
4 Tips For Planning An Effective Security Budget

Security budgets start with managers assessing all of their resources and measuring the effectiveness of their security programs for strengths and weaknesses

Where does the information security budget reside and who owns it? That's an ongoing debate as organizations allocate resources to protect critical assets in a dynamically changing technology and threat environment.

In many organizations, chief information security officers report to the chief information officer, because security operations and budgets are part of the IT department. According to the Ponemon Institute's 2015 Global Study on IT Security Spending & Investments, only 19 percent of the surveyed respondents say the IT security leader has control over how resources are allocated. Instead, the budget is in the hands of the CIO or chief technology officer and business leaders.

According to the report, this suggests that security leaders need to learn how to influence these senior executives if they want to change how budgets are allocated. Ponemon surveyed 1,825 IT management and IT security practitioners in four global regions for the report.

There are a lot of similarities between the security and IT worlds, as both are part of a rapidly changing landscape witnessing the rise of technologies and services like cloud computing, mobility, software-as-a-service, and virtualization, says David Frymier, CISO of Unisys. “The security budgeting is similar to what is going on in the IT world,” he says. 

But he also notes that there are conflicts of interest between the two functions, and some security practitioners and experts are making a case for the separation of the disciplines. In some cases, CISOs are reporting to chief risk officers or chief compliance officers.

At Unisys, security is part of IT, and the actual budget number is held at a very high executive level. The CIO has a budget number that is part of the corporate financial plan. The details of that budget aren't farmed out to managers who report to the CIO in any hard and fast manner, Frymier notes. Instead, the managers have a plan and an outlook, and progress against the plan is measured on a monthly basis.

"Things change on a very fluid basis all year long," he says. Even if something has been in the financial plan since the beginning of the year, when it comes time to actually spend the money on it, a business case needs to be made again within the existing context. There might be other priorities, or the issue may not be as acute as it was at the beginning of the budget process, he says.

For security managers looking for ways to help their organizations plan an effective security budget, Frymier and Greg Boison, director of homeland and cybersecurity at Lockheed Martin, shared some advice:

1. Assess and Inventory Current Resources: "Security budgets start with baselining what you have," says Boison. Security managers have to properly inventory all the tools, staff, and resources they currently have. Then they should apply metrics to determine the number of events launched against the enterprise that were genuine risks, versus the thousands of alerts and sensor events logged. This helps managers know what resources they have, how successful they were in mitigating attacks, and where the gaps are. They can say, "Here are the gaps in the mitigation of threats in the enterprise, and here are the things I need to make it safer," Boison says.

2. Get Creative in Procuring New Technology and Resources: The security budget is a complete bill of materials of what you need to run the security program, which includes equipment, software, people, training, maintenance, and perhaps cloud computing approaches such as software-as-a-service and infrastructure-as-a-service, says Frymier. "All that material fits into a taxonomy," where it is either a capital expense (hard goods such as servers, software licenses, and workstations) or an operating expense, such as people and their salaries, he says. Cloud computing and a services orientation are helping to move organizations toward operating expenses. Most accountants say this is a good thing.

Organizations are looking at creative ways of implementing new distributive technology via capitalized projects. For instance, FireEye offers unique, advanced malware detection and remediation. Some accountants would say FireEye is a new business function and declare it a capital project, Frymier says. So all expenses associated with it (labor, equipment, software licenses and training, and implementation costs) could be spread out over three, five, or seven years, just as managers would do if they were buying equipment for a new factory. If security managers had decided to change their antivirus vendor from Symantec to McAfee, it is unlikely that could be called a capital project, because the company already had an antivirus function.

This type of accounting and budget detail can get arcane, and technical people aren't interested in it because it is difficult to understand. "When I was first exposed to this concept it made no sense to me and I was unconcerned how things were accounted for," Frymier says. "But as you move up through the management ranks, these things become more important."

3. Beware: Don't Be Too Technology-Focused: Managers should not view the security budget as principally being about tools; people and talent play a big role in an effective security program, says Boison. Many CISOs focus on the latest tools and wind up bringing in another blinking box, he says. "More mature organizations are focused on leveraging and utilizing what they have." Managers there push existing systems and tools to their full functionality and only then add another tool. Every added tool brings complexity, which can lead to inefficiency in how it is implemented and run.

Frymier agrees. "The best way to blow your budget is to allow yourself to be sold a shiny bubble and not understand what goes along with the technology." Often this happens when managers don't identify their requirements and go through a structured procurement process. Usually it happens with executives who are not in security or IT and who purchase a tool thinking it is going to solve all of their security problems, he notes.

4. Measure the Effectiveness of Your Security Program: Security managers need some measure of effectiveness to assess the totality and completeness of their organizations' security program. There are a variety of frameworks to help managers achieve this goal, says Frymier. One in particular is the Cybersecurity Framework released by the National Institute of Standards and Technology in 2014. The Framework has 98 security control objectives that security managers can use to rate their security program. "Using the four criteria [the Framework outlines] for each of those 98 security objectives, you can demonstrate to people where you may have strengths and weaknesses," he says. "Then you can make business decisions about the value of strengthening areas where you are weak and make decisions about whether you are going to spend money on those areas or not."

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the ...

Comments
User Rank: Apprentice
4/30/2016 | 3:32:24 PM
4 Tips For Planning An Effective Security Budget
Thanks for sharing. I really learn so much with you guys; thanks again.
Sagiss, LLC
User Rank: Strategist
4/28/2016 | 12:01:14 PM
Protecting Valuable Data
In addition to assessing what current security resources are in place and how effective they are, leaders should also determine what their most valuable information assets are, so that they can focus on improving detection and response capabilities in those areas rather than attempting to achieve 100% security, a lofty and impossible goal.
User Rank: Apprentice
4/27/2016 | 5:19:02 PM
Bug Bounty Programs
I'd suggest Bug Bounty Programs as a fast and cost-effective way to get more eyes on your applications. A company can try them for free. 77% of companies get results in 24 hours.

(Full disclosure: I work for one of the companies in this space, but I loved bounty programs before that too :).
