As we have worked with clients in the back half of 2016, we have started to help them think about their 2017 strategies. There are a couple of major themes we see again and again that are interesting.
We commonly see that getting budget allocated is something that is reactionary. Often next year’s budget is 2016 + 10%. We generally assert that our threat models have been wrong for years and that our adversaries, our dependence on vendor tools and other key assumptions mean that this year’s budget was so far off that there is no way a 10% change will fix it. We tend to suggest that our partners leading security teams stop and develop their own mental model for how to come up with a budget and then ask for that – without reference to past years or numbers.
We are big fans of the OWASP Maturity Model conceptually. We find that in many cases it can be helpful to step back even further and think about the top-level areas in a simpler way. As an example, people who come from compliance tend to favor spending in certain ways – while people who come from network tools tend to favor other kinds of spending. We can help make sure there is a broad mental model so that investments are conscious tradeoffs and not a reflection of past biases.
To that end, we have developed a modeling process where we build a dashboard and talk through it with clients.