- Phil Venables
Security Budgets - Supply and Demand Thinking
How you obtain and manage a budget to drive an adequate level of security is immensely important. Yet, it is one of the least discussed aspects of security. It is not often mentioned at conferences, in courses, or even in many of the “CISO guides” and risk management books out there. The nearest discussions to budgets I’ve found are in the context of risk quantification, specifically does the cost of risk mitigation stay within the bounds of expected loss. However, these approaches then don’t factor in the operational planning and budgeting needed to run an enterprise-wide security program. The challenge of any security leader is to obtain and sustain the necessary budget to stay within agreed risk tolerances, to spend that budget effectively and efficiently and to use it not just for risk mitigation but to also generate adjacent commercial benefits for the enterprise. At one level of abstraction this is not a hard problem, you just count up what you need, ask for it, then spend it. However, those of you that have done this know that it is far from that simple and is as much art than science. One technique I’ve used and seen used effectively over the years is to think in terms of supply and demand.
You have a set of demands on your team. This might not just be your team, depending on how you are organized it could be the whole enterprise’s spend on security from the CISO function, to embedded Business Information Security Officer roles through to specific engineers working on security in product teams [incidentally, this is why you should never believe the nonsense of budget benchmarks unless you are working on a common definition of security expenditure - which nobody ever does]. These demands could be to work on reviewing and mitigating risks on new business products, new projects, handling vulnerabilities, investigating potential incidents, dealing with acquisitions/divestments, onboarding new vendors or new technologies and so on. Then, you have a supply of resources and capabilities to meet those demands, which could be people, services, products or other expenditure. The goal, naturally, is to balance supply and demand. The problem is we live in a world in most organizations where the demand is outpacing supply, because of business growth, IT changes, supply chain complexities, new threats and vulnerabilities and myriad other drivers. Even if we could continuously increase budget without limit it is not always clear we even have the ability to then turn that budget into the actual supply (of people, services and products) needed to meet the demand. Instead, we have to look at all sides of this problem:
Demand Side Management
1. Decrease the demand by adjusting risk appetite to redefine what you believe is important and hence where you should focus. You will inevitably have an approach to prioritize work on your most critical assets and business services (although take care not to ignore other approaches to do this). You could reduce demand by tightening the definition of what is critical and therefore in scope of many of your security programs. This will need to be done under the supervision of your Board or Executive Risk Committee and should be accounted for in your risk ledger just as much as any potential risk acceptance of mismatched supply and demand.
2. Decrease the demand by the wholesale elimination of risk. This form of risk avoidance is an underrated technique where you can potentially remove certain business services, products, vendors, or whole classes of technology. This is not necessarily easy but should be a part of the budget conversation and in my experience yields some of the most interesting tradeoff debates. For example, consolidate supply chains or even reduce the inherent risk of vendors by sending them less critical information and figuring out ways to operate their services in that way. Similar approaches can work internally, I’ve seen many organizations reduce the demand side of how many privacy critical systems they have to protect by removing privacy critical data and consolidating that in a smaller number of better protected places.
Supply Side Management 3. Increase resources. The default and easiest to contemplate is to just ask for more budget to spend on more people, services or products. Many organizations focus simply on this step without looking at the demand side or the alternative supply side approaches. This is when security budgeting becomes and remains painful. 4. Increase resource efficiency. Now, this is where things get business-like and actually quite fun. Look at the means by which you can increase the supply of capability to meet demand by increasing the leverage of the resources you already have. This could be through scaling processes better, increasing the basic training of all employees, implementing tools / toolkits for people to use, embedding security in opinionated platforms to raise the baseline by reducing the cost of control. This can also include leverage for the security team by automation and orchestration tools and better communication of architecture patterns to reduce the effort needed on design reviews.
Risk Acceptance 5. Consequences of supply side deficit. If you fundamentally can’t balance supply and demand then you have a supply side deficit to deal with. This results in one or more management sponsored risk acceptances. This is a critical part of this process. To be blunt, there’s no magic here, you either have the supply to meet your demand or you build up some risk deficit that needs formally accepting (and possibly hedging in some way). You need to avoid having implied risk embedded in the budget process that doesn’t make it to your risk ledger. Encoding this in your risk ledger and then managing it in a lifecycle is crucial. The interesting aspect of this approach is you can then look at this over multiple years and see how much of those year-on-year risk liabilities are being built up that need to be matched with “assets”in various ways.
All of this needs to be managed down at some point and that past accumulation should become a major discussion point in each fresh annual (or quarterly) budget cycle. It could even be that one year your supply exceeds demand, in which case that frees up capacity to pay down prior years' accumulated risk or return some budget.
Bottom line: think of security budgeting as a supply and demand problem. Work both supply and demand to make your budgeting process a risk management exercise. Even if you don’t formally present things this way, the process will bring clarity of thought and it illustrates to your business that you are thinking commercially about how to reduce the relentless march of the ever increasing security budget.