Cybersecurity Budgeting Done Right: Five Steps

My morning cybersecurity alert scan uncovered this gem by CPA Joel Lanz on how to budget for cybersecurity. He makes a lot of excellent points. My favorite is being able to document that you’ve deployed, used, and benefitted from your previous investments in cybersecurity technology. Many infosec pros fail to do this, and it’s table stakes for being able to ask for anything else.

Lanz’s piece also inspired me to pass along Nemertes’ own research on the topic. As part of our 2016/2017 Security and Risk Management Benchmark and Security Model, we’ve been able to document key best practices that objectively correlate with maturity and effectiveness of cybersecurity organizations. Herewith, as we head into budgeting season:

  1. Start with a risk-based approach to setting the budget. Too often, infosec professionals ask questions like “How much of my IT budget should I be spending on security? What are other companies like mine doing?” The right answer: “Who cares?” There are two problems with this approach. First, infosec budget should be orthogonal to IT budget. It’s irrelevant how much you’re spending on IT; what matters is what resources you’re seeking to protect, and how vulnerable they are. Second, other companies may not have your risk tolerance, or be at your level of investment, even if they’re in the same industry. A company that’s been steadily investing over the years may need less of an investment in 2017 than you do; similarly, a more risk-averse company may require more. If that doesn’t convince you, be aware that security organizations that take a risk-based approach to investing do a significantly better job than their peers. For more on how to set a risk-based budget, see “Taking a Business Risk Portfolio Approach to Cybersecurity”.
  2. Invest in the bellwether technologies that are right for you. More isn’t better–not when it comes to cybersecurity investment. As part of our security benchmark and maturity model, Nemertes identified nine key bellwether technologies that leading-edge companies are more likely to be deploying than their less-mature peers. But here’s the key: Not every company needs an equal investment in all technologies. We recently wrapped up a security assessment of a financial services firm that had adopted a highly disciplined approach to investment. I was pleasantly surprised to see they had a 100% binary approach to bellwether technologies: The ones that fit, they’d already rolled out, and they had zero interest in pursuing technologies that weren’t a fit. That’s how it should be done.
  3. Take an ecosystem-based approach to cybersecurity. Big companies want to tell you they can do it all: protect your infrastructure and applications from soup to nuts. They can’t. It’s okay to work with a handful of strategic partners, but be sure to augment them with up-and-coming vendors that provide the right unique capabilities for your organization. And above all, select products that integrate seamlessly and easily into your existing and future organization.
  4. Don’t forget the non-technical investments. I’ve written here and here about the importance of training and user awareness, just two examples of non-technology investments that a mature organization should be making on an ongoing basis. It’s too easy for these critical areas to be either ignored or subjected to a hot-potato debate with HR over who owns responsibility for infosec training: “It’s your issue, HR! No, it’s yours, infosec! No, yours!” Training is just one area. Many infosec organizations also neglect paper exercises like developing an architecture and roadmap—to their eventual dismay.
  5. Clarify who owns what. Speaking of hot-potato debates, you need to be clear on which technologies, products, and solutions are covered by which department. In many organizations, IT (not infosec) owns the purchase of firewalls and firewall services. That’s fine, and in fact there’s no right answer to the question of “who should own what”. However–make sure that necessary technologies and processes that aren’t a line item in your budget are, in fact, a line item in someone else’s. You’d be surprised how often things fall through the cracks.

Hopefully, these five steps are enough to get you started on setting your 2017 cybersecurity budget. If you’re looking for additional help, you know where to find us!