For many of our customers, the end of summer also brings the annual task of securing the next fiscal year’s budget.
For budget considerations, I don’t know a single organization that re-architects its risk management or security program based on major philosophical changes. Even a new CISO or managing executive will have to deal with entrenched systems, processes, tenured employees, company culture, and a regulatory environment that together drive the foundation of a budget.
Changes to most budgets are typically a few percentage points north or south of previous year allocations. Most CISOs I talk to describe their annual process of clawing for funds to support existing operations.
The First Principle of Information Security Budgeting
Each organization has a unique mission, and the infosec and risk management budget should substantiate the resources necessary to identify critical organizational assets or business processes, the threats to them, and the appropriate level of mitigating controls to manage that risk effectively. Within the context of infosec and cybersecurity, effective risk management is what ensures that mitigation resources deliver a return.
In his blog post Cybersecurity spend: ROI Is the wrong metric, Rick Howard of Palo Alto Networks proposed a CISO’s First Principle definition as “Prevent material impact on my organization”. I agree with his assessment. But no organization has unlimited resources.
Therefore, I suggest slightly modifying Rick’s definition to “Efficiently prevent material impact on my organization.”
As Rick notes in his blog post, the purpose of quantifying risk and understanding ROI is not to generate revenue! ROI of existing maintenance contracts, projects, or for that matter any risk mitigation effort should only be evaluated from an effective and efficient use of resources to reduce material negative impact to the organization.
Where to Start?
Infosec budgets fall into three buckets:
1. What are you required to do? i.e. regulatory conformance
2. What should you do? Your fiduciary obligation is to “prevent material negative impact to your organization.”
3. What internal and external conditions drive discretionary budgets? i.e. R&D
I have known CISOs who try to spread their budget across their domain like peanut butter spread evenly on a piece of bread. They want to ensure that all areas such as threat intelligence, identity & access management, APT, DDoS mitigation, endpoint protection, phishing awareness, web malware prevention, cloud access security, and incident response have some coverage.
But that doesn’t meet the efficiency test. The depth of coverage for each one of these areas should be aligned to a formalized risk management approach.
Risk Management vs. Non-Risk Management Approaches to Budgets
The non-risk management approach typically asks two questions:
1. What are other companies in my industry spending?
Wait…do you seriously believe:
- Your firm’s revenue is the same as theirs?
- Your firm’s cost structure and budget are aligned with theirs?
- Your firm has the same level of regulatory oversight?
- Your Board of Directors and executive management share the same risk appetite and tolerance as those of similar firms?
It should not matter what other firms in your industry are spending! The focus should be to manage risk within the conditions of your firm.
2. What was last year’s security technology budget? I need at least that to support:
- Renewal and maintenance of infrastructure asset contracts such as:
  - Devices such as servers, workstations, storage, VoIP, etc.
  - Apps supporting collaboration, interaction, and application workflow
  - Networks: the devices controlling traffic flowing securely throughout the organization
  - Data: securely storing and transporting data to intended users and applications
- Operational expenses such as personnel, technology, and processes to support basic operational functions
- Audit & compliance visibility, assessment, and reporting expenses
- New projects or initiatives based on what was learned at this past year’s conferences
In most cases, last year’s budget is a foundation in which the organization has grown accustomed to spending, and it’s highly unlikely that anyone will want to re-architect the entire budget.
The reality is that your next budget will move north or south of the current budget and it’s your job to determine how to more effectively allocate your budgeted resources.
Take a risk management approach:
Compliance – Must do, no choice (most of the time):
- Many organizations operate in a regulatory environment and should manage the positive and negative aspects of audits and compliance.
- It’s not about checklists or controls, but instead about risk management. Turn this task into “improving compliance conformance to better manage critical asset risk”. It's about getting into compliance with the tasks that reduce risk the most, not just going down a technical checklist.
- Many firms are able to challenge risk ratings, negotiate the removal of findings from reporting, or formally accept the risk associated with compliance findings after demonstrating that the compliance requirement has no risk management benefit. Acceptance should be documented and signed off by the executive who owns the affected asset, so that it survives the next audit cycle.
Know the Business and manage the risk:
- Know the strategic objectives of the business and the people, technology, and processes supporting the most important functions of the business.
- Only then identify the organization's top risk themes. For each risk theme, know:
  - Single loss magnitude (risk expressed in monetary terms for a single loss event)
  - Annualized loss exposure (probable loss event frequency multiplied by probable loss magnitude, giving an expected loss per year)
- The executives within your organization should determine whether to focus on single-loss-event or annualized-loss-exposure results.
- Risk quantification should produce an accurate distribution of outcomes, not a single number, so it is important that executives understand when to focus on the minimum, 10th percentile, average, 90th percentile, or maximum of loss event frequency and loss magnitude.
- Interpreting analysis results within the rules established will ensure consistency and an apples-to-apples comparison:
  - E.g. technology risk or cybersecurity insurance decisions may focus on the 90th percentile or maximum of one or more single loss events.
  - Prioritizing capital and human resource mitigation efforts may focus on the Annualized Loss Exposure (ALE).
Maintenance of Existing Systems: Justify ROI of top cyber tool maintenance contracts
- Pick the top-10 annually renewing cyber tool contracts and analyze the ROI of each investment.
- How much does the cyber tool reduce material impact to the organization? In other words, by how much does it lower the ALE of the risk themes it addresses, and how does that reduction compare with the contract’s annual cost?
- Are you spending $1M annually to protect a lower-value asset or business process?
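The percentile and ALE figures above, and the contract ROI question that follows from them, are easiest to see in a worked calculation. The Python below is an added example written for this page; it is not code from the original post and not the RiskLens platform or a FAIR-calibrated model. Each risk theme is described by three-point (minimum, most likely, maximum) estimates of loss event frequency and single loss magnitude, sampled as triangular distributions; a Monte Carlo run produces the annual-loss and single-event distributions, their minimum, 10th percentile, mean, 90th percentile and maximum, and the ALE. A control is then modelled as a fractional reduction of those estimates, so that a renewal’s annual cost can be set against the ALE reduction it buys. All theme names, dollar figures and control effects are constructed for illustration and are assumptions, not data from the post.

```python
import math
import random

# Added example, not from the original post. All inputs are constructed
# illustrations; the (min, most likely, max) triples and control effects are
# assumptions, not RiskLens data or calibrated FAIR estimates.


def percentile(sorted_values, p):
    """p-th percentile (0..100) of an already sorted list, nearest-rank style."""
    idx = round(p / 100 * (len(sorted_values) - 1))
    return sorted_values[idx]


def poisson(rng, lam):
    """Number of loss events in one year for a mean rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(theme, years=20000, seed=7):
    """Monte Carlo over `years` simulated years of one risk theme.

    theme["lef"]: (min, most_likely, max) loss event frequency, events/year.
    theme["lm"]:  (min, most_likely, max) single loss magnitude, dollars.
    Returns the ALE plus the distribution points executives ask about.
    """
    rng = random.Random(seed)
    lef_lo, lef_ml, lef_hi = theme["lef"]
    lm_lo, lm_ml, lm_hi = theme["lm"]
    annual, single = [], []
    for _ in range(years):
        lef = rng.triangular(lef_lo, lef_hi, lef_ml)  # random.triangular(low, high, mode)
        total = 0.0
        for _ in range(poisson(rng, lef)):
            loss = rng.triangular(lm_lo, lm_hi, lm_ml)
            single.append(loss)
            total += loss
        annual.append(total)
    annual.sort()
    single.sort() if single else single.append(0.0)

    def summary(values):
        return {"min": values[0], "p10": percentile(values, 10),
                "mean": sum(values) / len(values),
                "p90": percentile(values, 90), "max": values[-1]}

    return {"ale": sum(annual) / years,
            "annual": summary(annual),   # view used to prioritise mitigation spend
            "single": summary(single)}   # view used for insurance / worst-case questions


def control_roi(theme, control):
    """Set a control's annual cost against the ALE reduction it buys.

    control: {"name", "annual_cost", "lef_reduction", "lm_reduction"}; the
    reductions are fractions (0.5 halves the estimate). The same seed is used
    for both runs so the comparison is not dominated by sampling noise.
    """
    mitigated = {
        "lef": tuple(v * (1 - control.get("lef_reduction", 0.0)) for v in theme["lef"]),
        "lm": tuple(v * (1 - control.get("lm_reduction", 0.0)) for v in theme["lm"]),
    }
    before, after = simulate(theme), simulate(mitigated)
    reduction = before["ale"] - after["ale"]
    return {"control": control["name"], "ale_before": before["ale"],
            "ale_after": after["ale"], "ale_reduction": reduction,
            "annual_cost": control["annual_cost"],
            "net_benefit": reduction - control["annual_cost"],
            "reduction_per_dollar": reduction / control["annual_cost"]}


def rank_contracts(pairs):
    """Order (theme, control) pairs by ALE reduction per dollar, best first."""
    return sorted((control_roi(t, c) for t, c in pairs),
                  key=lambda r: r["reduction_per_dollar"], reverse=True)


# Constructed risk themes and renewal contracts (illustrative numbers only).
THEMES = {
    "ransomware": {"lef": (0.1, 0.5, 2.0), "lm": (50_000, 300_000, 2_000_000)},
    "dev_wiki_defacement": {"lef": (0.5, 1.0, 3.0), "lm": (2_000, 10_000, 50_000)},
}
CONTRACTS = [
    (THEMES["ransomware"],
     {"name": "EDR renewal", "annual_cost": 250_000, "lef_reduction": 0.5}),
    (THEMES["dev_wiki_defacement"],
     {"name": "WAF for internal wiki", "annual_cost": 1_000_000, "lef_reduction": 0.9}),
]

if __name__ == "__main__":
    r = simulate(THEMES["ransomware"])
    print(f"ransomware ALE ${r['ale']:,.0f}; single-event p90 ${r['single']['p90']:,.0f}, "
          f"max ${r['single']['max']:,.0f}")
    for row in rank_contracts(CONTRACTS):
        print(f"{row['control']:22s} ALE {row['ale_before']:>12,.0f} -> {row['ale_after']:>12,.0f}"
              f"  cost {row['annual_cost']:>10,.0f}  net {row['net_benefit']:>+12,.0f}")
```

The second constructed contract is the "$1M to protect a lower-value asset" case: its ALE reduction is real but a small fraction of its cost, so it ranks last and shows a negative net benefit, which is the kind of finding that should reopen a renewal conversation. Triangular sampling is used here only because it needs no third-party library; a calibrated PERT or lognormal fit, as used in FAIR tooling, would change the shape of the tails but not the procedure.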
Projects: Justify ROI of top security initiatives such as:
- Moving payment system to the cloud
- Outsourcing payroll to a new external vendor
- Widespread adoption of encryption at rest, ...or not
- Adoption of a DLP solution
Call it a risk management approach or a business-aware approach, but set up now to win the next budget cycle with a solid plan to maximize whatever resources you can claw your way to when the funding comes up for grabs.
The RiskLens platform equips business-savvy CISOs with the solid data they need to build risk-management-oriented budgets.