Building a budget for your security program can be a frustrating task. The effectiveness of your security program depends heavily on your ability to plan and pitch for the funding that will fuel security initiatives in the upcoming year. However, many first-time CISOs, and those new to their organization, struggle to create and pitch budget proposals in a way that gets executives excited to buy in.
The truth is that the best security programs and budgets are risk-based. They directly support the overall business strategy and turn security decisions into business decisions. So it may come as no surprise that this article will help you understand how to approach creating a risk-based security budget.
Before we get into the namesake of this article, let’s get something straight. This article will not hand you a security program or budget that meets your organization’s needs. Every company has risks and security needs that are unique to its business objectives (in other words, there is no one-size-fits-all template). However, this article can serve as the foundation for a risk-based approach to creating, pitching, and negotiating next year’s security budget.
Risk-based security budgets focus attention on supporting major business goals first. You must go in focused on what matters most to the executives’ long-term and short-term strategies (more on that in the next section). Because your budget will need detailed information that matches business objectives, be prepared to sift through a lot of information, software options, and pricing before you arrive at what will ultimately be in your final security spending pitch. We recommend a three-list approach to organize the chaos.
To use this approach, first create three lists. Title the first “Security Must-Haves”, the second “Like to Haves”, and the last “Security Maturity Movers”. Any security measure needed to keep your company’s main business objectives operational belongs on the “Security Must-Haves” list. Any risk that isn’t tied to a business objective is a secondary need; save those for your “Like to Haves” list. The third list is for initiatives that will move your security maturity forward but don’t fit into the first two boxes; these are long-term security posture improvements, and we call them your “Security Maturity Movers”. Go into the budget process expecting that anything on the last two lists may not survive budget cuts. That’s ok. Executives are hyper-focused on moving the company forward, and starting your security budget by aligning it to the business objectives lets you enhance their goals.
Security Must-Haves: security measures that keep your company’s main business objectives operational.
Like to Haves: security measures that support business operations but are not tied to main business objectives.
Security Maturity Movers: initiatives that don’t fit the first two lists but improve long-term security posture.
A central part of a security leader’s job is to protect the organization from current and future threats. That means you must align your security program to future business operations to be successful. So, before you look at anything security-related, you must first understand the motivations of those who hold the purse strings.
Anything your executive team considers a primary business objective for the next year is a primary security need when you build your security program and budget proposal. Once you know what your executives are focused on achieving, you can apply the three-list approach to risk-based security budget building.
Next, take those business objectives and define the security risks associated with each. If you’re launching an app next year, ask “what threats does that expose us to?”. If you’re opening a new location that will require locally sourced vendors, you’ll need to know the risks those vendors pose. Tying security risks to business objectives not only produces a risk-based security program but also validates each security need during your budget pitch to executives.
Defining potential risks to future endeavors requires a certain amount of forecasting. You’re up against many departments lobbying for critical dollars, so you cannot rely on speculation when tying risks to overall business objectives. VerSprite’s GRC team recommends an Organizational Threat Model (OTM) to understand your current security gaps and anticipate the risks associated with new business initiatives. Threat models help you identify threats before they materialize and provide an independent resource to back up your security asks in the budget pitch. Many security leaders use Organizational Threat Models as the blueprint for their security program.
The last step before you assemble your budget proposal is to look at your current IT stack and assess your security success so far. In this stage you need to weigh the cost of services and software against their worth, because your budget proposal will need to lay out the opportunities and costs associated with your security initiatives to show a return on investment. A set of security metrics will help you quickly determine “trends, improvements, and efficacy around prevention, detection, and response”. If a piece of software costs more than it is worth, eliminate it or scale it back and redirect that spending to something more aligned with the new business objectives. (Pro tip: executives love to hear that you are “scaling back” spending to reallocate budget toward what they care about. You’re basically doing their job for them. Mentally send them a “You’re welcome” email.)
If tying your security needs to business objectives is the key to creating a budget that stakeholders want to buy into, this next part is the door that either opens or shuts in your face. As you create your budget pitch, it’s critical to put technical risks into a language stakeholders understand. That means putting a price tag on security risks.
Go back to your “Security Must-Haves” list, built around next year’s primary business goals. As you tie security risks and needs to each goal, add what it would cost for that goal to be pushed back or disrupted. For example, to estimate a potential loss, ask “what is the cost to the business if a particular system goes down for a week?”. Maybe that scenario carries a potential revenue loss of $300,000. Against that price tag, the cost of preventing it looks like a much better investment.
This approach won’t work for everything in your dream security budget, which is why the three-list prioritization comes in handy. Executives are most likely to buy in to the items most critical to the overall business strategy. After that, they’ll determine whether there is any room in the budget to go above and beyond.
Budget cuts are like taxes: inevitable. Some years are worse than others, but there’s a reason analysts like Gartner are reporting a 61% increase in cybersecurity investment right now: the constant assault on everyone from SMBs to enterprises is forcing executives to make cybersecurity spending a top priority. If you use the three-list approach described earlier, you’re less likely to be set back if asked to cut your security program budget, because the items tied to business objectives are already separated from the ones that can wait.
Still, it doesn’t hurt to have some wiggle room. In a recent LinkedIn Live, VerSprite’s Director of Threat Intelligence and a VerSprite GRC consultant recommended adding 10% wiggle room to your budget. This helps ensure all your primary “Security Must-Haves” make it into the final budget and leaves room for “Like to Have” items and “Security Maturity Movers”. Pitched to your executive board as items that push your maturity level forward but aren’t necessary for day-to-day protection, these are more likely to be seen as more than budgetary fluff. The board may approve them in this year’s budget, or ask you to adjust the budget so you reach that level the following year.
If your entire budget is approved, including that 10% wiggle room, be prepared to spend it in a way that not only covers compliance and secures the business goals but also moves your security maturity level forward. This can define your role as a leader within the company and strengthen your case in future budget years.
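To make the pricing and prioritization steps concrete, here is an added worked example written for this article; it is not VerSprite’s tooling or a prescribed method. It turns each risk into an expected annual loss (reusing the $300,000 weekly outage figure above), sorts candidate initiatives onto the three lists, expresses return on investment as avoided loss per dollar, and builds an ask of the must-haves plus 10% headroom that is spent on like-to-haves and maturity movers in ROI order. The probabilities, impacts, costs, effectiveness fractions, the rule that an initiative is a must-have when it covers an objective-tied risk, and the reading of the 10% wiggle room as headroom on top of the must-haves are all assumptions made for illustration.

```python
"""Risk-based budget prioritization: an added illustration, not VerSprite's tooling.

All figures below are constructed assumptions (probabilities, impacts, costs,
effectiveness); the $300,000 weekly outage loss is the article's example number.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Risk:
    name: str
    objective: Optional[str]   # business objective it threatens; None if not tied to one
    annual_probability: float  # assumed chance the loss event happens this year
    impact_usd: float          # assumed loss if it does (e.g. revenue lost in a week-long outage)

    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.impact_usd


@dataclass
class Initiative:
    name: str
    cost_usd: float
    # risk name -> fraction of that risk's expected loss the control removes (assumed)
    risk_reduction: Dict[str, float] = field(default_factory=dict)


def classify(item: Initiative, risks: Dict[str, Risk]) -> str:
    """Assumed rule for the three lists: must-have if it covers an objective-tied risk,
    like-to-have if it covers any other risk, maturity mover if it covers none."""
    covered = [risks[n] for n in item.risk_reduction]
    if any(r.objective is not None for r in covered):
        return "Security Must-Haves"
    if covered:
        return "Like to Haves"
    return "Security Maturity Movers"


def avoided_loss(item: Initiative, risks: Dict[str, Risk]) -> float:
    """Expected annual loss the initiative removes: the 'return' in its return on investment."""
    return sum(frac * risks[n].expected_annual_loss() for n, frac in item.risk_reduction.items())


def build_proposal(risks: List[Risk], initiatives: List[Initiative],
                   reserve_fraction: float = 0.10) -> dict:
    """Fund every must-have, ask for reserve_fraction headroom on top, and spend the
    headroom on like-to-haves first, then maturity movers, best ROI first."""
    by_name = {r.name: r for r in risks}
    lists: Dict[str, List[Initiative]] = {
        "Security Must-Haves": [], "Like to Haves": [], "Security Maturity Movers": []}
    for item in initiatives:
        lists[classify(item, by_name)].append(item)

    must_total = sum(i.cost_usd for i in lists["Security Must-Haves"])
    headroom = reserve_fraction * must_total
    funded, deferred, remaining = [], [], headroom
    for bucket in ("Like to Haves", "Security Maturity Movers"):
        for item in sorted(lists[bucket], key=lambda i: -avoided_loss(i, by_name) / i.cost_usd):
            if item.cost_usd <= remaining:
                funded.append(item.name)
                remaining -= item.cost_usd
            else:
                deferred.append(item.name)  # pitch again for next year's budget
    return {
        "must_have": [i.name for i in lists["Security Must-Haves"]],
        "funded_extras": funded,
        "deferred": deferred,
        "must_total_usd": must_total,
        "headroom_usd": headroom,
        "total_ask_usd": must_total + headroom,
        "roi": {i.name: avoided_loss(i, by_name) / i.cost_usd for i in initiatives},
    }


# Constructed sample inputs: hypothetical objectives, risks and controls.
RISKS = [
    Risk("Customer app down for a week", "Launch the mobile app", 0.25, 300_000),
    Risk("Breach via a local vendor", "Open the new location", 0.10, 500_000),
    Risk("Phishing-led credential theft", None, 0.50, 120_000),
]
INITIATIVES = [
    Initiative("App pentest and WAF before launch", 60_000, {"Customer app down for a week": 0.6}),
    Initiative("Vendor security assessments for the new location", 25_000, {"Breach via a local vendor": 0.5}),
    Initiative("Phishing-resistant MFA rollout", 8_000, {"Phishing-led credential theft": 0.8}),
    Initiative("IR retainer and tabletop exercise", 20_000),
]

if __name__ == "__main__":
    for key, value in build_proposal(RISKS, INITIATIVES).items():
        print(f"{key}: {value}")
```

With the constructed inputs the ask is $85,000 of must-haves plus $8,500 of headroom; the MFA rollout has the best avoided loss per dollar and fits in the headroom, while the IR retainer is deferred to next year’s list. In practice the risk entries would come from your Organizational Threat Model rather than being typed in by hand.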
We know this article may make it seem like using our approach to plan your security program budget is easy, but we know it’s not. Budget season is stressful for everyone (including the author of this article). You have a lot riding on getting the security spending you need, because you are the organization’s defense against threats. That’s a big burden to carry.
This approach is endorsed by our team of professional vCISOs, whose job is to help organizations create security programs and get budgets approved. It works for them, and it could work for you. If you aren’t 100% confident in how to create a security program your executives will buy into, we have many resources linked within this article for you to explore. If you’re an IT leader tasked with security operations, or an organization without a CISO leading your security initiatives, we can help you define what’s necessary to build the program and budget you need.
Security is a burden all companies must bear. Good luck getting your budget approved, and reach out to us if you have questions.
VerSprite is a global leader in risk-based cybersecurity and PASTA threat modeling. Our offensive security approach goes beyond assessing security controls to examine credible threats to understand the likelihood of real-world abuse cases and measure the magnitude of the business impact if a breach should occur.
VerSprite has proven that by developing a holistic business/IT risk view, security decisions become business decisions. They believe an integrated approach will result in better and more cost-effective security practices and better business outcomes overall. To learn more about our services, visit our service list or contact us to speak to a security advisor today.