It’s very easy to create a laundry list of new, exciting ways to spend a cybersecurity budget. Every business is different, but assuming the cybersecurity challenges are known, there are many solutions for almost every problem, at total costs ranging from “cheap” to “extortionate”.
Like Parkinson’s Law (“work expands so as to fill the time available”), cybersecurity solutions can easily expand to consume every last bit of budget allocated to them. So rather than working out how to spend whatever is in the budget, the challenge is how to get the right amount of budget allocated in the first place.
Cybersecurity needs its own budget reporting line
Experience has shown that in organisations which don’t give it the right level of focus, security is one of the first areas to be restricted or cut because of cost, complexity or a “need to get the job done”. It’s a cultural thing. At board and corporate budget level, cybersecurity is about reducing or avoiding risk to data and operations, meeting compliance demands and supporting the enabling technologies behind operational improvement. Without the right budget, your security culture suffers.
Various estimates put cybersecurity spending at between 5% and 10% of the corporate IT budget; however, these figures are hard to verify because cybersecurity is rarely split out from the overall IT spend. Part of the challenge of defining “cybersecurity spending” is drawing the boundaries – for example, firewalls are security devices but are typically included within the wider IT infrastructure spend.
Does cybersecurity include budget for people, technical training and external subject matter expert consultants? Does the organisation structure require the security group to deliver solutions as well as architect them? Does it include security awareness programs for all staff? And so on.
Not splitting out the cybersecurity spend leaves the cost of risk unclear
Business risks are managed at board level. Cybersecurity risks are a key element of those and therefore need to be managed as such. Addressing cybersecurity risks will have a cost, and that cost must be explicit and approved. Simply defining the needs and risks and then expecting the IT budget to “handle their mitigation” doesn’t set the right level of focus or investment, or foster success.
Organisational design is also an important factor. If the group responsible for cybersecurity sits within the IT function, then understandably the cybersecurity budget – once clearly defined – will be included in the budget allocation for that function when viewed at board level. However, once included, it is important to enforce a degree of “ring fencing” to avoid budget erosion during the inevitable negotiation and trimming process.
Regardless of the mechanisms and processes used, the result must be a clearly defined budget, sized to address the needs and risks, allocated to the right group. That group must have a clearly defined remit, supported and championed at senior management level, to ensure the ongoing security (Confidentiality, Integrity and Availability) of the business. This is where the role of the CISO comes in.
How much is enough?
The key is defining “enough” budget. This comes back to understanding business risk tolerance and the challenge of calculating cybersecurity Return on Investment. A cybersecurity strategy must be tied into the corporate strategy, and corporate risk registers must link to cybersecurity risk registers.
Unless you know your business risks and how your technical risks align to them, you can’t define which risks are outside tolerance or what it will cost should those risks materialise. If you don’t know what’s outside your corporate risk tolerance, and how far outside it falls, you don’t know what actions are required to bring it back into tolerance.
If you don’t know what’s required, you don’t know how much it will cost to remediate and therefore, you don’t know how much budget to allocate. Finally, to close the loop, without defining that budget and understanding the cost if risks manifest, calculating cybersecurity ROI is significantly more challenging.
The fact is that departments are often required to prepare their budgets in isolation. So, to give cybersecurity the attention it needs, the cybersecurity risks and needs should be clearly articulated in a way that aligns to business objectives. Simply saying “we need to implement solution X because of security problem Y” retains that isolation.
It is usually inadequate because the technical justification for, say, a million-dollar network access control solution won’t be understood at board level, regardless of how essential it may be.
The conversation should be reoriented by placing the need in terms of business risk – “need Y is important because of compliance requirement Z, which results in a fine and reputational damage valued at N” – or business improvement – “need Y allows us to improve efficiency and reduce cost, for a saving of N” – and then providing the solution. Quantifying cybersecurity ROI in this way – the cost of the solution investment versus the potential cost of security incidents if no action is taken, weighted by how likely those incidents are – supports a factual conversation that is better understood at board level and across the business.
Demonstrating how security supports business objectives as an enabler is key; and the CISO role is that point of translation to champion security considerations at senior levels within the business. If this is executed poorly, the whole organisation suffers. However, if done effectively, a cybersecurity culture can flourish, supporting the organisation to deliver to its full potential.
If you would like to speak to Ian Kayne, please get in touch by email.