When we talk about budgeting, there’s no exact science to quantifying risk or determining the likelihood of the threat materializing. Although there are some elements that we can quantify and qualify, there are so many unknowns. And because each organization is different, there can be no cookie-cutter approach.

The best we can do is make educated guesses based on our industry and the threat actors targeting it, and then go with what we think is the best approach for our organizations. There’s no formula, because so much about budgeting rests on uncertainty.

The first premise that we have to build into budgeting is that you won’t be able to eradicate risk. It will be ever present because it evolves. You need to live with the fact that what you’re doing is to mitigate risk to the lowest possible level on the basis of what you know. 

“What you know” is key here because you can never know with certainty how the security landscape will evolve. We have to be forthright with decision makers about the limitations of what we know.

So based on what you know, and on your understanding of your business, you have to establish communications with stakeholders about what you see potentially affecting the business, do a rough calculation of what this will cost the business, and then put forward a dollar amount that you think you need to protect your organization. You most likely will not get that amount, but at least you have a solid foundation for the calculation you’ve disseminated to stakeholders, and then you negotiate from there.

By educating the decision makers about the risks, you’ve put the onus of accepting or rejecting risk on them. You’ve educated and informed them of what the needs are, and then they decide what they’re willing to accept.

“Understanding the business” means two things. First, it means understanding what the enterprise does and what could potentially go wrong. Second, it means understanding how prevalent or pervasive the threats against that industry are. Financial institutions, critical infrastructure and healthcare are major targets. But you don’t hear about people trying to attack restaurants, because the financial motive isn’t there.

Once you’ve identified potential threats, you have to determine whether the cost of securing against all of them is worth it. Some coverage costs may outstrip potential damages. For the longest time, people opted for blanket coverage. But not all assets are critical. You need to know what’s worth protecting and what is not, otherwise the business will never make money.

To make budgeting decisions based on what you know, it’s essential to identify your assets. There’s no way to protect an organization if you don’t know everything it has. It’s like having 1,500 miles of border wall with a gap that you can drive a truck through. If your security metrics start from an inaccurate base, then the information that flows from them is skewed. And if you don’t have a clear picture of what you have to protect, your budget request will rest on rocky ground.

We have to be forthright with decision makers about what we know and do not know. We need to build relationships and trust with the different stakeholders in the organization so we’re comfortable presenting the best information we have to get the best budget possible. At the same time, we do not want to create a false sense of security. It’s important to be explicit about the limitations of what we know.

If you aren’t candid, people will put your feet to the fire, especially these days, when you may be liable as a chief information security officer if you don’t get information out. And most important, you’re putting your organization at risk by not doing so.