Unless you’re doing continuous or quarterly budgeting, which some organizations do, you’ll no doubt be getting ready for the long haul of the annual budget process to seek the resources you need for your 2024 goals and, perhaps more importantly, to ensure that all the teams around your organization have the planned resources (people and budget) to do all that they need to do.
This is one of the core disciplines of security leaders at all levels, from sub-team to the whole organization. Yet, I’ve found it is one of the least discussed aspects of security. It is not often mentioned at conferences, in courses, or even in many of the “CISO guides” and risk management books out there. The nearest discussions to budgets I’ve found are in the context of risk quantification: specifically, whether the cost of risk mitigation stays within the bounds of expected loss. However, these approaches then don’t factor in the operational planning and budgeting needed to run an enterprise-wide security program. That could be a very interesting efficiency ratio: the ratio of program expense vs. direct risk mitigation expense.
The challenge of any security leader is to obtain and sustain the necessary budget to stay within agreed risk tolerances, to spend that budget effectively and efficiently, and to use it not just for risk mitigation but also to generate adjacent commercial benefits for the enterprise. At one level of abstraction this is not a hard problem: you just count up what you need, ask for it, then spend it. However, those of you who have done this know that it is far from that simple and requires an often arduous process of working across multiple stakeholders and multiple business units/product teams, as well as with the CEO, CFO and others.
For most organizations it is naive to think (as some commentators would have it) you go to "The Board" and they get you a "Bunch of Cash" and then you go execute. If only Boards actually worked like that and cash was all you needed. Similarly, going to "The Board" and getting a "Bunch of Commitments" ends up with a "Bunch of Unfunded Mandates" which are of little use to anyone.
Most of the work of budgeting is essentially translating risk themes into strategic plans, and then into tactical execution mapped across your central security team, federated teams and line of business teams. Sometimes these will be uniquely funded items, but often they will be incremental or allocated funding within other major projects or ongoing activities.
Across all these approaches, the one technique I’ve seen used effectively over the years is to think in terms of supply and demand. Even if not done literally, thinking this way leads you to be more commercial in how you request resources and, as a side-effect, makes you more likely to get what you need, because other executives in your company will see you as a trusted custodian of resources. This is where you want to be: to have a reputation that every $ or person you get is highly leveraged to protect or add to the organization’s bottom line or mission outcomes.
So, let’s look at security supply and demand.
You have a set of demands on your team (or programs / projects). This might not just be your team; depending on how you are organized it could be the whole enterprise’s spend on security, from the CISO function, to embedded business line Information Security Officer roles, through to specific engineers working on security in product teams. These demands could be to work on reviewing and mitigating risks on new business products, new projects, handling vulnerabilities, investigating potential incidents, dealing with acquisitions / divestments, onboarding new vendors or new technologies, and so on.
Then, you have a supply of resources and capabilities to meet those demands, which could be people, services, products or other expenditures. The goal, naturally, is to balance supply and demand. The problem is that in most organizations demand is outpacing supply, because of business growth, IT changes, supply chain complexities, new threats and vulnerabilities, and a myriad of other drivers. Even if we could continuously increase the budget without limit, it is not always clear we even have the ability to turn that budget into the actual supply (of people, services and products) needed to meet the demand. Instead, we have to look at all sides of this problem:
Demand Side Management
1. Decrease the demand by adjusting risk appetite. Redefine what you believe is important and hence where you should focus. You will inevitably have an approach to prioritize work on your most critical assets and business services (although take care not to ignore other ways of prioritizing). You could reduce demand by tightening the definition of what is critical and therefore what is in the scope of your security programs. This will need to be done under the supervision of your Board or Executive Risk Committee and should be accounted for in your risk ledger just as much as any potential risk acceptance of mismatched supply and demand.
2. Decrease the demand by the wholesale elimination of risk. This form of risk avoidance is an underrated technique where you can potentially remove certain business services, products, vendors, or whole classes of technology. This is not necessarily easy, but it should be a part of the budget conversation and in my experience yields some of the most interesting tradeoff debates. For example, consolidate supply chains, or even reduce the inherent risk of vendors by sending them less critical information and figuring out ways to operate their services on that basis. Similar approaches can work internally; I’ve seen many organizations reduce the demand side of how many privacy-critical systems they have to protect by removing privacy-critical data and consolidating it in a smaller number of better protected places. Wholesale investments in technology modernization, attack surface reduction, or the embedding of security components in widely used frameworks (coupled with the take-up of those frameworks) can reduce demand on security resources. Yes, it will take funding to do this, which would appear on the supply side, but it can then be justified on the grounds that the long-term demand-side reduction makes it a dramatically positive return on investment.
Supply Side Management
3. Increase resources. The default, and the easiest to contemplate, is simply to ask for more budget to spend on more people, services or products. Many organizations focus only on this step without looking at the demand side or the alternative supply-side approaches. This is when security budgeting becomes and remains painful.
4. Increase resource efficiency. Now, this is where things get business-like and actually quite fun. Look at the means by which you can increase the supply of capability to meet demand by increasing the leverage of the resources you already have. This could be through scaling processes better, increasing the basic training of all employees, implementing tools / toolkits for people to use, or embedding security in opinionated platforms to raise the baseline by reducing the cost of control. This can also include leverage for the security team itself, through automation and orchestration tools and better communication of architecture patterns to reduce the effort needed on design reviews.
5. Consequences of supply-side deficit. If you fundamentally can’t balance supply and demand then you have a supply-side deficit to deal with. This results in one or more management-sponsored risk acceptances. This is a critical part of the process. To be blunt, there’s no magic here: you either have the supply to meet your demand or you build up some risk deficit that needs formal acceptance (and possibly hedging in some way). You need to avoid having implied risk embedded in the budget process that doesn’t make it to your risk ledger. Encoding this in your risk ledger and then managing it through a lifecycle is crucial. The interesting aspect of this approach is that you can then look at it over multiple years and see how much of those year-on-year risk liabilities are being built up that need to be matched with “assets” in various ways. Few organizations do this, but it is interesting that some do.
All of this needs to be managed down at some point, and that past accumulation should become a major discussion point in each fresh budget cycle. It could even be that one year your supply exceeds demand, in which case that frees up capacity to pay down prior years’ accumulated risk, or maybe even to return some budget.
Bottom line: think of security budgeting as a supply and demand problem. Work both supply and demand to make your budgeting process a risk management exercise. Even if you don’t formally present things this way, the process will bring clarity of thought, and it shows your business that you are thinking commercially about how to slow the relentless march of the ever-increasing security budget.