Where does the information security budget reside and who owns it? That's an ongoing debate as organizations allocate resources to protect critical assets in a dynamically changing technology and threat environment.
In many organizations, chief information security officers report to the chief information officer, because security operations and budgets are part of the IT department. According to the Ponemon Institute’s 2015 Global Study on IT Security Spending & Investments, only 19 percent of the surveyed respondents say the IT security leader has control over how resources are allocated. Instead, the budget is in the hands of the CIO or chief technology officer and business leaders.
This suggests that security leaders must learn how to influence these senior executives if they want to change how budgets are allocated, according to the report. Ponemon surveyed 1,825 IT management and IT security practitioners in four global regions for the report.
There are a lot of similarities between the security and IT worlds, as both are part of a rapidly changing landscape witnessing the rise of technologies and services like cloud computing, mobility, software-as-a-service, and virtualization, says David Frymier, CISO of Unisys. “The security budgeting is similar to what is going on in the IT world,” he says.
But he also notes that there are conflicts of interest between the two functions, and some security practitioners and experts are making a case for the separation of the disciplines. In some cases, CISOs are reporting to chief risk officers or chief compliance officers.
At Unisys, security is part of IT, and the actual budget number is held at a very high executive level. The CIO has a budget number that is part of the corporate financial plan. The details of that budget aren’t farmed out to managers that report to the CIO in any sort of hard and fast manner, Frymier notes. Instead, the managers have a plan and an outlook, and progress against the plan is measured on a monthly basis.
“Things change on a very fluid basis all year long,” he says. Even though something has been in the financial plan at the beginning of the year, when it comes time to actually spend the money on it, a business case needs to be made again within the existing context. There might be other priorities or the issue is not as acute as it might have been at the beginning of the budget process, he says.
For those security managers looking for ways to help their organizations plan an effective security budget, Frymier and Greg Boison, director of homeland and cybersecurity at Lockheed Martin, shared some advice:
1. Assess and Inventory Current Resources: “Security budgets start with baselining what you have,” says Boison. Security managers have to properly inventory all the tools, staff, and resources they currently have. Then they should apply metrics to determine how many of the events launched against the enterprise were real risks, as opposed to the thousands of alerts and sensor events logged. This helps managers know what resources they have, how successful they were in mitigating attacks, and where the gaps are. They can say 'here are the gaps in the mitigation of threats in the enterprise and here are the things I need to make it safer,' Boison says.
2. Get Creative in Procuring New Technology, Resources: The security budget is a complete bill of materials of what you need to run the security program, which includes equipment, software, people, training, maintenance, and perhaps cloud computing approaches such as software-as-a-service and infrastructure-as-a-service, says Frymier. “All that material fits into a taxonomy,” where it is either a capital expense – hard goods such as servers, software licenses and workstations – or an operating expense, such as people and their salaries, he says. Cloud computing and a services orientation are helping to move organizations toward operating expenses. Most accountants say this is a good thing.
Organizations are looking at creative ways of implementing new distributive technology via capitalized projects. For instance, FireEye offers unique, advanced malware detection and remediation. Some accountants would say FireEye is a new business function and declare it a capital project, Frymier says. So all expenses associated with it (labor, equipment, software licenses and training, and implementation costs) could be spread out over three, five, or seven years, just as managers would do if they were buying equipment for a new factory. If security managers had decided to change their antivirus vendor from Symantec to McAfee, it is unlikely that could be called a capital project, because the company already had an antivirus function.
This type of accounting and budget detail can get arcane, and technical people aren’t interested in it because it is difficult to understand. “When I was first exposed to this concept it made no sense to me and I was unconcerned how things were accounted for,” Frymier says. “But as you move up through the management ranks, these things become more important.”
3. Beware: Don’t Be Too Technology-Focused: Managers should not view the security budget as principally being about tools; people and talent play a big role in an effective security program, says Boison. Many CISOs focus on the latest tools and wind up bringing in another blinking box, he says. “More mature organizations are focused on leveraging and utilizing what they have.” Managers here push systems and tools to their total functionality and only then add another tool. Tools bring complexity, which can lead to inefficiency in how the tool is implemented and run.
Frymier agrees. “The best way to blow your budget is to allow yourself to be sold a shiny bubble and not understand what goes along with the technology.” Often this can happen if managers aren’t identifying their requirements and going through a structured procurement process. Usually, this happens with executives who are not in security or IT, who purchase a tool thinking it is going to solve all of their security problems, he notes.
4. Measure The Effectiveness Of Your Security Program: Security managers need some sort of measure of effectiveness to assess the totality and completeness of their organization’s security program. There are a variety of frameworks to help managers achieve this goal, says Frymier. One in particular is the Cybersecurity Framework released by the National Institute of Standards and Technology in 2014. The Framework has 98 security control objectives that security managers can use to rate their security program. “Using the four criteria [the Framework outlines] for each of those 98 security objectives, you can demonstrate to people where you may have strengths and weaknesses,” he says. “Then you can make business decisions about the value of strengthening areas where you are weak and make decisions about whether you are going to spend money on those areas or not.”
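The baseline Boison describes in step 1 (inventory the tools, then measure which logged events were real risks, whether they were mitigated, and where the gaps are) is easy to make repeatable. The following is an added example, not code from the article or from either company; the tool names, annual costs and alert counts are constructed sample values, and the thresholds for "noisy" and "unmitigated" are assumptions a team would tune to its own environment.

```python
"""Baseline a security program from an inventory of detection tools.

Added example with constructed data: computes, per tool, the share of
alerts that were real incidents, the share of real incidents mitigated,
and the cost per confirmed incident, then lists the gaps for a budget case.
"""

# Constructed inventory: tool -> (annual cost in USD, alerts logged,
# alerts confirmed as real incidents, confirmed incidents that were mitigated)
INVENTORY = {
    "ids":           (60_000, 12_000, 30, 27),
    "edr":           (90_000,    800, 40, 40),
    "email_gateway": (25_000,  5_000,  5,  2),
    "waf":           (40_000,  3_000,  0,  0),   # lots of noise, no real events yet
}


def baseline(inventory):
    """Per tool: precision of its alerts, mitigation rate of confirmed
    incidents, and cost per confirmed incident (None where undefined)."""
    report = {}
    for tool, (cost, alerts, incidents, mitigated) in inventory.items():
        if incidents > alerts or mitigated > incidents:
            raise ValueError(f"inconsistent counts for {tool}")
        report[tool] = {
            "precision": incidents / alerts if alerts else None,
            "mitigation_rate": mitigated / incidents if incidents else None,
            "cost_per_incident": cost / incidents if incidents else None,
        }
    return report


def gaps(report, min_precision=0.01, min_mitigation=0.9):
    """Turn the baseline into the 'here are the gaps' list: tools that burn
    analyst time on noise, tools letting confirmed incidents through, and
    tools with no confirmed incidents to justify their spend (assumed thresholds)."""
    findings = []
    for tool, r in report.items():
        if r["precision"] is not None and r["precision"] < min_precision:
            findings.append((tool, "noisy", f"{r['precision']:.2%} of alerts were real"))
        if r["mitigation_rate"] is not None and r["mitigation_rate"] < min_mitigation:
            findings.append((tool, "unmitigated", f"{r['mitigation_rate']:.0%} of incidents mitigated"))
        if r["cost_per_incident"] is None:
            findings.append((tool, "unproven", "no confirmed incidents to justify spend"))
    return findings


if __name__ == "__main__":
    for tool, kind, detail in gaps(baseline(INVENTORY)):
        print(f"{tool:14} {kind:12} {detail}")
```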