Win the Infosec Budget Cycle: A Short Guide for CISOs

October 31, 2019  Steven Tabacek

For many of our customers, the fall brings the annual task of securing the next fiscal year’s budget. Most CISO’s don’t completely overhaul their budget every year. Even a new CISO or managing executive will have to deal with embedded systems, process, tenured employees, company culture, and regulatory environments that drive the foundation of a budget. Changes to most budgets are typically a few percentage points north or south of previous year allocations. 

Most CISOs I talk to describe an annual process of clawing for funds to support existing operations. The winners of the infosec budget competition enter the process with spending  proposals backed up by quantitative cyber risk analysis showing a return on investment in terms of risk reduction and support for the broader initiatives of the organization.  Risk quantification sets you up to make your pitch for budget in the dollars-and-cents terms that the rest of the business operates on.

Steve Tabacek is co-founder and President of RiskLens

The First Principle of Information Security Budgeting 

Each organization has a unique mission and the infosec and risk management budget should substantiate the resources necessary to identify critical organizational assets or business processes, associated threats, and appropriate levels of mitigating controls to effectively manage risk. Within the context of infosec and cybersecurity, effective risk management ensures ROI of mitigation resources.

In his blog post Cybersecurity spend: ROI Is the wrong metric, Rick Howard of Palo Alto Networks proposed a CISO’s First Principle definition as “Prevent material impact on my organization”.  I agree with his assessment. But no organization has unlimited resources.

Therefore, I suggest slightly modifying Rick’s definition to “ Efficiently prevent material impact on my organization.”

As Rick notes in his blog post, the purpose of quantifying risk and understanding ROI is not to generate revenue! ROI of existing maintenance contracts, projects, or for that matter any risk mitigation effort should only be evaluated for an effective and efficient use of resources to reduce material negative impact to the organization.

Where to Start?

Infosec budgets fall into three buckets:

  1. What are you are required to do? i.e. regulatory conformance   
  2. What should you do? Your fiduciary obligation is to “prevent material negative impact to your organization.”
  3. What internal and external conditions drive discretionary budgets? i.e. R&D 

I have known CISO’s who try to spread their budget across their domain like peanut butter spread evenly on a piece of bread. They want to ensure all areas such as threat intelligence, identity and access management, APT, DDoS mitigation, endpoint protection, phishing awareness, web malware prevention, cloud access security, and incident response have some coverage.

But that doesn’t meet the efficiency test. The depth of coverage for each one of these areas should be aligned to a formalized risk management approach.

Risk Management vs. Non-Risk Management Approaches to Budgets

The non-risk management approach typically asks two questions:

1. What are other companies in my industry spending?  

Wait…do you seriously believe:

  • Your firm’s revenue is the same as others?
  • Your firm's cost structure and budget are aligned with others?
  • Your firm has the same level of regulatory oversight?
  • Your Board of Directors and executive management share the same risk appetite and tolerance as similar firms?

It should not matter what other firms in your industry are spending! The focus should be to manage risk within the conditions of your firm.

2. What was last year’s security technology budget? I need at least that to support:

Renewal and maintenance of infrastructure asset contracts such as:

  • Devices such as servers, workstations, storage, VOIP, etc…
  • Apps supporting collaboration, interaction, and application workflow
  • Networks such as devices controlling traffic flowing securely throughout the organization
  • Data, securely storing and transporting data to intended users and applications
  • Operational expenses such as personnel, technology, and processes to support basic functions
  • Audit and compliance visibility, assessment, and reporting expenses
  • New projects or initiatives based on what was learned at this past year’s conferences

In most cases, last year’s budget is a foundation on which the organization has grown accustomed to spending, and it’s highly unlikely that anyone will want to re-architect the entire budget.

The reality is that your next budget will move north or south of the current budget and it’s your job to determine how to more effectively allocate your budgeted resources.

Take a Risk Management Approach

Compliance – Must do, no choice (most of the time):

  • Many organizations operate in a regulatory environment and should manage the positive and negative aspects of audits and compliance.
  • It’s not about checklists or controls, but instead about risk management. Turn this task into “improving compliance conformance to better manage critical asset risk”. It's about getting into compliance with the tasks that reduce risk the most, not just going down a technical checklist.
  • Many firms are able to debunk risk ratings, negotiate removal of findings from reporting, or accept the risk associated with compliance findings after proving that the compliance requirement has no risk management benefit.

Know the Business and manage the risk:

  • Know the strategic objectives of the business and the people, technology, and processes supporting the most important functions of the business.
  • Only then identify the organization's top risk themes. For each risk theme, know:
      • Annualized loss event (probable loss event frequency and loss magnitude)
        • The executives within your organization should determine whether to focus on single loss event or annual loss event analysis resultsSingle loss magnitude (risk expressed in monetary terms for a single loss event)
      • Risk quantification should focus on an accurate distribution of outcomes, therefore it’s important that executives understand when to focus on minimum, 10%, average, 90%, or maximum loss event frequency and magnitude.
    • Interpreting analysis results within the rules established will ensure consistency and an apples-to-apples comparison.
      • E.g. Technology risk or cybersecurity insurance may focus on the 90th or maximum percentile of one or more Single-Loss-Events.
      • Prioritizing capital and human resource mitigation efforts may focus on the Annualized Loss Exposure (ALE).

Maintenance of Existing Systems: Justify ROI of top cyber tool maintenance contracts

  • Pick the top-10 annually renewing cyber tool contracts and analyze ROI of these investments.
    • How much does the cyber tool reduce material impact to the organization?
    • Are you spending $1M annually to protect a lower value asset or business process?

Projects: Justify ROI of top security initiatives such as:

  • Moving payment system to the cloud
  • Outsourcing payroll to a new external vendor
  • Widespread adoption of encryption at rest, ...or not
  • Adoption of a DLP solution
Call it a risk management approach or a business-aware approach, set up now to win the next budget cycle with a solid plan to maximize whatever resources you can claw your way when the funding comes up for grabs.
The RiskLens Platform equips business-savvy CISOs with the solid data they need to build risk-management-oriented budgets.