How To Justify Your IT Security Budget

January 15, 2019  Chris Bryant

Increased scrutiny on security spending

As IT security threats continue to increase, overall cybersecurity spending is projected by Gartner to grow by 7.9% to $81.6 billion in 2016. Despite the increase, many organizations' budgets are flat. After years of strong budget increases, during which CISOs got most of the people and tools they requested, board members and business executives now want to understand the value those investments provide.

CISOs we speak to are telling us that their usual reporting, based on threat and vulnerability trends and maturity scores, is not cutting it any more. They are starting to get questions such as "how much (cyber) risk do we have?" and "if we approve your budget, by how much will you reduce risk?"

Why traditional ways to justify security budgets do not cut it any more

There is a whole spectrum of methods traditionally used by CISOs to justify their security budgets:

  • Fear, Uncertainty and Doubt (FUD): Several CISOs still claim they do an effective job of scaring their boards into approving their requests, but after years of "crying wolf" those tactics are proving less and less effective.
  • Benchmarking: Some CISOs use industry benchmarks (e.g. security budget as a percentage of the IT budget) as a measure for their own spending. While those can be an informative reference point, will they reflect the particular needs of an organization?
  • Maturity ratings: An increasing number of CISOs have recently adopted scoring mechanisms to assess the maturity of their organizations against a set of best practices (e.g. NIST CSF) and to show improvements in those scores resulting from their new investments.

These scoring mechanisms are qualitative in nature and take the form of ordinal scales (1-5, 1-10), color codes (Red-Yellow-Green), or qualitative sizing (High-Medium-Low). While they do a good job of assessing an organization's level of maturity and can be effective for giving high-level assessments to busy executives, they still fail to answer questions such as "how much should we spend given the risk we face?" or "which risk mitigations reduce risk the most?"

This is a big problem: the people who should be making and approving risk decisions, including how much to spend on cybersecurity, do not have the financial data needed to make well-informed and cost-effective decisions.

Allow me a brief diversion to make the point about cost-effective decision-making. Let's say you went to your spouse to propose spending $80k on a new Tesla. You want to save money on fuel, and this new electric vehicle is simply "greener" than your current one. How would your spouse respond to this reasoning? Maybe the budget is infinite and he/she would just say yes.

But what if you could calculate how much fuel money you would save over a certain number of years, and could show a much smaller difference in price once that was factored in? That would make the buying decision a much easier one. This is obviously a simplistic example, and many other factors would influence a car purchase, but I hope you get the point about enabling cost-effective decision-making.

Cyber risk economics is here

This is what an increasing number of large organizations are doing today to justify their cybersecurity budgets. They break the problem down into discrete factors and quantify their exposure to cyber risk in financial terms, using the standard FAIR risk model and the RiskLens software.

Articulating cyber risk in financial terms, and being able to show how the various security initiatives drive risk down, lets these CISOs speak the language of the board and the business and makes budgeting decisions much easier.
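The kind of calculation this implies, as an added Python example that is not RiskLens code and not part of the original post: FAIR decomposes risk into Loss Event Frequency (events per year) and Loss Magnitude (dollars per event), each estimated as a calibrated min / most-likely / max range, so expected annual loss and the reduction each initiative buys per dollar can be compared directly. The scenario, the dollar figures and the two initiatives are constructed for illustration.

```python
"""FAIR-style risk quantification (constructed example, not RiskLens code)."""
import random


def triangular_mean(est):
    """Mean of a (min, most likely, max) triangular estimate."""
    lo, mode, hi = est
    return (lo + mode + hi) / 3.0


def expected_annual_loss(lef, lm):
    """FAIR: risk = Loss Event Frequency x Loss Magnitude, here as means."""
    return triangular_mean(lef) * triangular_mean(lm)


def simulate_annual_loss(lef, lm, years=20000, seed=1):
    """Monte Carlo: sample LEF and LM per simulated year; sorted losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = rng.triangular(lef[0], lef[2], lef[1])  # args: low, high, mode
        per_event = rng.triangular(lm[0], lm[2], lm[1])
        losses.append(events * per_event)
    return sorted(losses)


def percentile(sorted_losses, p):
    """Nearest-rank percentile of an already sorted list."""
    return sorted_losses[int(round(p / 100.0 * (len(sorted_losses) - 1)))]


# Constructed scenario: ransomware against the order-processing platform.
BASELINE_LEF = (0.1, 0.3, 0.6)                  # events per year
BASELINE_LM = (200_000, 900_000, 3_000_000)     # dollars per event

# Constructed initiatives: (name, annual cost, residual LEF, residual LM).
INITIATIVES = [
    ("Immutable offline backups", 120_000, BASELINE_LEF, (100_000, 300_000, 800_000)),
    ("Phishing-resistant MFA", 250_000, (0.02, 0.08, 0.2), BASELINE_LM),
]


def rank_initiatives(base_lef, base_lm, initiatives):
    """Return (name, expected loss reduction $/yr, reduction per $ spent), best first."""
    base = expected_annual_loss(base_lef, base_lm)
    ranked = []
    for name, cost, lef, lm in initiatives:
        reduction = base - expected_annual_loss(lef, lm)
        ranked.append((name, reduction, reduction / cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    sim = simulate_annual_loss(BASELINE_LEF, BASELINE_LM)
    print(f"Expected annual loss ${expected_annual_loss(BASELINE_LEF, BASELINE_LM):,.0f}; "
          f"90th percentile ${percentile(sim, 90):,.0f}")
    for name, red, per_dollar in rank_initiatives(BASELINE_LEF, BASELINE_LM, INITIATIVES):
        print(f"{name}: -${red:,.0f}/yr expected loss, {per_dollar:.2f} per $ spent")
```

The ranking answers the board's two questions in one table: how much risk exists today (expected loss plus a tail percentile) and how much each budget line reduces it.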

So, if you are struggling to prioritize and decide which initiatives belong in next year's budget, or need to justify out-of-budget expenditures, consider a better decision-making alternative to vague maturity scores or color codes.

Let us show you what the leaders in your industry are using for their cost/benefit analysis and budget planning. Take RiskLens on a "test drive" via a demo and a pilot project.