Wolfilser - Fotolia
The reasons for adding cybersecurity to an organization's annual budget are clear by now. But how a CISO allocates and justifies that budget is never quite as straightforward. Unlike marketing, sales, engineering and support -- where the ROI can be more easily explained -- the math of cybersecurity's ROI is not simple. However, with the costs and occurrences of data breaches rising by the minute, securing budget and ensuring it is spent appropriately are more critical for today's CISO than ever before.
Creating a cybersecurity budget breakdown
The amount of money allocated to cybersecurity varies widely. As such, it's difficult to determine an amount or percentage CISOs should request, as it depends on industry and from organization to organization.
When it comes to allocating the cybersecurity budget, there are generally four main categories to consider:
- Compliance. Certain compliance regulations dictate security budget allocations. In the healthcare sector, for example, HIPAA defines data privacy and security requirements to protect individuals' medical records and other personal health information. To meet these requirements and avoid potentially hefty fines, CISOs must spend budget on particular tools and technologies. For the HIPAA example, this includes focusing on data classification, encryption and lifecycle management.
- Ongoing existing risk assessments. Proactive CISOs must continually monitor the efficacy of security controls in their environments and calibrate that against prevalent attack vectors. If risks go above the previously agreed-upon thresholds, CISOs will need to evaluate the threat and either discuss the risks with management to seek further budget or budget reallocation or to agree to accept the higher risk levels. Tools and services to budget for in this category include cyber insurance, penetration testing, bug bounty initiatives and incident response.
- Ongoing security training. Cybersecurity awareness training is no longer an item on an annual mandatory compliance checklist. It is imperative that every employee and contractor is included in making this an ongoing effort. Using public shaming or fear to "motivate" employees is also not a panacea. Instead, security training needs to be memorable and fun. Forward-looking CISOs should partner with their colleagues to make this a frictionless yet beneficial exercise.
- New business initiatives. Any sort of new business initiative adopted across a CISO's company must be assessed and have security budget applied to it, if applicable, to ensure the business and its customer remain secure. For example, marketing departments may outsource content creation to a third-party provider overseas, or customer support may decide to store all customer support cases in a cloud storage platform. Both of these scenarios present additional risks, which must be addressed by CISOs and security teams prior to implementation.
How much is allocated to each category depends on a variety of factors. New compliance mandates could increase spending in that category for a given year -- for example, CCPA went into effect in January 2020, with enforcement going into effect in July 2020. Alternately, a new investor or CEO could alter the organization's risk appetite, causing a corresponding increase or decrease in overall security investment that could cause the CISO to reallocate the category's spend.
Cybersecurity budget best practices
Understanding the present and planning for the future are essential to help CISOs manage their budgets more effectively. The following three steps should give a CISO a good handle on budget allocation and justification:
- Understand how budget is being allocated currently. Create a complete inventory of existing products and services, along with the daily, monthly and annual spend for each. Before the advent of cloud and the subscription-based model, this was a more straightforward exercise. Nowadays, with on-demand procurement and commissioning, this task takes much more effort. Note, this needs to be done periodically -- not at the annual renewal event where vendors will want you to sign the contract with the renewal deadline looming.
- Monitor, monitor, monitor. After conducting a complete inventory, put procedures in place to constantly monitor the efficacy of tools and services, along with processes to fine-tune, reconfigure or even turn them off if needed. Remember, product value and renewal cannot be based on activity or lack thereof. Some products maybe battle tested every day -- such as phishing protection -- so their need is justified, whereas other products, such as distributed denial-of-service or ransomware attack defense systems, may not see use for months, if ever. Look at industry statistics and competitors that have been targets for help deciding a product or service is worth turning off. This step is also an opportunity to assess newer and more cost-effective products or services -- when there is no activity, a swap-out may be less risky.
- Become a storyteller, advocate and confidant. As fellow colleagues across lines of business and functions seek to drive efficiency and drive revenue and engagement, the CISO can be an invaluable resource. For example, CISOs could run a full risk report on current products and services used in a particular department in their organization and use that as a stimulus to have their colleagues not only understand the effects a potential attack on those products or services could have, but to also show them how to reduce those potential risk effects. This exercise also makes for a more cost-efficient and forward-thinking approach for CISOs and their colleagues alike.