Building an effective and resilient organization on a budget isn't a small task. When it comes to cybersecurity budgets, there are many different aspects that need to be considered. Thankfully, alignment with industry best practice and recognized security frameworks adds a small amount of clarity to this challenge. When presenting the webcast “It’s all about the price tag, baby!” during BrightTalk’s Economics of Cyber Security 2018 summit, I discussed the breakdown of an incident by touching on things such as conducting public relations, hiring a call centre, retaining legal counsel, bringing in third-parties to assist with investigations, and more. Quite a few of these costs are not expected or planned for by the organization. Due to a lack of business resilience, an incident can affect not only the financial side of the business but also the reputation. The court of public opinion, for example, can be an organization’s worst nightmare, especially following an incident if the public feels the affected company is lacking transparency or is ineffectively planning and protecting their personal information. My point being, organizations can actually minimize, plan for and even take care of a lot of these unexpected costs by implementing preventative measures. That includes building a responsible cybersecurity budget using the following considerations:
- Ask your operations team what they feel is missing day-to-day?
- Does the operations team feel they need additional training, more tooling, further access, and/or more resources?
- When was the last time your organization did a risk assessment?
- When was the last time you held a table-top exercise with your incident response team, and has the non-technical incident responders ever participated in one?
- When was the last disaster recovery simulation run?
- Has the organization ever organized a cybersecurity maturity assessment?
If you are unable to answer the above questions, this is a worrying sign. Open and honest communication across the operations team is vital for your organization in order to recognize its needs. If operations are overworked, how are they going to be able to respond to events outside of the day-to-day requirements? Risk assessments and cybersecurity maturity assessments are brilliant ways to recognize the gaps within cybersecurity programs. The former assists in prioritizing controls, training, defensive remediation, and areas in need of offensive testing. The latter reveals the granular details of where actions need to be taken as well as identifies places where the organization already excels in and might not need as much focus.
Budgets Require Evidence
When I speak to organizations regarding cybersecurity programs, I look at their technical controls, provided technical skills training, in-house understanding of roles and responsibilities of security, awareness campaigns, and perception from outside the operations team. I do this because I want to know how the operations team is supported from across the organization, not just within their team. Oftentimes, I see a gap in external team's understanding of the cybersecurity operations team duties; this is usually due to a lack of communication but also a lack of awareness of the cybersecurity needs. When asking for budget, consider the following:
- How many times does your senior leadership receive a report on the successes of the operations team, and does this report have metrics in place to measure improvement?
- How is the awareness of the organization measured and affected?
- Is there a detailed guide that breaks down where the spending has gone in the past, changes that have been made for the new year, and other expectations and assumptions?
- Is there a summarized guide on the overall budget plan? Note: Senior leadership might not have the time available to read through your detailed guide, but they may still wish to know that you put the time in to investigate. Therefore, a summary of these details will help them make educated decisions.
- Is the culture or perception of the organization negative towards cybersecurity operations? Note: This can definitely cause issues when asking for budget. As such, consider making a point of highlighting where these changes enhance other department's functions.
- Does the organization need to align with any regulations? Can you take existing statistics, research, and/or trends from credible sources to quote within your findings?
When preparing to present your findings to senior leadership, consider your relationship. Trust, understanding, and respect go a long way. With that in mind, it may be worth taking the time to build this relationship further and understanding through consistent reporting, education, and training. If you truly are struggling with ‘selling’ your cybersecurity needs, then re-consider how you’re presenting these objects. Is senior leadership aware of the true needs of the organization’s security posture? If not, it is your job to educate them. You can do this by checking out the United Kingdom’s National Cyber Security Centre’s Board Toolkit, which provides training and guidance to enhance a Board’s knowledge in order to help its members make educated decisions on needs. Review the existing organizational risk register and make sure it includes reliable information on cybersecurity. Make sure your budget reflects their focuses. Work with them as a team effort to demystify and clarify the cybersecurity requirements that they don’t understand. As a result of implementing a strong cybersecurity budget request, senior leadership can acknowledge the experience and needs of the security operations management, and they can make educated decisions based on the presented facts and historic information. The cybersecurity budget request should contain awareness of the overall organization plans, expectations, and risks. This final piece should include planning for future growth of the organization including the separate departments. Exactly how much should an organization spend on cybersecurity? From my experience, there isn’t a ‘right’ answer. It’s based on the holistic approach of the organization, their current state, and the inherent risk that exists.
- Others have classified an average of 5.6% of the overall IT Budget, according to the Gartner’s December 2016 report, with the range being listed between 1% to 13%.
- More recently, Deloitte and FS-ISAC reviewed financial institutions’ spending in the fall of 2018 and found that they paid approximately $2,300 per full-time employee. The percentage of spending ranged between 6% and 14%, which averaged to 10% – or 0.2% to 0.9% of an organization’s revenue.
Cost considerations for short- and long-term investments within a budget. When speaking at OWASP London in 2018, I presented on maintaining an effective security program. Within this discussion, I talked about having the right people in place, speaking the same language across the organization, and pursuing continuous improvement. Not all budgets will have the same expectations. Some will require an expected level of spending, while others will require larger investments of the organization. Short-term investments may involve up-skilling existing operations team members, while long-term funding could involve the implementation of new security controls, possibly whilst phasing out an old solution. Initially, new technologies often have a large upfront purchase fee. This can include professional service hours, implementation fees, and training for your operations team member(s). However, over time, the cost is often reduced. Skilled teams who are treated well and are retained can continue to tailor and enhance solutions to your organization’s needs, including removing solutions that are no longer needed. I always recommend training for the in-house operations team members, even if maintenance is held in a third-party. If no one in-house knows how the solution works, how can awareness be effectively taught, how can the third-party be effectively managed, and how can incident response teams respond? If documentation is out of date, this is a security issue. Having in-house persons maintain this can build understanding and foster collaboration between in-house and third-party operations. Realistically, however, can we rely on aligning our % of budget spending to measure effective investment? Based on the organizations I have supported, I don’t believe a number alone is going to make the difference. When building a security program, I look at this inherent risk an organization expects. Within the Deloitte and FS-ISAC survey findings on financial organizations, the piece that stands out to me is figure 4: three characteristics that set adaptive companies apart. These are as follows:
- Secure leadership and board involvement.
- Raising cyber security’s profile within the organization beyond IT.
- Aligning more closely with business strategy.
Simply put, make sure your cybersecurity program has top-down support and understanding and that it was designed in a way that closely resembles the organization’s focus and needs. Lastly, and most importantly, every single person within the organization needs to know their role when it comes to the cyber defense team. If you check off these three boxes as part of a cybersecurity maturity assessment, I believe your cybersecurity budget is being spent and used effectively. If an incident happens but your organization is prepared and knows how to respond, it isn’t the budget that’s saving you. It’s the maturity of your cybersecurity program.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.