For many of our customers, the end of summer also brings the annual task of securing the next fiscal year’s budget.
For budget considerations, I don’t know a single organization that re-architects their risk management or security program based on major philosophical changes. Even a new CISO or managing executive will have to deal with embedded systems, process, tenured employees, company culture, and regulatory environments that drive the foundation of a budget.
Changes to most budgets are typically a few percentage points north or south of previous year allocations. Most CISOs I talk to describe their annual process of clawing for funds to support existing operations.
Each organization has a unique mission and the infosec and risk management budget should substantiate the resources necessary to identify critical organizational assets or business processes, associated threats, and appropriate levels of mitigating controls to effectively manage risk. Within the context of infosec and cybersecurity, effective risk management ensures ROI of mitigation resources.
In his blog post Cybersecurity spend: ROI Is the wrong metric, Rick Howard of Palo Alto Networks proposed a CISO’s First Principle definition as “Prevent material impact on my organization”. I agree with his assessment. But no organization has unlimited resources.
Therefore, I suggest slightly modifying Rick’s definition to “Efficiently prevent material impact on my organization.”
As Rick notes in his blog post, the purpose of quantifying risk and understanding ROI is not to generate revenue! ROI of existing maintenance contracts, projects, or for that matter any risk mitigation effort should only be evaluated from an effective and efficient use of resources to reduce material negative impact to the organization.
Infosec budgets fall into three buckets:
1. What are you required to do? i.e. regulatory conformance
2. What should you do? Your fiduciary obligation is to “prevent material negative impact to your organization.”
3. What internal and external conditions drive discretionary budgets? i.e. R&D
I have known CISOs who try to spread their budget across their domain like peanut butter spread evenly on a piece of bread. They want to ensure all areas such as threat intelligence, identity & access management, APT, DDoS mitigation, endpoint protection, phishing awareness, web malware prevention, cloud access security, and incident response have some coverage.
But that doesn’t meet the efficiency test. The depth of coverage for each one of these areas should be aligned to a formalized risk management approach.
The non-risk management approach typically asks two questions:
1. What are other companies in my industry spending?
Wait…do you seriously believe:
It should not matter what other firms in your industry are spending! The focus should be to manage risk within the conditions of your firm.
2. What was last year’s security technology budget? I need at least that to support:
Renewal and maintenance of infrastructure asset contracts such as:
In most cases, last year’s budget is a foundation on which the organization has grown accustomed to spending, and it’s highly unlikely that anyone will want to re-architect the entire budget.
The reality is that your next budget will move north or south of the current budget and it’s your job to determine how to more effectively allocate your budgeted resources.
Take a risk management approach:
Compliance – Must do, no choice (most of the time):
Know the Business and manage the risk:
Maintenance of Existing Systems: Justify ROI of top cyber tool maintenance contracts
Projects: Justify ROI of top security initiatives such as:
Call it a risk management approach or a business-aware approach, but set up now to win the next budget cycle with a solid plan to maximize whatever resources you can claw your way to when the funding comes up for grabs.
The RiskLens platform equips business-savvy CISOs with the solid data they need to build risk-management-oriented budgets.