Careers & People
4/27/2016 02:30 PM

4 Tips For Planning An Effective Security Budget

Security budgets start with managers assessing all of their resources and measuring the effectiveness of their security programs for strengths and weaknesses

Where does the information security budget reside and who owns it? That's an ongoing debate as organizations allocate resources to protect critical assets in a dynamically changing technology and threat environment.

In many organizations, the chief information security officer reports to the chief information officer, because security operations and the security budget sit inside the IT department. According to the Ponemon Institute's 2015 Global Study on IT Security Spending & Investments, only 19 percent of surveyed respondents say the IT security leader controls how resources are allocated. Instead, the budget is in the hands of the CIO or chief technology officer and business leaders.

The report concludes that security leaders must learn how to influence these senior executives if they want to change how budgets are allocated. Ponemon surveyed 1,825 IT management and IT security practitioners in four global regions for the report.

There are many similarities between the security and IT worlds, as both are part of a rapidly changing landscape shaped by the rise of cloud computing, mobility, software-as-a-service, and virtualization, says David Frymier, CISO of Unisys. "The security budgeting is similar to what is going on in the IT world," he says.

But he also notes that there are conflicts of interest between the two functions, and some security practitioners and experts are making a case for the separation of the disciplines. In some cases, CISOs are reporting to chief risk officers or chief compliance officers.

At Unisys, security is part of IT, and the actual budget number is held at a very high executive level. The CIO has a budget number that is part of the corporate financial plan. The details of that budget aren’t farmed out to managers that report to the CIO in any sort of hard and fast manner, Frymier notes. Instead, the managers have a plan and an outlook, and progress against the plan is measured on a monthly basis.

"Things change on a very fluid basis all year long," he says. Even if an item was in the financial plan at the beginning of the year, when it comes time to actually spend the money, the business case has to be made again in the current context. Other priorities may have emerged, or the issue may no longer be as acute as it was at the start of the budget process, he says.

For security managers looking for ways to help their organizations plan an effective security budget, Frymier and Greg Boison, director of homeland and cybersecurity at Lockheed Martin, shared some advice:

1. Assess and Inventory Current Resources: "Security budgets start with baselining what you have," says Boison. Security managers have to conduct a proper inventory of all the tools, staff, and resources they currently have. Then they should apply metrics to determine how many of the events launched against the enterprise were actual risks, as opposed to the thousands of alerts and sensor events that were merely logged. This tells managers what resources they have, how successful those resources were in mitigating attacks, and where the gaps are. They can then say 'here are the gaps in the mitigation of threats in the enterprise and here are the things I need to make it safer,' Boison says.

2. Get Creative in Procuring New Technology and Resources: The security budget is a complete bill of materials for everything needed to run the security program, which includes equipment, software, people, training, maintenance, and perhaps cloud computing approaches such as software-as-a-service and infrastructure-as-a-service, says Frymier. "All that material fits into a taxonomy," where each item is either a capital expense, meaning hard goods such as servers, software licenses, and workstations, or an operating expense, such as people and their salaries, he says. Cloud computing and a services orientation are shifting organizations toward operating expenses. Most accountants say this is a good thing.

Organizations are also looking at creative ways of implementing new technology through capitalized projects. For instance, FireEye offers advanced malware detection and remediation. Some accountants would treat FireEye as a new business function and declare it a capital project, Frymier says. All expenses associated with it (labor, equipment, software licenses, training, and implementation costs) could then be spread out over three, five, or seven years, just as managers would do when buying equipment for a new factory. By contrast, if security managers decided to switch their antivirus vendor from Symantec to McAfee, that is unlikely to qualify as a capital project, because the company already had an antivirus function.

This kind of accounting and budget detail can get arcane, and technical people tend not to be interested in it because it is difficult to understand. "When I was first exposed to this concept it made no sense to me and I was unconcerned how things were accounted for," Frymier says. "But as you move up through the management ranks, these things become more important."

3. Beware: Don't Be Too Technology-Focused: Managers should not view the security budget as principally being about tools; people and talent play a big role in an effective security program, says Boison. Many CISOs focus on the latest tools and wind up bringing in yet another blinking box, he says. "More mature organizations are focused on leveraging and utilizing what they have." Managers in those organizations push their existing systems and tools to their full functionality and only then add another tool. Every tool adds complexity, which can lead to inefficiency in how it is implemented and run.

Frymier agrees. "The best way to blow your budget is to allow yourself to be sold a shiny bubble and not understand what goes along with the technology." This often happens when managers have not identified their requirements or gone through a structured procurement process. Usually it involves executives outside security or IT who purchase a tool thinking it is going to solve all of their security problems, he notes.

4. Measure the Effectiveness of Your Security Program: Security managers need some measure of effectiveness to assess the totality and completeness of their organization's security program. A variety of frameworks can help managers achieve this goal, says Frymier. One in particular is the Cybersecurity Framework released by the National Institute of Standards and Technology in 2014. The Framework Core in that version contains 98 subcategories, outcome-level control objectives that security managers can use to rate their security program, and the Framework defines four Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) as a maturity scale. "Using the four criteria [the Framework outlines] for each of those 98 security objectives, you can demonstrate to people where you may have strengths and weaknesses," he says. "Then you can make business decisions about the value of strengthening areas where you are weak and make decisions about whether you are going to spend money on those areas or not."
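The baseline-and-gaps exercise from tip 1 and the Framework-based rating from tip 4 can be turned into a small, repeatable script. The following is an added example, not code from the article or from Unisys or Lockheed Martin: it takes a self-assessment in which each NIST CSF v1.0 subcategory carries a current and a target rating on the four-tier scale (the subcategory IDs are real CSF v1.0 identifiers; applying the tier scale per subcategory is a scoring convention, as Frymier describes it, since NIST defines the tiers for the organization as a whole), ranks the gaps, rolls the scores up per Function, and shows which gap closures a given budget covers. The tier ratings and the cost figures are constructed sample data.

```python
"""Gap analysis over a NIST CSF v1.0 self-assessment (added example).

Subcategory IDs are genuine CSF v1.0 identifiers; the tier ratings,
target ratings and cost figures below are constructed sample data.
"""
from collections import defaultdict

# CSF v1.0 Implementation Tiers, in increasing maturity order.
TIERS = ("Partial", "Risk Informed", "Repeatable", "Adaptive")
TIER_RANK = {name: rank for rank, name in enumerate(TIERS, start=1)}

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Constructed sample assessment:
# (subcategory, current tier, target tier, estimated cost in k$ to reach target)
ASSESSMENT = [
    ("ID.AM-1", "Repeatable",    "Repeatable",    0),
    ("ID.AM-2", "Partial",       "Repeatable",    40),
    ("PR.AC-1", "Risk Informed", "Adaptive",      120),
    ("PR.DS-1", "Partial",       "Repeatable",    60),
    ("DE.CM-1", "Risk Informed", "Repeatable",    30),
    ("DE.AE-1", "Partial",       "Risk Informed", 15),
    ("RS.RP-1", "Repeatable",    "Repeatable",    0),
    ("RC.RP-1", "Partial",       "Risk Informed", 25),
]


def tier_gap(current, target):
    """Number of tier steps between the current and the target rating."""
    if current not in TIER_RANK or target not in TIER_RANK:
        raise ValueError(f"unknown tier: {current!r} / {target!r}")
    return TIER_RANK[target] - TIER_RANK[current]


def ranked_gaps(assessment):
    """Subcategories below target as (id, gap, cost): widest gap first, then cheapest."""
    gaps = [(sub, tier_gap(cur, tgt), cost)
            for sub, cur, tgt, cost in assessment
            if tier_gap(cur, tgt) > 0]
    return sorted(gaps, key=lambda g: (-g[1], g[2], g[0]))


def function_scores(assessment):
    """Mean current tier rank per CSF Function, e.g. {'ID': 2.0, 'PR': 1.5, ...}."""
    ranks = defaultdict(list)
    for sub, cur, _target, _cost in assessment:
        ranks[sub.split(".")[0]].append(TIER_RANK[cur])      # 'ID.AM-2' -> 'ID'
    return {fn: round(sum(v) / len(v), 2) for fn, v in ranks.items()}


def weakest_function(assessment):
    """Function code with the lowest mean rating (ties broken alphabetically)."""
    scores = function_scores(assessment)
    return min(scores, key=lambda fn: (scores[fn], fn))


def fund_gaps(assessment, budget_k):
    """Greedy plan: walk the ranked gaps and fund each closure that still fits the budget.

    Returns (list of funded subcategory ids, total spent in k$).
    """
    chosen, spent = [], 0
    for sub, _gap, cost in ranked_gaps(assessment):
        if spent + cost <= budget_k:
            chosen.append(sub)
            spent += cost
    return chosen, spent


if __name__ == "__main__":
    for fn, score in sorted(function_scores(ASSESSMENT).items()):
        print(f"{FUNCTIONS[fn]:<9} mean tier rank {score}")
    print("weakest function:", FUNCTIONS[weakest_function(ASSESSMENT)])
    for sub, gap, cost in ranked_gaps(ASSESSMENT):
        print(f"  {sub}: {gap} tier(s) below target, ~{cost}k$ to close")
    funded, spent = fund_gaps(ASSESSMENT, budget_k=100)
    print(f"with 100k$: fund {funded}, spending {spent}k$")
```

The greedy ordering (widest gap first, cheapest first among equal gaps) is only a starting point for the business conversation Frymier describes; a real plan would also weight each subcategory by the value of the assets it protects, which is exactly the input the Framework leaves to the organization.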
Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the ...

Comments
bruno.moreau86, User Rank: Apprentice
4/30/2016 | 3:32:24 PM
4 Tips For Planning An Effective Security Budget
Thanks for sharing; really, I learn so much with you guys. Thanks again.
Sagiss, LLC, User Rank: Strategist
4/28/2016 | 12:01:14 PM
Protecting Valuable Data
In addition to assessing what current security resources are in place and how effective they are, leaders should also determine what their most valuable information assets are so that they can focus on improving detection and response capabilities in those areas, rather than attempting to achieve 100% security, a lofty and impossible goal.
RajeshK940, User Rank: Apprentice
4/27/2016 | 5:19:02 PM
Bug Bounty Programs
I'd suggest Bug Bounty Programs as a fast and cost-effective way to get more eyes on your applications. A company can try them for free. 77% of companies get results in 24 hours.

(Full disclosure: I work for one of the companies in this space, but I loved bounty programs before that too :).

.rajesh