Handling an information security (InfoSec) budget is not an easy task. Most InfoSec departments operate under very tight budget constraints.
The challenge is to find the right balance between overspending and underspending.
Budgeting for InfoSec is a highly difficult exercise:
- A broad range of stakeholders may be involved, not only IT and information security people but also business lines, data privacy, legal, communication, HR departments.
- Various topics must be covered, from governance, risk and compliance to operational core capabilities.
- To complicate matters, future needs are uncertain: every year, or more frequently, there are new threats, new technologies and often new regulatory requirements.
Unexpected surprises can derail even the most well thought out budget.
Forecasting and budgeting for security is all the more difficult because unexpected expenses are common within InfoSec, not only due to evolving security threats and compliance requirements, but also due to an increasing number of unexpected data breaches and information security incidents.
When will your next data breach happen? It’s not a question of if but when!
The strategies for dealing with these unexpected expenses or emergencies (e.g. new threats, new technologies, new regulations or data breaches) may vary widely across enterprises:
- Some CISOs pad the budget for worst-case scenarios and shift funds based on the needs of the business.
- Other CISOs create an entirely separate, dedicated budget for emergencies.
- An alternative, more innovative approach to funding emergencies is to have the department or business line that caused the emergency pay for it.
- If they have subscribed to a cyber insurance policy, CISOs and their firms may claim compensation for damages.
Otherwise, if you are lucky, money just seems to appear whenever it is really needed.
Emergencies may be really interesting because if a true emergency occurs, money and resources appear out of nowhere. In day-to-day activity, CISOs are being told there are no resources or money. But if it’s an emergency, it just kind of happens. It’s not really a funding process; it’s more about getting it done and correcting whatever needs to be corrected.
Whatever the approach, the InfoSec department should be seen as a Business Unit, and therefore, every CISO should establish a clear and shared strategic plan.
Such a strategic plan has to cover three main objectives:
- Respond to the corporate strategy and the business lines' requirements
- Improve the overall resilience of business lines and IT infrastructures
- Control costs
This strategic plan should be regularly updated and should provide P&L and balance sheet views.
It will bring more attention from the Board and the business owners, and with that will come more resources for InfoSec.
By François Gratiolet, Founder and Managing Partner of Business Digital Security Advisory, a strategy consulting firm that focuses on the fields of cybersecurity and digital, based in Paris, France.
The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.