Stand Ready: Crafting Your Security Budget for 2020

Chances are you are considering an increase in your IT and security budget for 2020, and you are in good company.

80% of respondents in the 451 Research Digital Pulse survey report a planned security budget increase, with an average increase of 17% across the survey population. With increased threats, increased threat actors, compliance concerns, the speed of globalization, and the data-centric nature of most businesses making them a target, businesses must stand ready and will use budgetary and personnel resources to do so. Knowing what total percentage other organizations spend is not useful; what matters is how ready those dollars actually make the organization. But where to spend, and how?

Spend Smart
Coordinate across business units and with multiple managers

Smart spending is not reactionary, nor does it throw resources around indiscriminately. One of the biggest pitfalls is throwing money blindly at security and expecting better results. As for where the budget spend occurs: is the security spend still under the IT department rather than allocated as an operational (or, in the case of hardware, sometimes capital) expense?

CFOs should know what benefits they are receiving for the money currently being spent. Wise CFOs will seek the advice of their IT managers and coordinate with each business unit director to identify duplicated efforts, avoiding wasted dollars in the form of redundant software licenses, and to assess what new risks may need to be considered since the beginning of the year. Besides money, redundant software wastes another important resource: time. The IT department spends time keeping software updated and secure. Consider eliminating products that you aren’t getting value from. Perhaps they were implemented at the insistence of an auditor or an employee who is no longer around, or you may have a similar product with the same functionality.

Much of the security risk to a business originates within the organization because of mistakes, poor security protocol, or a lack of enforcement of protocol. Are there new lines of work that include new protocols or new software usage to consider? What are the company policies regarding staff using their own devices for business purposes? Who is in charge of credential management and password policies? Sometimes an investment in a password locker like 1Password saves employee resources while allowing critical business data to remain safe and accessible.

Check the Value:
Does your organization have the level of readiness it needs using the controls you currently have? Are there upgrades that have been delayed in the current year that need to be addressed immediately? Before adding new solutions to any existing security systems, take time to reassess any legacy systems to ensure they will complement newer controls. 

Executives must carefully evaluate their risk exposure specific to their industry, assessing and managing a set of risks. It should be determined which threats are most probable, which threats are trending and have succeeded in the industry, and which have the most destructive potential. How will these affect your insurance premium?

Personnel: the who and how of implementation
When evaluating the security budget, staffing is usually the highest expense and often the first order of business. Hiring cybersecurity experts when the effective rate of employment is in the negative numbers is a challenge, to say the least. Factor in a large amount of time to find candidates for open positions, with further resources earmarked for employee retention. Outsourcing, or a combination of insourcing and outsourcing, should be considered. An outsourced or combination approach to staffing allows the budget to be stretched to include software suites and access to a full contingent of staff.

A holistic risk and resource assessment of your business will yield a great deal of data to analyze, allowing intelligent recommendations, smart allocation of dollars, and a stronger security posture.