Getting the InfoSec Budget You Need

Posted on by Fahmida Y. Rashid

CISO Thought

There is a tongue-in-cheek saying that goes something like this: How do security professionals get the security budget they want? Wait for a data breach. It's a sad state of affairs that there is a grain of truth to this poor joke. This month, we explore how security professionals can tackle budget planning for next year.

Security spending as a percentage of the overall IT budget has remained stalled at 4 percent or less for the past five years, according to the latest Global State of Security report from PwC. Security budgets are shrinking in some industry segments, forcing security professionals to fight off increasingly sophisticated attacks with fewer funds for firefighting, according to the report.

One way security professionals can get the funding they need to protect the organization is to learn how to describe the ways they support the business in its strategic initiatives. Many business executives struggle to understand IT security's spending plans and why particular projects should be prioritized. Infosec folks who treat the budget as more than just a spreadsheet, explaining the rationale for proposed projects and clarifying operating expenses and maintenance, make security easier to evaluate and understand.

But focusing on just the IT security budget is tremendously shortsighted. As IT becomes a key component of all business initiatives, it is becoming a part of those budgets as well, Gartner said recently in its Every Budget is an IT Budget report. The security professional should sit down with each line of business and ask about planned initiatives, technology requests, and strategic goals. This is the time to raise security concerns so that business managers can allocate the necessary time and costs to handle those questions. The last thing a software development company wants to hear is that a product won't ship on time because the application didn't undergo security testing, for example. The security manager is in a unique position to influence budget and project plans for other business units by bringing up security issues earlier in the cycle.

"Over time, IT has graduated from being a support tool to being a business enabling and a business creation tool," Cassio Dreyfuss, research vice president at Gartner, told Help Net Security. "Under that much broader and inclusive perspective, it makes more sense to talk about IT-related expenditures in each and every business initiative and respective budget."

At a recent CSO lunch, a security executive from a pharmaceutical company described security spending as a form of insurance. He wasn't talking about cyber-insurance or liability insurance to cover the cost of a data breach or cyber-attack. Rather, his point was that sometimes, there is no immediate result from spending money on security. Perhaps the effect will be felt only after a data breach—because there will be tools on hand to detect and mitigate the threat. Or maybe the benefit will be that certain attacks become unlikely—because all the websites are now using HTTPS.

There are plenty of questions to consider when planning out budgets. This month, we will touch on a few of them. How do you get the board and senior management to buy into your vision? Can you explain each line item on the budget and articulate how each one benefits the company?

That's not to say this month is all about budgets. We will look at major news events, talk about startups, and discuss ways to protect our networks. The fact that October is Cybersecurity Awareness Month means it may be easier than usual to get a security-related conversation started. Don't lose the opportunity.

If there is something you would like to hear from your peers on, or a topic you would like some information on, let us know. Post on Twitter to @RSAConference, reach out to us via social media, or just comment below.

Fahmida Y. Rashid

Managing Editor, Features, Dark Reading

Business Perspectives
