So, how did you do this year with your security budget requests? And how does the plan look for next year? With information security representing a competitive arms race with the bad guys, you want enough funding to ensure you are practicing commercially reasonable security, and to support mission-critical business strategies.
Many organizations don’t know what a “normal” security budget really is. Some budgets draw down from the overall IT budget on an as-needed basis, while others fund security separately from the IT budget. Most consultants recommend that the security budget be evaluated as a percentage of the overall IT budget, which may mean massaging the numbers a bit. Generally, the surveys have shown averages in the 1-7% range. However, security spending varies widely by industry, geography, organizational size and security maturity level, so comparisons to other organizations usually are inexact. Also, political and cultural differences are factors. Some organizations are conservative in their approach, and may only buy proven, market-leading solutions through a primary vendor; others maintain “skunk works” where early-stage solutions can be tested.
Identifying the true pro forma security budget for planning purposes is difficult for a number of reasons. What’s included? Is business continuity planning for disaster recovery? How about security compliance and reporting? And how about IT-based physical security such as video surveillance or building access systems?
IT functions, including information security, may be highly distributed and owned by various departments or business units. For example, firewalls may be part of the networking budget. Managed security service provider fees are sometimes woven into the HR budget because outsourcing is seen as personnel additions. Security capital expenses are captured separately from operational expenses. And some security functions, such as desktop anti-malware, are bought by subscription, and may be paid out of the desktop support budget. IT staffers often work on security activities on an as-needed basis, making it difficult to accurately account for security personnel expenses and headcount.
Justifying a security budget may also be tricky. Information security covers three general and overlapping categories. First, there are the protective and defensive tools such as firewalls, vulnerability management and anti-malware. Second, projects such as identity and access management and secure web development for e-commerce are business enabling and tend to be inclusive rather than defensive. Third are routine security operations such as security performance monitoring, business continuity planning and security patch management. The easiest to justify is protection, because no one wants to be blamed for allowing the organization to be put out of business, even for a short time, by a denial of service attack. The best way to justify business enablement security elements is to link the project to cost savings or to business initiatives that will increase customer satisfaction and user productivity. Operational expenses can be pitched as the cost of responsibly doing business.
Business units should include specific funding for security evaluation, testing and risk mitigation in all IT project requests rather than assume the security department will take care of it. Finally, when making budget requests, it’s a good idea to estimate the projected value relative to cost in terms of reduced risk, more efficient compliance reporting, or projected measurable metrics such as reduced downtime from being able to mitigate attacks faster than before.
There are published surveys from Gartner and others on how much organizations spend on security as a percentage of the IT budget, in terms of cost per employee, by industry, company size and geography. There are also industry forums where CISOs can collegially gather peer expenditures. Projected spending outside surveyed findings may be reasonable, but should be evaluated to determine the reasons for the variance.
Many CISOs face pressure to cut spending. This leads to the game of asking for more than you need. But the more powerful way of justifying a budget request is to articulate that security represents a risk trade-off. When you cut back security, risk increases. Make sure that your organization’s business leaders understand and approve the risk trade-offs inherent in your budget, especially if you are asked to cut essential security processes or tools.