In the years before business leaders truly understood cyber risk, requested budgets for cybersecurity departments were often approved without thoughtful consideration or review. There was a day when CISOs could basically say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need 3.5 million dollars.” Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve all security problems. The funds were to be spent, generally, on products and the staff to support them.
CISOs can no longer expect to have large annual budgets approved without tangible, quantified data to back up the necessity. The days have passed when budgets were built on fear, uncertainty, and doubt (FUD), empire-building, or opportunities to buy the trending tools. Security funding needs to produce measurable results, or at a minimum, be supported by credible metrics that validate the business needs.
Two Components of a Successful Budget Request
1: Funds to Close Compliance Gaps
Businesses understand the language of compliance. Regulatory gaps and deficiencies can prevent companies from entering markets, and have a real impact on the organization’s ability to win and retain contracts. By tying budget line items to specific compliance gaps, CISOs can implement short- and long-term projects to remediate the deficiencies and show actual value through compliance achievements. If, in addition to compliance gains, those funds also help grow the maturity of the security organization as a whole, great. Use compliance requirements to make smart budgeting requests that both close gaps and advance the security mission.
2: Operational Metrics and Staff Utilization
You cannot request additional funds to hire more full-time security employees without data to substantiate the request. Imagine a CIO replying to your ambiguous request for staff with, “You already have 6 people, why should I give you money to hire 4 more?” Smart CISOs measure the workload of their employees through metrics and reporting to justify the need for more support. By tracking the number of incidents an analyst investigates daily, hours spent supporting business initiatives, or vulnerability tickets closed per month, a security organization can prove, empirically, that it is understaffed for the processes it needs to support. By measuring full-time employees against the tools and tasks they are assigned daily, the conversation changes to, “We have requirements and tasks for a staff of 10, and I only have 6.”
The data that you are collecting this year will support your budget request in the upcoming fiscal year. Security budget requests demand a level of rigor and proof commensurate with other parts of the business. Security assessments and security program development help you obtain and understand your compliance gaps as well as your staffing utilization and operational needs. Take the time this year to independently assess your organization against industry standards and submit a security budget next year based on facts.
Don’t Know Where To Start?
CyberSheath’s Strategic Security Planning service offering can help you plan, build, and manage a strategic information security organization that enables your business. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance. Our Strategic Security Planning service will enable you to successfully create a security budget that directly matches your business needs and goals.