In an article “Looking for a Magic Number”, Kim S. Nash of the The Wall Street Journal’s WSJ Pro Cybersecurity newsletter (subscription required) writes that “everyone wants a gauge but none exists” to set a cybersecurity program budget.
Nash cites a survey of 21 industries by Gartner that found an average spend of 6% of total technology budget on cybersecurity tool and services in 2018 (up about 5.5% over 2017). Financial services spent an average 7.3%, retailers 6.1%, health care 5% and manufacturing 4.5%.
But as Sam Olyaei, a senior principal analyst at Gartner tells The Journal, the average is “a benchmark to get people started. It is by no means supposed to indicate what you’re supposed to be spending.”
To get specific on a budget, “dive in and look at individual business programs,” Olyaei says. “Identify what technologies are related to that process and which people, what kind and how many are helping run that process. Then do a risk assessment.”
That requires a CISO to “know the business mission and vision of the company. Translate everything you do from a security perspective to a business perspective. Assign an operational value to it, a financial value to it, a customer satisfaction value to it. That’s hard, but tell that story.”
CISOs running a security program grounded in Factor Analysis of Information Risk (FAIR)and operationalizing FAIR through the RiskLens platform know how to tell that story: In the financial language of value at risk that the rest of enterprise risk management runs on.
In a blog post Win the Infosec Budget Cycle: A Short Guide for CISOs, Steve Tabacek, the cofounder and President of RiskLens, lays out a FAIR-based approach for CISOs that shows the steps beyond “know the mission” that are possible for organizations running a consistent model for risk analysis.
Next steps are to identify the organization’s top risk themes, and for each theme establish the risk in monetary terms as a range of probable annualized loss exposure (Read What Does RiskLens Reporting Tell Me?)