The need to add cyber security to an organization’s annual budget is readily apparent to most enterprises. But how a CISO allocates and justifies that budget is never quite so straightforward.
Unlike marketing, sales, engineering and support – where ROI can be more easily explained – the math of cyber security’s ROI is not simple. However, with the cost and frequency of data breaches increasing by the minute, budgeting appropriately and spending that budget wisely is more important than ever for today’s CISOs.
Creating a Cyber Security Budget Breakdown
The amount of money businesses spend on cyber security relative to their total budget varies widely from industry to industry and from organization to organization. As such, it is difficult to determine the amount or percentage the CISO should request.
However, there are generally five main categories that all organizations should consider when allocating their cyber security budgets:
- Compliance. Some compliance regulations determine security budget allocation. In the healthcare sector, for example, HIPAA defines data privacy and security requirements to protect individuals’ medical records and other personal health information. To meet these requirements and avoid potentially hefty fines, CISOs must spend budget on specialized equipment and technologies. In the HIPAA example, this includes data classification, encryption and lifecycle management.
- Ongoing risk assessment. Active CISOs must continuously monitor the effectiveness of the security controls in their environment and check them against prevalent attack vectors. If risks rise above pre-agreed thresholds, the CISO will need to seek further budget to address them, discuss the risks with management, or re-allocate the budget toward the higher risk levels management has agreed to accept. Tools and services to budget for in this category include cyber insurance, penetration testing, bug bounty initiatives and incident response.
- Ongoing security training. Security training is no longer a one-off event on the annual mandatory compliance checklist. It is imperative that every employee and contractor is involved in making this a continuous effort. Using public shaming or fear to motivate employees is not effective. Instead, cyber security training needs to be memorable and fun as well. Forward-looking CISOs partner with their business-line counterparts to make this a frictionless yet effective exercise.
- New business initiatives. Any new business initiative adopted in the CISO’s company should be evaluated and, if applicable, given a security budget to ensure that the company and its new customers remain safe. For example, marketing departments may outsource content creation to a third-party provider overseas, or customer support may decide to store all customer support cases on a cloud storage platform. Both of these scenarios present additional risks, which must be addressed by the CISO and security teams prior to implementation.
- Changes in business priorities. These can be related to people, technology or monetization. From a people perspective, an example of a business priority shift is the hybrid or, in some cases, sustained work-from-home model and the ongoing adaptations required to maintain cybersecurity best practices. From employee onboarding – and offboarding – to employees’ use of shared home routers, local offline data storage, personal devices and video conferencing, to home privacy needs, all require security optimization and budget redistribution. Examples of technology shifts include the move to the cloud, from a single provider to a hybrid model, or to outsourced engineering; each shift demands re-evaluation and budget redistribution.
How much is allotted to each category depends on various factors. For example, new compliance rules may increase spending in that category for that year. One example is the rising cost of data privacy driven by the CCPA, which came into force on January 1, 2020, with enforcement beginning July 1, 2020. Additionally, a new investor or new CEO can change the risk appetite of the company, causing a corresponding increase or decrease in what the organization spends on security and thus in how much the CISO allocates to individual security categories.

6 Cyber Security Budgeting Best Practices
Understanding the present and planning for future needs is the key to managing an information security budget more effectively. The following six steps should give the CISO good control over budget allocation and justification:
- Understand how the budget is currently being allocated. Create a complete list of current products and services, along with the daily, monthly and annual expenses for each. Before the advent of cloud and subscription-based models, this was a much simpler exercise. Nowadays, with on-demand buying and provisioning, this task takes a lot of effort. And it needs to be done periodically – not only on the annual renewal schedule, when vendors want you to sign a contract by a renewal deadline.
- Monitor, monitor, monitor. After conducting an exhaustive inventory, put in place procedures to continuously monitor the effectiveness of cybersecurity equipment and services, as well as processes to fine-tune, reconfigure or shut them down when needed. Note that product pricing and renewal decisions cannot be based solely on activity or the lack of it. For example, products like phishing protection tools may be battle-tested every day, so their need is clearly justified, while other products, such as DDoS or ransomware defense systems, may not see use for months, if ever. Instead of judging by activity alone, look at industry statistics and attacks targeting competitors to help decide whether a product or service is worth discontinuing. This review is also an opportunity to assess new and more cost-effective products or services – when there is no activity, swap-outs can be less risky.
- Be a storyteller, advocate and confidant. As partners to fellow associates across business lines and functions working to increase efficiency and drive revenue and engagement, CISOs can be an invaluable resource. For example, CISOs may run a full risk report on the products and services currently in use in a particular department and use it not only to show their partners the potential effects of cyberattacks on those products or services, but also how to reduce those potential risk impacts. This practice creates a more cost-effective and forward-thinking approach for CISOs and their partners alike.
- Prepare for the unexpected. The budget may expand or shrink due to unforeseen events. For example, the Log4j vulnerability suddenly expanded the scope of a CISO’s responsibilities to include the libraries in use throughout the organization and their security implications. Such an incident could increase the cyber security budget. Conversely, CISOs who are not actively advocating for how and why their budget is being spent can quickly become a target when there are organization-wide budget deficits.
- Manage salary effects. In the hot cybersecurity job market, where it is difficult to find qualified professionals – see the next step for one way to address this – there may be a tendency to pay higher salaries to attract talent. However, this can have direct negative consequences when head-count reduction is required. When OPEX reduction targets must be met and head count has to be cut, most companies want to keep the number of people affected to a minimum. And if fewer people can be affected by focusing on a handful of highly paid cybersecurity personnel, your team becomes an obvious target.
- Find and nurture talent. An obvious way to both recruit and retain talent at a reasonable cost is to invest in communities that may be eager to join the workforce but may not have been given the expected opportunities: for example, veteran communities, local community colleges and career switchers. Investing in these groups takes time, budget and effort, but the payoff can be worthwhile and long-lasting.
Will the cyber security budget increase or decrease?
The answer to the big question – will the cyber security budget increase, decrease or remain the same? – is, of course: it depends. Some of the triggers that have an impact on the budget include the following:
- Pandemic effect. One of the biggest impacts of the COVID-19 pandemic is the ever-changing hybrid model or, even more challenging in some organizations, permanent remote working. Another trend is the great resignation, along with the ongoing economic turmoil and, with it, the continuing challenge of security issues involving disgruntled employees. These challenges usually result in an increase in the security budget because the reputational and financial damage they can cause is substantial.
- Automation to replace or augment people. Coinciding with the perceived talent shortage is our growing ability to collect and mine data and build effective AI-based prediction models. But it starts with collecting the data that makes the model effective. For example, threat hunting and bug bounty programs are expensive, and their returns cannot be estimated. AI-based models can be built to last, and their budgets can be increased gradually as their effectiveness in uncovering and addressing issues is proven.
- CISOs remain effective storytellers and provide context. CISOs who have been successful in strategically and thoughtfully raising budgets are adept at adapting their security narratives to their audiences. For example, when presenting to a diverse board representing different industries, it can be effective to give each member a story that pertains to their industry background and a business issue to which they can relate. In doing so, you pave the way for a more fruitful conversation when a breach needs to be explained or a new initiative requires cybersecurity investment.
- Financial crisis. This new reality can have an immediate and severe negative impact on any security budget. Preparing for an economic downturn and keeping a prioritized list of what to cut when needed produces better results than simply reducing costs under pressure.
In short, in today’s world there are myriad factors that can have an impact on the cyber security budget. Being aware of and prepared for new cyber threats, economic upheavals and technological breakthroughs ensures better results for the business and for your cyber security organization.
This article was last published in September 2022.