It's August; Let's Talk Budgets

Posted by Fahmida Y. Rashid

The year's halfway mark has just passed, which for many information security professionals means it's time to think about the end of the year and plan for next year. This month, we will talk about what this halfway point means for current security initiatives and how they affect upcoming budget discussions.

It's never too early to evaluate the status of existing projects and initiatives and to plan out next year's budget. Budget planning, after all, is not a one-day task. Before the security manager can submit a budget outlining their plans for new purchases, ongoing deployments, and operational costs for the next year, we need an honest review of how this year’s budget was used.

It's important to regularly assess the status of existing projects and initiatives. Consider all the capital investment initiatives underway for this year, and determine whether they are complete, on schedule, or, as often happens with large projects, delayed due to unforeseen complexities. Examples of these initiatives include financial services companies upgrading to Chip & PIN, enterprises migrating XP systems, and healthcare organizations updating to newer technologies to incorporate electronic health records.

Perhaps there were unanticipated expenses this year, such as needing to respond to and resolve a data breach, or even dealing with a major vulnerability. No one anticipated Heartbleed, and for many organizations, remediating the servers to close the OpenSSL flaw wasn’t cheap.

One of the biggest challenges for security professionals in budget review and planning is articulating what the funds are being used for, the benefits gained, and what goals are being achieved. For example, if the project underway was to move internal Websites to the secure HTTPS protocol, be prepared to explain why this was important and why it justified the amount of money spent. It's easier to just say "because we have to," or "it's more secure," but that means nothing to the non-security side of the organization. Being able to explain past spending is half the battle in getting new spending projects approved.

Towards the end of last year, 41 percent of respondents in a Tech Pro Research survey said they planned to increase their IT security budgets for 2014. Only 11 percent planned to decrease their security budget. The sample size—a mere 244 IT professionals from around the world and organizations of all sizes—is small, but it does give us a place to start this conversation.

There are many questions to consider, and this month, we will touch on a few of them. How does the security team differentiate between the projects they want and the ones they need to undertake? What are the managers and lines of business focused on, and how does it translate to the organization’s security posture? Are security professionals discussing their wishlists with their compliance teams, operations staff, and other partners?

Let’s understand what we spent money on this year and what it's doing before we talk about what we want to do next year.

That's not to say this month is all about budget planning and review. We will bring you insights from security pros like you about major news events, the threat landscape, and securing our networks and data. We will even check out what people are saying at the annual Black Hat conference.

As always, we welcome your ideas. If there is something you would like to hear from your peers on, or a topic you would like some information on, let us know. Post on Twitter to @RSAConference, reach out to us via social media, or just comment below.

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference
