When Budgeting for Information Security, Know Thyself
Why write an article on budgeting for information security when everyone is talking about cyber budgets expanding? While it is true that many information security budgets are expanding, it is important to examine the significance of budgeting in the success of an information security program. Whether budgets are growing or shrinking, the importance of budgeting wisely remains constant. An information security program’s budget should adhere to the “Goldilocks” principle of just right, not too big and not too small. It must include allocations for people, technology, and training.
Your information security budget shows your organization’s vision, prioritization, and the importance placed on information security. Any consultant worth their salt should be able to walk into an organization, review the information security budget and gain a good understanding of where things are, what the risks are, where the organization is weak, and where they are going. It should spark questions like, is this organization’s information security program stagnant or dynamic? Is information security a priority? Too many organizations treat budgeting for information security as an afterthought or a footnote in the broader IT budget. “Just give them what they got last year and add one percent” does not cut it in today’s world. It is important to understand that budget growth does not equal success or an improvement in security. Sometimes a smaller budget means that efficiencies have been realized and an information security program has actually improved. Larger, overly ambitious budgets may indicate a program that is overreaching.
When budgeting for information security it is important to know thyself. A CISO must know the organization’s size, business mission, mission-critical systems, risk acceptance, threat landscape, capabilities, weaknesses, and expertise. There is such an array of factors that go into building an information security budget that it can be a daunting task. It is no wonder that many organizations do a poor job at budgeting for information security or just wing it altogether. The budget must also be flexible because the nature of information security is dynamic and may therefore require wholesale changes to address an emerging threat. As Mike Tyson said, “Everybody’s got plans…until they get hit.” It applies to boxing just as it applies to an information security program. In knowing thyself, it is also important to know your budgeting process. Is it slow and arcane, or is it quick and nimble? The federal government budgeting system is very slow and cumbersome, whereas a small enterprise with a flat management structure may be highly nimble. While a large organization may have more largesse for information security tools and personnel, a smaller, more nimble organization may by comparison be much more secure.
When budgeting for your information security program, be cognizant of the fact that not all vendors keep up with the dynamic nature of the industry. Tools that were a necessity two years ago may be obsolete today. Organizations blindly renew vendor licenses year after year without assessing whether the tools are still relevant for their environment. CISOs should be constantly assessing the value added by each vendor tool and service and make budget decisions based on the assessment results. There are excellent open source security tools available, provided you have the expertise to implement, configure, and run them effectively. A cost-cutting move to open source may require some investment in personnel and training in order to be successful. Organizations that purchase new tools without increasing manpower or expertise may find those tools sitting on the shelf indefinitely.
Your budget is your information security roadmap. A CISO has few responsibilities that are more important than fighting for budget dollars and setting a clear budgetary course for the information security program. While budgets are not infinite, it is important to weigh the needs of operating and maintaining current toolsets, investing in and adding personnel, and investing in new tools and capabilities. Budgets can become a vortex of firefighting wherein tools and capabilities are added to address past vulnerabilities but do not consider the direction in which threats and risks are moving. In this scenario budgets are allocated to address past threats while ignoring current trends.
Your information security program budget should be a top priority of the CISO. It requires planning and a strategic focus. It is important to have a CISO that is not too corporate and not too in-the-weeds technical so that the budget reflects a clear direction and makes sense for the organization’s mission, capabilities, and size. It is critical to invest in personnel to move your information security program forward whether it is to increase manpower or expand capabilities. Most importantly, when budgeting for information security, know thyself.
Dan Emory is the Director of the Information Security Practice at Qivliq Federal Group. Qivliq Federal Group is one of nearly 40 companies held by NANA Development Group—a company owned by the Iñupiat people of northwest Alaska.