This blog post on developing a security program budget is part of a multi-part series on designing an information security program in alignment with your most important business objectives. You can also watch the webinar or listen to the podcast that accompanies each blog post for more ideas.
Security executive effectiveness hinges on the ability to lead organizational change. No vehicle is more essential to change than the almighty dollar. For that reason, there is no tool in your executive arsenal more important than the ability to develop an effective budget and see it through the approval process.
Unfortunately, many leaders at the helm of the security program are never given the responsibility to develop a budget or do not have the prior experience to develop one. This common gap in know-how can put the entire security program at risk. So, in this post, we will discuss some of the basics involved in developing a security program budget and shepherding it through the approval process.
Why You Should Develop a Security Budget
If you are not convinced that building a budget should be a core competency of an effective security program leader, let’s review some of the benefits to the CISO as well as to the organization at large. This should help answer the “why” behind putting in the effort to develop a budget.
Benefits for the CISO
If you are a security program executive, the ability to develop a budget is going to be a game-changer for your career, and any security program you lead on a go-forward basis. Here is a quick rundown of a few of the benefits you can expect:
- Risk-Based Security Investment: Developing a security program budget will force the CISO to closely examine security program gaps and develop plans to close those gaps. This exercise will naturally help the executive focus on the areas that matter most and build a better security program.
- Business Alignment: In a quest to obtain resources, the security executive will naturally need to consider (and articulate) the business case for security program resources relative to the other important priorities for the organization. As a result, the security program will naturally fall in line with the organization’s overall business needs. A business-oriented CISO is respected by their peers.
- Executive Buy-In: Developing a budget is a great opportunity for peer executives to gain visibility and buy-in to the needs of the security program. Having advocates that understand why security is vital to the organization’s health is critical to any security program.
Benefits for the Organization
Information security is an essential part of the organization’s success. The CISO’s job is to help the organization understand this fact and appropriately prioritize information security amongst competing priorities. Here are a few of the reasons formalizing a budget will help the organization succeed:
- Financial Predictability: Accurate budgeting helps set expectations, provides the organization financial predictability and helps to avoid surprises.
- Security is Appropriately Prioritized and Right-Sized: With limited funds and intense competition for resources, a security budget will help executives decide where to allocate those resources compared to other important internal initiatives.
- Lower Risk, More Sustainable Business: The CISO’s ability to influence the organization to invest in security helps create a sustainable organization. Building a budget and getting it approved is a key element of security program maturity.
- Strategic Planning: The CISO is likely working from a 3-5 year strategic maturity roadmap approved by the executive leadership team. The budget should support the execution of that strategic plan.
The bottom line is that building a security program budget is the right thing for the CISO as well as the organization at large. Build a budget and everyone wins. Otherwise, security will be marginalized and deprioritized.
Good Questions to Ask in Advance of Preparing a Budget
Now that you are ready to build a security program budget, there are a few homework assignments. As a starting point, review and understand the standard practices of your organization’s budgetary process. If you are serious about getting your budget approved, this will give you a head start.
Here are a few good questions to ask before you start:
- Review the Procurement Process: What is the process to request new budgetary items? Consider factors like legal review and diligence steps, standard contractual formats, and who will need to be the final signatory for new expenditures. Understanding this system of organizational decision-makers will help the CISO work with the appropriate parties to get things done.
- Understand How Capital Projects are Approved: Some large projects (capital projects) that exceed a certain dollar amount or involve infrastructure you will reuse for several years require one-time approval and follow a more formal process. This often requires a detailed business case and approval from many stakeholders. As a rule, avoid putting any large new projects on a budget if they have not been vetted through the appropriate channels in advance.
- Understand Budget Format Expectations: Does the finance department prefer budgets to be in a standard format? If so, get a copy.
- Align with Internal Budget Practices: Does your organization practice zero-based budgeting (all expenses must be justified each period), does the finance department routinely ask to cut cost year over year, or are you allocated a certain percentage increase each year? You will need to adjust your budgetary approach based on these factors.
- Identify and Collaborate with Decision-Makers: Will you be expected to collaborate with peers to develop a budget? Is the security budget pooled with IT or engineering or is your security budget a stand-alone? Who is responsible for budget approvals? Will it be a budget committee or left to the discretion of the CFO?
- Identify Budget Due Dates: Most organizations have a standard budgeting process. The process is often annual or quarterly. Find out what the budget cadences are in your organization. Never miss a due date.
- Review Existing Budgets: If you are a new CISO (or new to developing a budget), find out if there is an existing budget. Even if there is not a formally documented budget, there may be a security accounting code your finance department is using to allocate expenditure toward security-related line items. If there is a budget, review it before you develop your own. Studies show most organizations are investing between 4% and 10% of their IT spend on security. This figure is rising year-over-year and typically does not include compliance investments.
