Budgeting weighs heavily on many of us, and there are two sides to the process. The first is how to convince management that budgets need to increase. The other is how to budget for the unexpected, which in our world usually means some kind of security-related crisis.
Asking for an increase is tough in the best of times, and even more so when times are lean. But there are ways to craft your budget to ensure you can get more money.
Most of us cut our teeth in IT, and the typical way to do an IT budget is to list the products or services that you need. But a security budget should be more generic. It should be less about the product and more about the outcome, and how we provide strong security that supports a security culture.
That’s why I advise removing the technical levels. Put the numbers together, break them into categories and a hierarchy your CFOs can understand. Walk them through your process for requesting funds in a particular way and you’re likely to get zero pushback because you’re no longer asking for an increase. It’s the same budget, and the CFO understands that things always cost more each year, making the increase easily justifiable by the person approving the funds.
Create a budget line for the service you provide and how you’re going to innovate around that service. That language of positioning what you do as a service is key, because providing services comes with costs.
And these costs are quantifiable with data. Normally you can take most of what you provide as a service and apply things like inflation. The other piece should be around what you want to innovate around your service, like more training, or embedding a security culture in your organization. You might also want to spend to internally market what your department does inside the organization, to create some buzz.
That should be the easiest part of your budget. When your company knows what they’re getting, you’ll almost never get a no for that budget line.
The next line should focus on innovation. A certain amount of time should be spent on R&D for your teams so they keep their skills fresh, while thinking about new ways to provide security services.
The third line is what I call my basal operations line, because it sets the tone with my CFO that this is the money we absolutely must have. You need money to keep up licensing for EDR solutions, or for edge security devices, software maintenance, etc. Without these things, we don’t secure the organization. Basal operations are what you need just to keep the lights on, and this is how it should be positioned.
The fourth line is salary and talent expense, and that’s the line that gives everybody the most anxiety. If you want to increase staffing you need to increase this budget. CFOs need help getting their arms around what that means.
There are two ways to handle this. If you try to pretend there are no net new adds and just increase the budget hoping to squeeze out another salary or two, then you provoke a new question that typically gets your budget cut.
Instead, be upfront about what you’re doing and help the CFO understand how these new people support other items in the budget. Have a line item under your salary expense for your current employees, and a line item for budgeted new employees. For net new employees, it’s important to specify where they’ll work. Will they be part of the services team, or the R&D area, or the essential basal operations? The easiest way to justify talent to people who don’t understand what we do is to pin them into a budget item and say, I need to hire a new person to work on, say, basal operations.
Any good budget has another line item for discretionary spending. At a minimum this line should cover the cost of bringing in someone from outside for a breach. The tone is important here. Don’t tell your company it will never experience a breach. That’s foolhardy. Fires happen. Our No. 1 job is to prevent the entire house from burning down, and the preparation for that happens in the budget. A mid-market organization should put aside $120,000 to $200,000 for this purpose. Cyber security insurance will help pay for a portion if not all of it, but it’s responsible to have money set aside because you get insurance money only after the fact. You’ll have a much easier time handling the incident if you’ve structured your budget for this eventuality.
Discretionary should also account for overruns that you can expect in other parts of your budget.
Discretionary funds also give you room to do things for your team. We talk all the time about how to keep talent happy. If you don’t take your team to a baseball game or a bowling alley, you’re failing. Those types of events are important to creating the type of camaraderie you want in an organization. They also set a tone that you’re all in it together. Creating that cultural aspect is extremely important.
The CFO wants to minimize spend to protect shareholder value, and as a technology executive, you have to be in tune with that reality. But when I hear my peers in the industry say things like CFOs want to spend as little money on security as possible, my response is, you haven’t shown enough value for security to be seen as compulsory to running a solid organization.
There are always budget lines that CFOs rarely question. They never question the marketing budget, for example. The security budget needs to work the same way. It has to be clear to the CFO that it’s a purpose-driven budget rather than a mechanical one.