For many of our customers, the fall brings the annual task of securing the next fiscal year’s budget.
Most CISOs don’t completely overhaul their budget every year. Even a new CISO or managing executive will have to deal with embedded systems, processes, tenured employees, company culture, and regulatory environments that form the foundation of a budget.
Changes to most budgets are typically a few percentage points north or south of previous year allocations. Most CISOs I talk to describe an annual process of clawing for funds to support existing operations.
The winners of the infosec budget competition enter the process with spending proposals backed up by quantitative cyber risk analysis showing a return on investment in terms of risk reduction and support for the broader initiatives of the organization. Risk quantification sets you up to make your pitch for budget in the dollars-and-cents terms that the rest of the business operates on.
Steve Tabacek is co-founder and President of RiskLens
Each organization has a unique mission and the infosec and risk management budget should substantiate the resources necessary to identify critical organizational assets or business processes, associated threats, and appropriate levels of mitigating controls to effectively manage risk. Within the context of infosec and cybersecurity, effective risk management ensures ROI of mitigation resources.
In his blog post “Cybersecurity spend: ROI Is the wrong metric,” Rick Howard of Palo Alto Networks proposed a CISO’s First Principle definition as “Prevent material impact on my organization.” I agree with his assessment. But no organization has unlimited resources.
Therefore, I suggest slightly modifying Rick’s definition to “Efficiently prevent material impact on my organization.”
As Rick notes in his blog post, the purpose of quantifying risk and understanding ROI is not to generate revenue! ROI of existing maintenance contracts, projects, or for that matter any risk mitigation effort should only be evaluated for an effective and efficient use of resources to reduce material negative impact to the organization.
Infosec budgets fall into three buckets:
1. What are you required to do? e.g. regulatory conformance
2. What should you do? Your fiduciary obligation is to “prevent material negative impact to your organization.”
3. What internal and external conditions drive discretionary budgets? e.g. R&D
I have known CISOs who try to spread their budget across their domain like peanut butter spread evenly on a piece of bread. They want to ensure all areas such as threat intelligence, identity and access management, APT, DDoS mitigation, endpoint protection, phishing awareness, web malware prevention, cloud access security, and incident response have some coverage.
But that doesn’t meet the efficiency test. The depth of coverage for each one of these areas should be aligned to a formalized risk management approach.
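To make the “efficiency test” concrete, here is an added, illustrative example (not the RiskLens Platform’s method and not code from the original post) of how a quantitative risk model ranks candidate line items by risk reduction per dollar instead of spreading spend evenly. It uses a deliberately simplified frequency-times-magnitude loss model: loss events per year are Poisson, loss per event is lognormal, and each control is assumed to scale frequency and/or magnitude by a fixed factor. The scenario parameters, control names, costs and effect factors are all invented for the example.

```python
"""Rank candidate security controls by expected annual risk reduction per dollar.

Added, illustrative example: a simplified frequency-times-magnitude loss model
with Monte Carlo sampling. Not RiskLens code; all numbers are constructed.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: how often it happens and how bad it is.

    lef       : loss event frequency, expected events per year (Poisson rate)
    mu, sigma : lognormal parameters of the per-event loss magnitude (USD)
    """
    name: str
    lef: float
    mu: float
    sigma: float

    def expected_annual_loss(self) -> float:
        # Analytic ALE = E[events per year] * E[loss per event]
        #              = lef * exp(mu + sigma^2 / 2)
        return self.lef * math.exp(self.mu + self.sigma ** 2 / 2)


@dataclass(frozen=True)
class Control:
    """A candidate budget line item and its assumed effect on the scenario.

    freq_factor scales event frequency, mag_factor scales loss magnitude
    (1.0 = no effect, 0.5 = halves it). The factors are assumptions you
    would have to defend in the budget pitch.
    """
    name: str
    annual_cost: float
    freq_factor: float = 1.0
    mag_factor: float = 1.0

    def apply(self, s: Scenario) -> Scenario:
        # Multiplying a lognormal variable by a constant shifts mu by ln(constant).
        return Scenario(s.name, s.lef * self.freq_factor,
                        s.mu + math.log(self.mag_factor), s.sigma)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small per-year rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 7) -> list:
    """Monte Carlo: total loss in each simulated year (fixed seed for repeatability)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        events = _poisson(rng, s.lef)
        totals.append(sum(rng.lognormvariate(s.mu, s.sigma) for _ in range(events)))
    return totals


def summarize(totals: list) -> dict:
    """Mean (ALE) and 90th-percentile annual loss, the tail a budget owner cares about."""
    ordered = sorted(totals)
    return {"ale": mean(totals), "p90": ordered[int(0.9 * len(ordered))]}


def rank_controls(scenario: Scenario, controls: list, years: int = 20000, seed: int = 7) -> list:
    """Simulate before/after for each control and sort by risk reduction per dollar."""
    base = summarize(simulate_annual_losses(scenario, years, seed))
    rows = []
    for c in controls:
        after = summarize(simulate_annual_losses(c.apply(scenario), years, seed))
        reduction = base["ale"] - after["ale"]
        rows.append({
            "control": c.name,
            "annual_cost": c.annual_cost,
            "ale_before": base["ale"],
            "ale_after": after["ale"],
            "p90_after": after["p90"],
            "risk_reduction": reduction,
            "reduction_per_dollar": reduction / c.annual_cost,
        })
    rows.sort(key=lambda r: r["reduction_per_dollar"], reverse=True)
    return rows


if __name__ == "__main__":
    # Constructed scenario: ~2 phishing-driven account takeovers a year,
    # median loss ~$50k per event with a wide (sigma = 1.0) spread.
    phishing = Scenario("credential phishing", lef=2.0, mu=math.log(50_000), sigma=1.0)
    candidates = [  # hypothetical line items and assumed effects
        Control("phishing-resistant MFA", annual_cost=120_000, freq_factor=0.3),
        Control("awareness training", annual_cost=40_000, freq_factor=0.8),
        Control("faster IR retainer", annual_cost=60_000, mag_factor=0.6),
    ]
    for r in rank_controls(phishing, candidates):
        print(f"{r['control']:<25} cost ${r['annual_cost']:>9,.0f}  "
              f"ALE ${r['ale_before']:>9,.0f} -> ${r['ale_after']:>9,.0f}  "
              f"p90 ${r['p90_after']:>9,.0f}  reduction/$ {r['reduction_per_dollar']:.2f}")
```

The output is a ranked list in which the first column a CFO reads is risk reduction per dollar, not feature coverage. The same table also exposes the assumptions (frequency and magnitude factors) that reviewers should challenge, which is exactly the conversation a defensible budget request needs.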
The non-risk management approach typically asks two questions:
1. What are other companies in my industry spending?
Wait…do you seriously believe:
It should not matter what other firms in your industry are spending! The focus should be to manage risk within the conditions of your firm.
2. What was last year’s security technology budget? I need at least that to support:
Renewal and maintenance of infrastructure asset contracts such as:
In most cases, last year’s budget is a foundation on which the organization has grown accustomed to spending, and it’s highly unlikely that anyone will want to re-architect the entire budget.
The reality is that your next budget will move north or south of the current budget and it’s your job to determine how to more effectively allocate your budgeted resources.
Compliance – Must do, no choice (most of the time):
Know the Business and manage the risk:
Maintenance of Existing Systems: Justify ROI of top cyber tool maintenance contracts
Projects: Justify ROI of top security initiatives such as:
Call it a risk management approach or a business-aware approach; either way, set up now to win the next budget cycle with a solid plan to maximize whatever resources you can claw your way to when the funding comes up for grabs.
The RiskLens Platform equips business-savvy CISOs with the solid data they need to build risk-management-oriented budgets.
RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality.
We help organizations translate cyber risk from the technical into the economic language of business. Get your questions about cyber risk quantification answered.