Managing an IT security budget effectively is getting more and more complex every year. The pressure for showing return on every IT spend is as strong as ever, and cybersecurity budgets are not immune to those pressures. Understanding how to include a return calculation in that cyber security budget pitch can make or break the approval.
The challenge begins when you request badly needed increases in cyber security only to be told, “There were no incidents last year, so why am I spending this money in the first place?” Cyber security spends often do more to protect than increase revenue. You are effectively buying silence, which means it can be hard to identify the real return on that spend.
Creating a comprehensive security budget pitch
As a CEO, if I’m going to spend more money next year, I better know why. So whether you are struggling with your pitch, you’re ready to present or still putting together your budget, here are my top two tenets of evaluating a security spend:
- Describing the investment: I prefer to see a request in terms of a larger security framework. To that end, I like to know whether a specific request addresses people, process and/or technology. Process is good change management tools with authorization enforcement; code reviews are examples of investments that can increase security. Technology is the easiest to see because it’s generally a specific security appliance or service that protects against a specific threat vector. When talking about spending on technology for a specific threat vector, I like to see the people and process components of that as well. The technology my CIO wants to purchase should be in line with what I can afford and comprehensively addresses what my organization needs. People should have security expertise and a culture of security consciousness. Sometimes the only way to get both is to outsource it to a company who has specializes in security services.
Preferably, the budget should touch more than one of these aspects at a time, and the spending should be equally distributed among each of them.
- Describing the return: When describing the return of a cyber security investment, I like to start with the value of the data it is protecting. Since cyber security is a risk mitigation exercise, I like to ask, what assets exactly is this protecting? This begs the question, what is the value of my data?
Boards are waking up to the value of their data and the cost to their brand when breached. It’s important to frame cyber security threats in that context for them.
When it comes to describing the return, is it sustainable? Will this protect me in the future or only until the next new threat comes out? For example, some process changes will help regardless of specific security threats or hacks, while certain technology only focuses on a specific aspect of security. Log Review, where logs are regularly reviewed by heuristic algorithms and people to identify issues quickly, is a good example.
This should give you an idea of how to structure a successful proposal. Remember, these are just some of the things I look for—there are many other components to putting together a successful security budget.