Understanding the above points will provide the best opportunity to acquire the resources you need to support the organization’s security objectives. Get these steps right and hone your budget strategy accordingly. Remember, the success of the security program hinges on the CISO’s ability to obtain the appropriate resources.
Now that you understand your firm’s budgetary processes, let’s review the tactics of building a security program budget.
Budget Template and Tips for Preparing the Budget
In this section, I am going to be walking through a few important considerations in designing a security program budget. If you want a shortcut, you can download this budget template spreadsheet to get started.
Budget Categories Make Organizing Budgets Easy
The first step in developing a security program budget is to develop a logical organization of budgetary items. For me, this is the only way I can think through the resources the organization will need to maintain an acceptable security posture.
There are a thousand ways this could be organized, but the way that makes the most sense to me is to break it down by audit and compliance activities, security team members (salaries), capital projects (large one-time projects), and then organize the rest of the budget using a popular security framework. In this case, I used the CIS CSC Top 20 framework as the overarching categories.
(I like to use the CIS Top 20 because it is an easily understood framework with a lot of free resources that map controls to potential toolsets. For me, it is a great place to start, but I recommend you leverage whatever makes sense based on your organization’s needs. ISO 27001 and NIST 800-53 are also popular choices that I have used often.)
Organizing the budget like this helps me identify likely security program needs and sorts them into logical categories. It also helps provide a framework to explain the budget to other stakeholders in a way that is easy for the non-security executive to digest.
Estimating Budget Ranges Reduces Ambiguity
Costs for a budgetary line item may be known or estimated. For example, if a budgetary line item has a variable cost or has not yet been approved, the exact cost can only be estimated. However, you will still want to include these line items in your budget.
To handle budgetary ambiguity, I find it helpful to have a budget range (Low, Projected, High) for most line items. The budget range provides a planning factor even when there is some uncertainty in the exact cost. From my experience, it is better to over-estimate costs and come in under budget than to ask for more money later. Your finance team will appreciate this clarity.
Tip: If you land on a budget line item and have no idea where to begin in terms of cost, try calling a colleague or vendor. From my experience, a phone call or email can return a very accurate range with little effort.
Identify Shared Budgets and Collaborate for the Win
As we discussed in part 1 of this blog series, one challenge CISOs face is that there is a lack of clarity in the role. As a result, there is also a lack of clarity in what budgetary items belong under the jurisdiction of security. The most common area where ownership is unclear is the one between security, information technology, and engineering.
For example, who owns upgrading the firewalls? Who owns the budget for application penetration testing? Who owns the budget for the latest endpoint device management solution? Who owns the budget for log aggregation and analysis? Who owns compliance and certification spend? It is easy to understand why assigning an owner to many initiatives is difficult.
However, this ambiguity in ownership is an opportunity, not a challenge. Rallying multiple leaders around a mutual objective creates a significant advantage when it comes to getting a budget approved. If several leaders mutually agree something is important, it probably is!
If you can identify co-owners or potential collaborators in your quest to acquire resources, your team can coordinate together to build a business case for budget approval. From my experience, if you can get another leader on board with resource allocation requests, chances of approval improve dramatically.
Advice on Seeking Budget Approval
Be Patient and Have Empathy
Be patient and have empathy with your non-technical stakeholders.
Developing a security program budget requires pragmatism, a lot of research, and a willingness to explain (and reexplain) why security is important to the business.
Security is an expensive endeavor, and for non-technical stakeholders it may be difficult to intuitively understand the return on investment of security expenditures. As the security leader, it is your job to present a clear business case and be willing to explain it as many times as necessary to get everyone on board with the mission at hand.
Master the Art of Building a Business Case
If your budget includes large projects or line items that require closer examination and leadership approval, obtaining that approval will likely require additional steps. In this case, the most powerful tool in the business leader’s budgetary arsenal is the ability to build a business case for projects and resources.
A business case will lay out the opportunities and costs associated with your security initiative and help validate (to yourself and other stakeholders) the return on investment for your proposal. When developed effectively, a business case will help the security executive self-eliminate projects that do not add value to the organization (and thus should not be brought before leadership) and greatly increase the chances of approval for those that do.
If you are wondering how to build a great business case, do not worry! That is where we are headed next. Stay tuned for “Part 4: Building a Business Case for Security Initiatives”, the next part in our series that will be published soon.
Let’s Get Started
If you have questions or if your organization needs help developing a strategy for security program maturity, reach out to our team and we can help.