When Budgeting for Information Security, Know Thyself
Why write an article on budgeting for information security when everyone is talking about cyber budgets expanding? While it is true that many information security budgets are expanding, it is important to examine the significance of budgeting in the success of an information security program. Whether budgets are growing or shrinking, the importance of budgeting wisely remains constant. An information security program’s budget should adhere to the “Goldilocks” principle of just right, not too big and not too small. It must include allocations for people, technology, and training.
Your information security budget shows your organization’s vision, prioritization, and the importance placed on information security. Any consultant worth their salt should be able to walk into an organization, review the information security budget, and gain a good understanding of where things are, what the risks are, where the organization is weak, and where it is going. It should spark questions such as: Is this organization’s information security program stagnant or dynamic? Is information security a priority? Too many organizations treat budgeting for information security as an afterthought or a footnote in the broader IT budget. “Just give them what they got last year and add one percent” does not cut it in today’s world. It is important to understand that budget growth does not equal success or an improvement in security. Sometimes a smaller budget means that efficiencies have been realized and an information security program has actually improved. Larger, overly ambitious budgets may indicate a program that is overreaching.
When budgeting for information security, it is important to know thyself. A CISO must know the organization’s size, business mission, mission-critical systems, risk acceptance, threat landscape, capabilities, weaknesses, and expertise. So many factors go into building an information security budget that it can be a daunting task. It is no wonder that many organizations do a poor job at budgeting for information security or just wing it altogether. The budget must also be flexible, because the nature of information security is dynamic and may therefore require wholesale changes to address an emerging threat. As Mike Tyson said, “Everybody’s got plans…until they get hit.” That applies to boxing just as it applies to an information security program. In knowing thyself, it is also important to know your budgeting process. Is it slow and arcane, or is it quick and nimble? The federal government budgeting system is very slow and cumbersome, whereas a small enterprise with a flat management structure may be highly nimble. While a large organization may have more money to spend on information security tools and personnel, a smaller, more nimble organization may by comparison be much more secure.
When budgeting for your information security program, be cognizant of the fact that not all vendors keep up with the dynamic nature of the industry. Tools that were a necessity two years ago may be obsolete today. Organizations blindly renew vendor licenses year after year without assessing whether the tools are still relevant for their environment. CISOs should be constantly assessing the value added by each vendor tool and service and making budget decisions based on the assessment results. There are excellent open source security tools available, provided you have the expertise to implement, configure, and run them effectively. A cost-cutting move to open source may require some investment in personnel and training in order to be successful. Organizations that purchase new tools without increasing manpower or expertise may find those tools sitting on the shelf indefinitely.
Your budget is your information security roadmap. A CISO has few responsibilities more important than fighting for budget dollars and setting a clear budgetary course for the information security program. While budgets are not infinite, it is important to weigh the needs of operating and maintaining current toolsets, investing in and adding personnel, and investing in new tools and capabilities. Budgets can become a vortex of firefighting, wherein tools and capabilities are added to address past vulnerabilities without considering the direction in which threats and risks are moving. In this scenario, budgets are allocated to address past threats while ignoring current trends.
Your information security program budget should be a top priority of the CISO. It requires planning and a strategic focus. It is important to have a CISO who is neither too corporate nor too in-the-weeds technical, so that the budget reflects a clear direction and makes sense for the organization’s mission, capabilities, and size. It is critical to invest in personnel to move your information security program forward, whether to increase manpower or to expand capabilities. Most importantly, when budgeting for information security, know thyself.
Dan Emory is the Director of the Information Security Practice at Qivliq Federal Group. Qivliq Federal Group is one of nearly 40 companies held by NANA Development Group—a company owned by the Iñupiat people of northwest Alaska.