Organizations are looking for things to cut, but security can’t be one of them. Here are four steps for securing the budget needed to protect the business.
by Tanya Candia
Tanya Candia is an international management expert, specializing for more than 25 years in information security strategy and communication for public- and private-sector organizations.
Budgets for security have always been tight, yet the need for security doesn’t stop growing. Today, the budget situation has become even more difficult as companies continue to feel the effects of the economic downturn: Businesses are looking for ways to cut costs, and security budgets are not immune.
It’s no surprise that most budgets have been negatively impacted by COVID-19. In fact, Gartner estimated a substantial slowing of security spending in 2020, with Lawrence Pingree, managing partner, predicting in a press release “a pause and a reduction of growth in both security software and services.” At the same time, 40 percent of businesses told Barracuda Networks in May that they reduced their security budgets.
After several years of focusing on growth and innovation, the pandemic has forced IT security leaders to narrow their sights to mission-critical initiatives. But with twice as many people working from home as before, security teams must confront increased risk.
Remote malware, man-in-the-middle attacks, phishing and widespread use of BYOD all mean that remote workers pose added risk to the enterprise.
Staff layoffs to cut costs have far-reaching effects, including fewer support personnel who could otherwise help mitigate increased risk. Seasoned security personnel are difficult to find, hire and retain at the best of times, and filling gaps will become even harder in the future.
Why Security Is a Strategic Investment
The struggle for security budget highlights the disconnect between security teams and top management. Security has long been viewed as an unavoidable cost center. Security teams communicating with executives highlighted how many vulnerabilities were remediated and how many patches were installed, but have often failed to convince top management of the need for (and value of) security.
In fact, security is a strategic investment that reduces corporate risk, helping the organization reach its business value goals. The steps below will help IT security professionals build a strong argument for increased security budgets.
Step 1: Look at the Business First
Instead of starting with threats or the systems in place, look first at the business: What are the organization’s most important strategic initiatives? What are the critical supporting processes that need protection from threats? Which processes generate value? Consider consulting with business peers to better understand the financial aspects of given initiatives.
Step 2: Quantify the Risk to Your Organization
Next, determine which resources would be affected by security threats. How much of the business would be impacted by an interruption? Would 10 or 25 percent of revenue be threatened? More?
What if an asset were unavailable for an hour, a day or a week? What secondary impacts might accrue from that? Would there be a regulatory impact or potential fines? Damage to the brand? An impact on the stock price?
For each of the most important initiatives, processes and assets, could security have an impact on their success? Look at what threats exist — threat intelligence feeds can help here — and determine how likely they are to pose real risk to the confidentiality, integrity or availability of critical systems. It doesn’t hurt to think like a hacker: which assets (intellectual property, customer base) or processes (sales, finance, human resources) would the hacker target, and why (monetization, disruptions, etc.)?
Step 3: Quantify the Value of Security
To assess the risk for each important initiative or process, simply multiply the total impact of the vulnerability by the probability of a threat exploiting that vulnerability. A risk matrix can help to prioritize risks by showing potential damage compared to the probability of the risk occurring.
For assets or processes where both the impact and the probability are high, identify the controls in place to reduce the likelihood or mitigate the risk. How good are they? What is the current mean time to detect a threat? Calculate in dollars the value of a speedy response that reduces the business impact of data exfiltration or other security breaches. Look to public data, such as the VERIS (Vocabulary for Event Recording and Incident Sharing) framework, to build a baseline of metrics, such as:
- Time from compromise to discovery (dwell time)
- Time from initial alarm to triage
- Time to close an incident
You can then measure your performance against that of peers via the annual Verizon Data Breach Investigations Report.
Step 4: Prioritize Your Security Efforts
Evaluate whether better tools, process changes, increases in staffing or training could reduce the response and resolution times. If so, you can now measure and communicate the dollar value of that difference while pushing for an increase in the budget.
When looking at areas that can present clear value, don’t overlook tools that can help automate processes and tools to help understand the risks in the new world of remote work.
Another area for examination is up-to-date threat intelligence sources: Use your work or social connections to explore best practices and optimal resources. Finally, consider outsourcing, especially where internal expertise is lacking.
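A worked version of Steps 2 through 4, added here as an illustration and not part of the original article: constructed sample scenarios are scored as impact multiplied by probability, placed on a 5x5 risk matrix, and the dollar value of cutting dwell time is computed as the Step 4 budget argument. The scenario figures, band thresholds and priority cut-offs are all assumptions, not data from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One critical process or asset and a threat against it (Step 2 inputs)."""
    name: str
    impact_usd: float         # total loss if the threat succeeds: revenue, fines, brand
    probability: float        # chance the threat succeeds within a year, 0..1
    loss_per_hour_usd: float  # business loss per hour the incident stays undetected


# Constructed 5-band scales for the risk matrix: each tuple lists band ceilings.
IMPACT_CEILINGS = (100_000, 1_000_000, 10_000_000, 50_000_000)
PROB_CEILINGS = (0.05, 0.2, 0.5, 0.8)


def risk_usd(s: Scenario) -> float:
    """Step 3: risk = total impact x probability of exploitation (expected annual loss)."""
    return s.impact_usd * s.probability


def band(value: float, ceilings: tuple) -> int:
    """Map a value onto band 1..len(ceilings)+1 using ascending band ceilings."""
    for i, ceiling in enumerate(ceilings, start=1):
        if value <= ceiling:
            return i
    return len(ceilings) + 1


def matrix_cell(s: Scenario) -> tuple:
    """Risk matrix position as (impact band, probability band)."""
    return band(s.impact_usd, IMPACT_CEILINGS), band(s.probability, PROB_CEILINGS)


def priority(s: Scenario) -> str:
    """Priority label from the matrix cell product (assumed cut-offs 16/9/4)."""
    score = matrix_cell(s)[0] * matrix_cell(s)[1]
    return "critical" if score >= 16 else "high" if score >= 9 else "medium" if score >= 4 else "low"


def response_improvement_usd(s: Scenario, current_dwell_h: float, target_dwell_h: float) -> float:
    """Step 4: annual dollar value of shorter dwell time, weighted by probability."""
    return max(current_dwell_h - target_dwell_h, 0) * s.loss_per_hour_usd * s.probability


def rank(scenarios: list) -> list:
    """Order scenarios by expected annual loss, highest first."""
    return sorted(scenarios, key=risk_usd, reverse=True)


SCENARIOS = [  # constructed sample inputs, not real figures
    Scenario("Order processing ransomware", 8_000_000, 0.30, 25_000),
    Scenario("HR data exfiltration", 2_000_000, 0.15, 3_000),
    Scenario("Marketing site defacement", 50_000, 0.60, 500),
]

if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{s.name}: risk ${risk_usd(s):,.0f}, cell {matrix_cell(s)}, priority {priority(s)}")
    print(f"Cutting dwell 200h -> 24h on order processing is worth "
          f"${response_improvement_usd(SCENARIOS[0], 200, 24):,.0f} per year")
```

The last figure is the kind of number Step 4 asks for: the annual value of a faster response, which can be set directly against the cost of the tooling or staffing that would deliver it.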
The decision-makers for increasing budgets reside in the executive suite, where the language of communication is value. By discussing the value security brings to the organization in supporting critical initiatives, as well as in avoiding the risks and accompanying costs of a breach, the security team can make a strong case for increasing budget to help achieve the strategic goals of the organization.