Need Your Security Budget Approved? Two Components to Increase Success

By Eric Noonan • February 17, 2016

In the years before business leaders truly understood cyber risk, requested budgets for cybersecurity departments were often approved without thoughtful consideration or review. There was a day when CISOs could basically say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need 3.5 million dollars.” Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve all security problems. The funds were to be spent, generally, on products and the staff to support them.

CISOs can no longer expect to have large annual budgets approved without tangible, quantified data to back up the necessity. The days have passed when budgets were built on fear, uncertainty, and doubt (FUD), empire-building, or opportunities to buy the trending tools. Security funding needs to produce measurable results, or at a minimum, be supported by credible metrics that validate the business needs.

Two Components of a Successful Budget Request

1: Funds to Close Compliance Gaps

Businesses understand the language of compliance. Regulatory gaps and deficiencies can prevent companies from entering markets, and have a real impact on the organization’s ability to win and retain contracts. By tying budget line items to specific compliance gaps, CISOs can implement short- and long-term projects to remediate the deficiencies and show actual value through compliance achievements. If, in addition to compliance gains, those funds also help grow the maturity of the security organization as a whole, great. Use compliance requirements to make smart budgeting requests that both close gaps and advance the security mission.

2: Operational Metrics and Staff Utilization

You cannot request additional funds to hire more full-time security employees without data to substantiate the request. Imagine a CIO replying to your ambiguous request for staff with, “You already have 6 people, why should I give you money to hire 4 more?” Smart CISOs measure the workload of their employees through metrics and reporting to justify the need for more support. By tracking the number of incidents an analyst investigates daily, hours spent supporting business initiatives, or vulnerability tickets closed per month, a security organization can prove, empirically, that it is understaffed for the processes it needs to support. By measuring full-time employees against the tools and tasks they are assigned daily, the conversation changes to, “We have requirements and tasks for a staff of 10, and I only have 6.”
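The workload-to-headcount argument above is easy to make concrete once the tracking data exists. The script below is an added example (not CyberSheath’s tooling or anything from the original post): it takes a month of per-analyst work records of the three kinds the text names (incidents investigated, vulnerability tickets closed, hours supporting business initiatives), converts them to hours with assumed effort-per-task figures, and reports the required FTE count, the gap against current staff, and which analysts are already over capacity. The hours-per-task constants, the productive-hours-per-FTE figure, and the sample records are all constructed placeholders to be replaced with your own measured values.

```python
"""Staffing-utilization model for a security budget request.

Added example, not the original post's or CyberSheath's code. Every number
below (effort per task, productive hours per FTE, the sample month) is a
constructed placeholder; substitute your own tracked metrics.
"""
from collections import Counter
from dataclasses import dataclass
from math import ceil

# Assumed average effort per unit of work, in hours (constructed values).
HOURS_PER_TASK = {
    "incident": 3.0,          # triage, investigation, write-up
    "vuln_ticket": 1.5,       # validate, coordinate the fix, verify closure
    "business_support": 1.0,  # already tracked in hours, so 1:1
}

# Assumed productive hours one FTE can give per month after meetings,
# training and leave (constructed value).
PRODUCTIVE_HOURS_PER_FTE_PER_MONTH = 140.0


@dataclass(frozen=True)
class WorkRecord:
    analyst: str
    kind: str      # key into HOURS_PER_TASK
    units: float   # count of incidents/tickets, or hours for business_support


# Constructed sample: one month of tracking data for a six-person team.
SAMPLE_MONTH = [
    WorkRecord("alice", "incident", 60),
    WorkRecord("alice", "vuln_ticket", 40),
    WorkRecord("bob", "incident", 45),
    WorkRecord("bob", "business_support", 30),
    WorkRecord("carol", "vuln_ticket", 120),
    WorkRecord("dave", "incident", 70),
    WorkRecord("dave", "business_support", 20),
    WorkRecord("erin", "vuln_ticket", 90),
    WorkRecord("frank", "incident", 55),
    WorkRecord("frank", "vuln_ticket", 30),
]


def hours_by_analyst(records):
    """Convert raw work counts into estimated hours, summed per analyst."""
    totals = Counter()
    for r in records:
        totals[r.analyst] += r.units * HOURS_PER_TASK[r.kind]
    return dict(totals)


def staffing_summary(records, current_staff):
    """Compare measured demand (hours) against the capacity of current_staff.

    Returns the figures a budget request would cite: total demand, the FTE
    count that demand implies, the headcount gap, average utilization
    (1.0 = fully loaded), and the analysts already over one FTE's capacity.
    """
    per_analyst = hours_by_analyst(records)
    demand = sum(per_analyst.values())
    required_fte = demand / PRODUCTIVE_HOURS_PER_FTE_PER_MONTH
    capacity = current_staff * PRODUCTIVE_HOURS_PER_FTE_PER_MONTH
    return {
        "demand_hours": round(demand, 1),
        "current_staff": current_staff,
        "required_fte": round(required_fte, 1),
        "gap_fte": max(0, ceil(required_fte) - current_staff),
        "avg_utilization": round(demand / capacity, 2),
        "over_capacity": sorted(
            name for name, hours in per_analyst.items()
            if hours > PRODUCTIVE_HOURS_PER_FTE_PER_MONTH
        ),
    }


if __name__ == "__main__":
    summary = staffing_summary(SAMPLE_MONTH, current_staff=6)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample the model reports roughly 1160 hours of demand against a six-person team, an implied requirement of about 8.3 FTE, a gap of 3 hires, and five of the six analysts running above one FTE’s monthly capacity, which is the “tasks for a staff of 10, and I only have 6” conversation expressed in numbers the CIO can check. The weak point of any such model is the effort-per-task assumptions, so measure those from real tickets before relying on the output.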

The data that you are collecting this year will support your budget request in the upcoming fiscal year. Security budget requests demand a level of rigor and proof commensurate with other parts of the business. Security assessments and security program development help you obtain and understand your compliance gaps as well as your staffing utilization and operational needs. Take the time this year to independently assess your organization against industry standards and submit a security budget next year based on facts.

Don’t Know Where To Start?

CyberSheath’s Strategic Security Planning service offering can help you plan, build, and manage a strategic information security organization that enables your business. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance. Our Strategic Security Planning service will enable you to successfully create a security budget that directly matches your business needs and goals.
