cyber risk budgeting

It’s Q3: Time to build your cyber budget for 2019!

Fast forward to 2019. Actually, scratch that, 2019 is already here. ESPECIALLY if you are budgeting. In that case, you are already under the 2019 gun.

If you are involved in cyber budgeting, one of the challenges you will face is deciding how to prioritize the cybersecurity budget and communicate those priorities to the C-suite. In this blog, we discuss a new way of thinking about HOW to build the cyber budget.

Cyber crime damage costs are projected to hit 6 trillion in 2021 and cyber spending in 2018 is projected to be almost $90 billion. Collectively, we ask ourselves “Why is this so hard?” Currently, spending on cyber is very technology-focused. In fact, 65% of cybersecurity professionals surveyed said they see their Technology spend will increase in the next 2 years. While technology is critical, what is equally critical is that cyber leaders start thinking about security more as a business enabler.

Many cybersecurity leaders I talk to describe their budget process like this: They make lists of: 1) products they might think are cool (they may have encountered these products at trade shows, word-of-mouth, referrals, etc.),  2) products they know their organization NEEDS for basic hygiene, and then 3) products they will actually show to their boss and get budget approval for (products the company can actually afford). They end up with some solid lists, but there is little to know strategic tie to the business propping those lists up.

My advice (which is definitely worth the price of this BLOG) – start by asking yourself these two questions: “Are you SMART about spending money?” and “Are you getting THE VALUE you need?”

So how do we define value? These four questions can guide you in that process:

1)What is the business trying to accomplish?

2)What risk does that strategy create?

3)Where does cybersecurity fit in?

4)How do I measure success?

Why don’t people ask themselves these questions more often? What are some barriers that prevent us from thinking this way? In my opinion, the main barriers are: groupthink, technology driven decision making, lack of empirical data to support decisions and no linkage to key business drivers. Where do you start in overcoming these barriers? I like to follow this 3-step process:

Step 1: Start from the top down.

The bottom-up approach is the historically common approach (Threat > IT System > Business Process > Enterprise Strategy). We recommend going top-down instead (Enterprise Strategy > Business Process > IT System > Threat) because this forces you to think about the business’s priorities and how they relate to threats, not analyze each threat individually first. While you are at it, make some decisions about what amount of risk you are willing to accept. As your risk acceptance goes up, you budget goes down (and vice versa).

Step 2: Extend conversations to the right people.

The typical characters included in cyber budget talks include IT, the C-suite and Legal / Risk teams. By extending those conversations to other teams as well such as Finance, HR, Accounting, Sales and many others, leaders get a more holistic view of the issues. There are many issues that can be prevented by doing this. For example, I recall a CISO of a large organization who once told me that he spoke to his company’s risk officer for the first time in his two years of being at the company and only then did he realize that the Risk Officer was ensuring the company and paying for preventing completely different risks than he was budgeting for. This is why it is so important to get all teams aligned on you company’s cybersecurity budget.

Step 3: Map it out.

“If you don’t know where you’re going, any road will take you there.” – Alice in Wonderland. I’ve seen all of us do things that are really important in budgeting and prioritization but they are not aligned to strategic initiatives in the business.

Below is a summary view of how you can map out your process:

My goal is for this blog to help you tie business initiatives to threats to the business risks to security initiatives and rationale. I have recorded a webinar on this topic as well if you would like to learn more. For a detailed copy of the Budget Plan Worksheet, please email Anna Pleshakova at apleshakova@nehemiahsecurity.com