Creating a Budget and Optimizing the Money Spent.
Traditionally, there has been a lack of organizational focus on information security (IS) as a strategic priority. Where companies have focused on IS, however, the goal is usually achieving compliance as opposed to weaving IS into the organization’s overall strategy. With that in mind, creating and managing an IS budget is not an easy task. Tight budget constraints, ever-evolving threat vectors, emerging technologies, and changing compliance requirements combine to create a natural reluctance to focus on IS on an annual basis. Most IS managers or executives use peer data or threat-versus-risk models to determine their budgets instead of employing a set percentage of the organization’s revenue.
Peer data is frequently seen as the most trusted source of budget information, but it can be difficult to obtain, as most enterprises consider such data confidential, and rightly so. However, if nothing else, the peer data that is available can still be used to grab leadership’s attention and highlight IS as a budgetary necessity. Then, by using models to measure threats versus risks, organizations are more likely to allocate enough funds to mitigate those risks while ensuring the costs of the controls do not outweigh the costs of the risks.
According to a survey by Wisegate from 2013, the average organization allocated 7.5% of the overall information technology (IT) budget to IS. The average allocation fluctuated between industries, with the banking and financial services industry budgeting 10.4% and government entities budgeting 2.3%. This is likely due to regulation, as the banking and financial services industry is traditionally one of the more heavily regulated sectors.
According to a survey by the SANS Institute, the majority of enterprises are spending 4% to 6% of the IT budget on security, with the share spending 10% to 12% and the share spending 21% to 25% both growing at an increasing rate. Further, the SANS Institute found that security budgets in 2016 are focusing on developing in-house skills to support application security, intelligence and analytics, and data security. Importantly, the surveys indicate that training and staffing are also among the top predicted spending areas. This data suggests that organizations are transitioning from treating IS as merely an “IT problem” to treating it as an organizational imperative.
Over the last few years, it is clear that IS spending is on the rise. However, successful attacks are also on the rise. This implies, amongst other things, that: (1) malefactors and threat vectors continue to evolve faster than the means to stop them; and (2) the money being spent on IS is not being spent effectively. Many organizations make the mistake of simply buying the latest technology, whether or not it makes the most sense for their security initiatives. Organizational leadership, lacking the requisite legal and technical expertise, simply chooses to throw money at the problem, thinking that “something is better than nothing.” This mentality can be a critical error.
To optimize an IS budget, organizations should first focus on ensuring they have the right number of security personnel for the organization’s size and information profile. Simply put, a large multinational organization that transfers significant data between internal and external clients must have a larger cadre of security personnel than a regional mid-sized manufacturing company. Additionally, organizations must make certain that security personnel have the appropriate proficiency to accomplish the organization’s security goals. While hiring the right people seems easy enough, estimates demonstrate that there could be a 47% shortfall of qualified security professionals over the next few years. Thus, it is essential that enterprises focus on obtaining the right talent sooner rather than later.
To further optimize an IS budget, organizations should analyze potential hardware and software security solutions to verify whether the solutions meet the requirements for their particular security initiatives. Organizations need to assess whether mission-critical employees know how to use, maintain, and safeguard the current system, as well as any potential modifications or upgrades. If not, organizations must be able to identify the cost to appropriately train employees to do so. Also, despite the natural inclination to avoid allocating funds for something that may never occur, it is crucial that organizations budget for incident response. Even after spending money on preventative measures, the best IS protocols are not foolproof. The probability of a successful attack is only increasing, so preparation for such an event cannot be overlooked or underestimated. Finally, employee training is vital across all departments within the organization. Training is often the most cost-effective and practical countermeasure, as people are frequently exploited by malefactors to penetrate organizational defenses.
IS managers or executives need to have the right information in order to obtain buy-in for budgetary requests. They then must effectively communicate that information to those holding the purse strings. According to a survey by the SANS Institute, the two most important business drivers behind security spending are: (1) protecting sensitive data; and (2) regulatory compliance. IS managers or executives should take a risk-based approach when addressing budget concerns. By focusing on the risks, organizations are forced to decide whether they are willing to accept or mitigate them. Without knowing and understanding the risks facing the organization, it is all too easy for bottom-line-driven executives to ignore very real, and very serious, IS concerns.
If an organization chooses not to take a risk-based approach, then it is all the more important to accumulate correct data points to align the IS budget with the organization’s overall business needs. This can be accomplished by measuring the success of past improvements, ensuring compliance, enabling business objectives, and providing proof of improvements in incident counts and risk profile. IS managers or executives should also collaborate with other departments to ensure there is alignment between the various projects and resources throughout the organization.
Bad budgets happen to good people. However, it is important to remember that the IS threats to, and the legal requirements on, an organization do not disappear because the IS budget is not approved or is less than desired. Therefore, security personnel, including leadership, who are impacted by budgetary constraints must engage in creative and innovative thinking to make the most out of what is available for the organization’s IS concerns.
1. Wisegate, CISOs Discuss Best Ways to Gain Budget and Buy-in for Security, 2013, http://www.wisegateit.com/resources/downloads/wisegate-strategic-budgeting-report.pdf.
2. George V. Hulme, How to optimize your security budget, CSO ONLINE, May 12, 2015, http://www.csoonline.com/article/2153713/security-leadership/how-to-optimize-your-security-budget.html.
3. Joseph Granneman, What are the best approaches for security budgeting?, TECHTARGET, January 2015, http://searchsecurity.techtarget.com/answer/What-are-the-best-approaches-for-security-budgeting.
4. Joseph Steinberg, Are You Spending Your Information Security Budget On The Wrong Technology?, FORBES, May 3, 2015, http://www.forbes.com/sites/josephsteinberg/2015/05/03/are-you-spending-your-information-security-budget-on-the-wrong-technology/#5953b82532cd.
5. Barbara Filkins, IT Security Spending Trends, SANS INSTITUTE, February 2016, http://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697.
ICKES \ CALHOUN \ HOLT is a full-service, team-driven, and client-focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations, and ICKES \ CALHOUN \ HOLT is dedicated to advising clients on how to protect their information. Please contact us to discuss establishing or improving the information governance policies for your organization.