The cybersecurity threat landscape is constantly changing, and new attacks and threats appear frequently. This can make it hard to plan for the future when doing budgets and making requests for funding to the C-suite. