Yes, and here are the reasons
I recommend establishing a Cybersecurity budget first because it is essential to map out the biggest bang for the least buck. The process itself, and the knowledge gained along the way, is what makes it valuable: gathering relevant information and data, reviewing costs and expenditures, engaging with staff and leadership, and gaining an understanding of what is essential to the company provide the necessary foundation for cybersecurity planning, strategizing, initiative development, and assessing requests.
This concept of “following the money” reveals what is critical to the company and potentially at risk. That understanding is crucial to determining actual Cybersecurity and Business Risks. Countless times, I experienced newly hired, well-intentioned employees “starting to fix things” without understanding the business, inadvertently leading to frustration, misunderstandings, and conflicts across teams and among leaders.
Ok, so where do we start when considering a budget?
- Get a copy of your company budget and use this template.
- Create your preliminary budget by identifying and tagging existing Cybersecurity applications, hardware, and services. These include, but are not limited to, training, firewalls, vendors, audits, and virus scanners.
- Once these components are identified along with their associated competitive costs, meet with your CFO and the Accounting and Finance teams. Outline your findings and financial commitments, then really listen to their viewpoints about potential risks.
- Review and account for current business contracts, staffing, purchases, and services, and review at least the most recent two years of budgets for cybersecurity-related expenditures.
- All this data and information can be segmented and itemized as the initial Cybersecurity budget.
- As a final step, it is vital to review and get feedback on the Cybersecurity budget from the CFO and teams for accuracy and understanding.
Note: If possible, audit employee expense reports. It is surprising how often I found essential business enterprise services, applications, and contracts expensed on a personal account and/or listed as an employee expense. More than once, I encountered an “in use” critical business AWS root/administrator account owned and expensed to a personal credit card.
Once the preliminary Cybersecurity budget is created, what use is it? And why is it the Biggest Bang for the least Buck? It’s all about Risk.
To be BLUNT, Cybersecurity incidents, tasks, processes, activities, and crises are meaningless unless they are presented in an understandable and relatable form to your management team. Your executives may not understand Cybersecurity, but they are very familiar with Risk. Everyone understands Risk! Right?
Right, but not by the same definition or meaning. I found the following three definitions of Risk to be standard:
- Risk is the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction.
- Business Risk is anything threatening an organization’s ability to generate profits at its target levels; in the long term, risks threaten an organization’s sustainability.
- Cyber Risk commonly refers to any risk of financial loss, disruption, or damage to the reputation of an organization resulting from the failure of its information technology systems.
The subtly different viewpoints in these definitions can lead to disastrous misunderstandings. Your executive team will take any mention of risk as a business risk rather than a cybersecurity risk. Any business-related activity, Cybersecurity especially, must conform to the Business Risk definition to be successful.
Cybersecurity is a business-related activity
As a business-related activity, every Cybersecurity line item and request must provide your executive team answers to the following questions:
- What is the Risk?
- What is the likelihood of the Risk?
- What is the cost of the damage or loss of not addressing this Risk?
- How much will it cost to reduce this Risk?
Additionally, the Cybersecurity team must be able to answer the associated questions as they apply to the business:
- Is this Risk the highest priority Risk?
- Is this the most effective solution to Reduce the Risk?
You might be thinking, ‘Interesting, but what’s that got to do with the Cybersecurity budget?’
A budget shows where the company has critical components that might impact the sustainability of the business and must be addressed and maintained. A Business spends money to make money and will invest money to keep priority components running. As you investigate, gather, analyze, review, and develop the Cybersecurity budget, ask everyone about the components essential to the business, the likelihood of a Risk to those components, and why they were prioritized as they are, and understand the impact of those Risks on the business.
The resulting analysis will uncover a list of 10 – 20 critical Business Risks the company faces, and a review of the company budget will show the itemization of remediating those Risks. The Cybersecurity budget is a subset of the company budget, and every line item in the Cybersecurity budget must answer the six questions above and address, or provide corresponding remediation for, the company’s Business Risks.
The information security program’s success and any Cybersecurity initiatives are dependent on the intersection and applicability of Business Risk and Cybersecurity Risk. As the Cybersecurity budget is developed, identify the Business Risk of each line item with your CFO and Accounting team.
The responses to these questions articulate the Business Risk of each cybersecurity request, framing it as a business-related activity aligned with the company’s goals and sustainability.
An immediate goal is to identify, and raise awareness with your executive team of, any Cybersecurity Business Risks or related Risks without a line item in the current budget; in other words, a Risk that is not being addressed or remediated. For example, suppose a Disaster Recovery plan is a priority Risk, but no corresponding line item exists in the company budget. In this case, a priority Business Risk has a high likelihood of occurring and impacting the sustainability of the company.
Cybersecurity line items not associated with or linked to a Business Risk are destined to be ignored or to raise issues with your management team. The management team will see it as: why spend money on something that is not going to impact the business?
Ideally, all Cybersecurity line items address a corresponding Business Risk. Without this association, the Cybersecurity team will continuously have to address concerns about how and where these line items contribute to the business, generating frustration within the organization. An additional benefit is that this process of budgeting and review facilitates the development of a status report for your management team, to be discussed at a later date.
To wrap up, the process of meeting with stakeholders, getting knowledgeable about the company’s Business Risks, and understanding the overall criticality of the business is vital for the successful implementation, development, and sustainment of existing and new cybersecurity initiatives. Without understanding which risks relate to the company’s Business Risks and how, a Cybersecurity team will undermine the success of its own fundamental requests for services, applications, and asset allocations.
The Cybersecurity Budget is not about building a Cybersecurity Program; it is about how the Cybersecurity budget will support the company’s ability to generate profit and be sustainable.
Future Blog Topics: Developing a Risk Assessment, Presentations to the Board, Justification of Cybersecurity Purchases, Analysis of Effective Solutions, and other points.