No Money, No Business! Formalizing Your Cyber Budget to Achieve Success
How much does that cost?
The last words before the CFO walks you out of their office with a look of disdain! You sigh to yourself and head back to your corner in dismay! The cyber budget has been shot down for the umpteenth time, and you are struggling to understand why.
Is there anything that we as technologists overlook during these requests? How can we improve?
Let's think through the topic and reach some valuable conclusions.
Why is it essential to have a formalized information security budget?
Plainly put, a formalized budget is the cornerstone of any business function within your organization.
Why?
The number one risk to any business is cost. Without the efficient management of resources, the business will not remain a going concern.
Another reason we should develop a formalized budget is the need to provide traceability of our activities to the Core Business.
How much money are we spending on personnel, and what tasks are they performing? If we have procured tools for our personnel to do their jobs, what is the total cost of ownership, and are there any ongoing maintenance and training costs?
When this level of detail or more is created, we can begin developing a look-ahead analysis. The look-ahead analysis will allow us to identify potential areas for improvement relating to Cyber Operations.
Wouldn't it be awesome to walk into the office of the CFO to explain areas that you have identified where you can potentially cut or cap your expenditure? Doing so creates allies in the C-suite, which will allow you to gain champions for budget requests in the future.
What are the main costs that cybersecurity leaders need to track?
As a supporting function, cybersecurity needs to focus primarily on the following forms of cost:
Operational Expenditure: An Operating Expense (OpEx) is an expense a business incurs through its normal business operations.
Capital Expenditures: Capital expenditures (CapEx) are funds used by a company to acquire, upgrade, and maintain physical assets such as property, plants, buildings, technology, or equipment.
Outsourcing Cost: Cost associated with hiring a party outside a company to perform services or create goods traditionally performed in-house by the company's employees and staff.
We should always be looking to reduce or maintain our OpEx as cybersecurity professionals.
Why?
Because anything else would be like buying a lock for your front door with the thought you're going to have to replace the component every year to keep your home safe.
Of course, there are smart locks for our homes that integrate into mobile devices and can be piloted over the web. The challenge is that most people are satisfied with the protections provided by an old-fashioned deadbolt and would update kitchen cabinets rather than replace their locks!
The same train of thought runs through the mind of an executive who has any number of competing costs to consider during the fiscal year. They will almost certainly ask at least one of the following questions:
- What are we doing today to provide this security function?
- What is the cost of today's functionality?
- What will be the cost of the future state of this security function if funded?
- Are there any benefits that this new solution will provide beyond today's current implementation?
These questions are not all-inclusive, but note that executives are pretty creative when trying to cut costs. That's why they are at the helm of the Business! Support their needs, and you will gain the support you require in time!
How should we communicate cost to Business Leadership?
When bringing a cost to leadership, be aware that their questions will stretch across operational and capital expenditures.
For instance, let's say your suggestion is to procure a Security Information and Event Management (SIEM) solution to provide log auditing and event management for the Business's critical systems. During your analysis, ensure that you consider the following costs:
- Procurement Cost to include acquisitions
- Deployment Cost
- Maintenance and Training
- Ongoing Cost [Integration of new systems and applications]
- Monitoring and Analysis
After reviewing all of these costs, tally up the total and put on your helmet.
You're going to need it!
Before approaching the cost managers, be sure that you have an answer to all of the questions stated before. Note that all of the answers should be clear and concise. Also, the cost should be aligned back to one or more Core Business objectives.
For instance, let's say you work for a major healthcare company that has access to clients' Personal Health Information (PHI). You could then tie the SIEM cost back to providing visibility into the systems responsible for storing, transmitting, and/or managing this information.
Doing so would add value to the organization by providing auditing and accountability, which is needed during audits. Also, the SIEM functionality could be used to establish trust with other organizations, potentially leading to business expansion.
One last thing!
I would be remiss if I did not mention that any respectable cybersecurity leader should offer a series of alternatives to the cost manager during any budget modification request.
We are well aware of trade-offs and the idea that risk management is just the management of a series of choices.
Auditing and Accountability (A&A) of the systems that process PHI data might be obligatory depending on the regulatory body, but its requirements are never prescriptive.
In other words, the regulator will never specify how an entity must comply with the regulation, only that it must look to do so! As a result, you should give leadership different options that achieve the same objective, each with its cost specified. Doing so communicates to leadership that there is a 'need' for A&A functionality, not for the SIEM solution itself.
In Conclusion
The topic of cybersecurity budgeting is expansive. I've knowingly just scratched the surface, but I will revisit the issue to have a more detailed conversation in later writeups.
For now, I would like to hear from you!
How have you addressed the topic of budgets, and what tactics have you used to get initiatives approved by leadership within your organization?
Let's continue to discuss, and bring Business and Cyber full circle!