Need Your Security Budget Approved? Two Components to Increase Success

By Eric Noonan • February 17, 2016

In the years before business leaders truly understood cyber risk, requested budgets for cybersecurity departments were often approved without thoughtful consideration or review.  There was a day when a CISO could basically say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need $3.5 million.”  Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve every security problem.  The funds were spent, generally, on products and the staff to support them.

CISOs can no longer expect to have large annual budgets approved without tangible, quantified data to back up the need.  The days are gone when budgets were built on fear, uncertainty, and doubt (FUD), empire-building, or the chance to buy the trending tools.  Security funding needs to produce measurable results or, at a minimum, be supported by credible metrics that validate the business need.

Two Components of a Successful Budget Request 

1: Funds to Close Compliance Gaps

Businesses understand the language of compliance.  Regulatory gaps and deficiencies can keep a company out of markets and have a real impact on its ability to win and retain contracts.  By tying budget line items to specific compliance gaps, CISOs can run short- and long-term projects to remediate the deficiencies and show concrete value through compliance achievements.  If, in addition to the compliance gains, those funds also grow the maturity of the security organization as a whole, so much the better.  Use compliance requirements to make smart budget requests that both close gaps and advance the security mission.

2: Operational Metrics and Staff Utilization

You cannot request additional funds to hire more full-time security employees without data to substantiate the request.  Imagine a CIO replying to a vague request for staff with, “You already have 6 people, why should I give you money to hire 4 more?”  Smart CISOs measure the workload of their employees through metrics and reporting to justify the need for more support.  By tracking the number of incidents an analyst investigates per day, hours spent supporting business initiatives, or vulnerability tickets closed per month, a security organization can show empirically that it is understaffed for the processes it must support.  Closed-ticket counts alone only measure what got done; pair them with backlog size and queue age so the request reflects demand rather than just throughput.  By measuring full-time employees against the tools and tasks they are assigned each day, the conversation changes to, “We have requirements and tasks for a staff of 10, and I only have 6.”
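The staffing argument above is a calculation, so here is a small worked version of it. This is an added example, not the article's or CyberSheath's own method: it takes a month of closed work items plus the open backlog, computes per-analyst utilization and hours per category, and turns total demand into a whole-number FTE requirement. The ticket data, the 160-hour month and the 75% productive fraction are all constructed assumptions.

```python
"""Staffing-demand estimate from measured workload.  Added example; all data
and capacity figures below are constructed assumptions, not real metrics."""
import math
from collections import defaultdict

# Assumptions (not from the article): a 160-hour month, 75% of which is
# available for queue work; the rest goes to meetings, training and leave.
HOURS_PER_FTE_MONTH = 160.0
PRODUCTIVE_FRACTION = 0.75
CAPACITY_PER_FTE = HOURS_PER_FTE_MONTH * PRODUCTIVE_FRACTION  # 120 h/month

# Constructed closed-work log for one month: (ticket_id, analyst, category, hours).
CLOSED = [
    ("INC-101", "a1", "incident", 42.0),
    ("VULN-101", "a1", "vuln_ticket", 55.0),
    ("PROJ-11", "a1", "business_support", 33.0),
    ("INC-102", "a2", "incident", 60.0),
    ("VULN-102", "a2", "vuln_ticket", 40.0),
    ("PROJ-12", "a2", "business_support", 30.0),
    ("INC-103", "a3", "incident", 48.0),
    ("VULN-103", "a3", "vuln_ticket", 52.0),
    ("PROJ-13", "a3", "business_support", 30.0),
    ("INC-104", "a4", "incident", 35.0),
    ("VULN-104", "a4", "vuln_ticket", 60.0),
    ("PROJ-14", "a4", "business_support", 35.0),
    ("INC-105", "a5", "incident", 50.0),
    ("VULN-105", "a5", "vuln_ticket", 45.0),
    ("PROJ-15", "a5", "business_support", 35.0),
    ("INC-106", "a6", "incident", 44.0),
    ("VULN-106", "a6", "vuln_ticket", 46.0),
    ("PROJ-16", "a6", "business_support", 40.0),
]

# Constructed open backlog with estimated effort: (ticket_id, category, est_hours).
# Without this, the model only sees throughput, never unmet demand.
BACKLOG = [
    ("VULN-201", "vuln_ticket", 90.0),
    ("VULN-202", "vuln_ticket", 120.0),
    ("INC-310", "incident", 40.0),
    ("PROJ-77", "business_support", 110.0),
]


def hours_by_analyst(closed):
    """Hours of closed work per analyst."""
    out = defaultdict(float)
    for _, analyst, _, hours in closed:
        out[analyst] += hours
    return dict(out)


def hours_by_category(closed, backlog):
    """Demand hours per category: closed work plus estimated open backlog."""
    out = defaultdict(float)
    for _, _, category, hours in closed:
        out[category] += hours
    for _, category, est in backlog:
        out[category] += est
    return dict(out)


def utilization(closed):
    """Closed hours divided by productive capacity, per analyst.
    A value above 1.0 means the analyst already works beyond the assumed capacity."""
    return {a: round(h / CAPACITY_PER_FTE, 3) for a, h in hours_by_analyst(closed).items()}


def required_fte(closed, backlog):
    """FTEs needed to absorb measured demand in one month at the assumed
    capacity, rounded up because staff come in whole units."""
    demand = sum(h for *_, h in closed) + sum(e for *_, e in backlog)
    return math.ceil(demand / CAPACITY_PER_FTE)


def staffing_gap(closed, backlog, headcount):
    """Return (required_fte, shortfall) for the current headcount."""
    need = required_fte(closed, backlog)
    return need, max(0, need - headcount)


if __name__ == "__main__":
    need, gap = staffing_gap(CLOSED, BACKLOG, headcount=6)
    print("utilization:", utilization(CLOSED))
    print("demand by category:", hours_by_category(CLOSED, BACKLOG))
    print(f"required FTE: {need}, current: 6, shortfall: {gap}")
```

With these constructed figures the six analysts are each at roughly 108% of productive capacity and the backlog adds another 360 hours, so the model asks for 10 FTE against a headcount of 6. The figures that matter for the budget conversation are the inputs: closed hours per person, estimated backlog hours, and the capacity assumptions, all of which a CIO can audit.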

The data you collect this year will support your budget request in the upcoming fiscal year.  Security budget requests demand a level of rigor and proof commensurate with other parts of the business.  Security assessments and security program development help you identify and understand your compliance gaps as well as your staffing utilization and operational needs.  Take the time this year to independently assess your organization against industry standards, and submit next year's security budget based on facts.

Don’t Know Where To Start?

CyberSheath’s Strategic Security Planning service offering can help you plan, build, and manage a strategic information security organization that enables your business. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance.  Our Strategic Security Planning service will enable you to successfully create a security budget that directly matches your business needs and goals.
