Planning for next year's budget is stressful for everyone involved, but information security professionals have the added challenge of translating their requests into business risks to get senior management buy-in. Understanding how the threats and gaps in protection map to business risks will help streamline the first round of budget planning.
It is critical that you perform a full risk assessment before you start putting together all the numbers. The resulting budget must include people, processes, and technology. A risk assessment will help identify what is working and what isn't, and give you an idea of what you need to focus on.
“Ensuring your cybersecurity budget actually aligns with your organization’s needs cannot happen unless you’re looking at the risk landscape from all angles,” says Dave Ellison, CEO of SurfWatch Labs.
Security budgets averaged $4.3 million in 2014, up from an average of $2.2 million in 2010, according to the Global Information Security Survey released by PricewaterhouseCoopers earlier this year. That average may feel skewed to some readers, who may be thinking, “I wish I got that much for my budget.” The report's primary takeaway was that teams are shifting their spending to different areas. For example, 51 percent of respondents said they were spending part of their budget on analyzing malware, compared with 41 percent on inspecting traffic leaving the network, 27 percent on deep packet inspection, and 21 percent on threat modeling.
That doesn't mean you should adjust your budget to boost spending in those categories. Security professionals need to focus on their own organization's needs. What processes are currently in place, and what technologies have you deployed? Which compliance regulations apply to your organization? Answering these questions is how you begin to understand your risk.
However, it's also important to look outside the organization, Ellison suggests. Security professionals need to look at the top cyber issues and trends in their industry and consider the impact those would have on them. They should compare current expenditures against the prevailing threats and determine whether they are underspending, overspending, or spending just enough. Looking at what similar companies in the industry are going through provides useful input for working through “what if” scenarios.
For example, security professionals at financial services organizations have to weigh the impact of a distributed denial-of-service attack against their networks when assessing risk, while security teams at retailers must consider how their security initiatives stack up against the current wave of credit-card data breaches.
Risk assessment is not just about what is inside the organization, but outside, as well, Ellison says.
Every item in the budget can be categorized as must-have, want-to-have, or need-to-have. To decide which bucket an item falls into, consider how much it reduces organizational risk and impact, whether a lower-cost alternative exists, and what would happen if you went without it.
With a detailed risk assessment in hand, security professionals can identify areas of overspending and shift those funds to other critical areas. “From a security strategy planning and budgeting perspective, this information is critical to ensure you’re taking the prudent steps to align your resources with the cyber risk areas that are prominent in your domain,” Ellison says.