With high-profile data breaches continuing to make headlines with disturbing regularity, the general consensus on the cyber security front is that we need to be doing more. Of course, if you’re sitting down to discuss your company’s IT security budget, you’re going to need to get more specific than that.
Determining the right cyber security budget can be a challenge, especially for companies that are looking into security seriously for the first time and are unsure where to start. While one approach is to look to industry benchmarks — averages by vertical, percentage of overall IT spending, etc. — the truth is there is no universal right answer to determining your security budget.
You’ll need to determine what the top needs are for your company, specifically, as well as establish your tolerance for risk. The sooner you get key stakeholders involved in that discussion, the better, but to make sure the conversation is actually productive and leads to real buy-in, here are three common mistakes you should absolutely avoid.
1) Don’t try to make do without a dedicated budget
Budget discussions around cyber security are rarely easy, in part because it’s so notoriously difficult to measure and demonstrate ROI. Many compare it with investing in insurance: increasing your spending doesn’t inherently make you safer; it simply reduces your risk and helps you prepare for if and when things go wrong.
That means unless you’re actively dealing with a hack or a breach, security spending is likely something that’s hard to get excited about. Too often, it’s an afterthought, or money that gets assigned after everyone else has grabbed their piece of the pie.
You need to establish that security is a budgetary item that needs dedicated dollars assigned to it. It shouldn’t be money that’s coming from another place or that can be reassigned if marketing needs to do a new advertising campaign. Step one in securing buy-in is agreeing that security is important to the business, it has a purpose, and it needs funding.
After all, when it comes to security spending, the only wrong answer is zero.
2) Don’t ask for money before agreeing on needs & goals
Before you even think about asking for money you need to sit down with key stakeholders and come to a universal agreement on why security is a necessary investment for your organisation in the first place. There needs to be a clear understanding of what the priorities are, and how achieving those relates back to the primary business goals. Think of it as achieving buy-in and setting your bar.
The key to a productive “buy-in” conversation is to start out not with how the business can improve its security, but with how security can improve the business. To get there, here are three simple questions to help you drill down into what better security actually enables you to achieve and/or avoid:
- Why do we need better security?
- What are we trying to secure?
- What will happen if we don’t get this right?
Remember, your leadership team doesn’t have to understand how security works, but they do need to understand why you’re doing what you’re doing, and be on board with what you’re ultimately trying to achieve.
3) Don’t base your budget on what everyone else is doing
Be careful not to base your security planning and budgeting entirely on what others are doing. Just because a competitor has a security information and event management (SIEM) solution doesn’t mean you need to have one, and just because you spend 15 per cent of your total IT budget on security and they only spend 10 per cent doesn’t mean you’re inherently more secure.
Don’t waste your money and political capital trying to keep up with the Joneses. Spending isn’t what makes you secure.
There’s a big difference between using competitor research and industry benchmarks to inform your decisions and allowing those things to make your decisions for you.
The point isn’t to find a killer game plan to steal. You’ll still need to develop a custom blueprint that addresses your own unique needs. But by getting a sense of what constitutes good, better, and best practices for other companies you may have an easier job determining where you’re strong, where you’re weak, where it’s okay for you to be weak, and where you need to invest.
The Best Way to Handle Budget Disagreements
In an ideal world, once you’ve set your bar with your leadership team, a budget discussion should flow naturally. As long as you have a universal agreement that your goals are important to the business, then you should be able to come back to leadership with a list of things you need to execute in order to hit those goals.
There is bound to be push and pull when it comes to spending, however, and there may be times when you’re told the money you need simply isn’t there. When that happens, you need to bring the conversation back to the shared priorities you established with the leadership team. You should be able to say, “Remember the things we agreed were important? These are the activities and investments we’ve identified in order to hit our bar.”
You can still disagree on specific requirements, and you may have to make concessions or get creative to cut down on costs, but as long as you have that common ground to fall back on you should be able to have an intelligent discussion around the trade-offs between coverage and risk.
Ryan Berg is Chief Scientist at Barkly.