. Look at frameworks like OCTAVE, SEI SERA and FAIR. I should also say that, with spending on staff education, you soon get into diminishing returns: spending more and more gets you less and less improvement. A basic level of awareness is mandatory, though, of course.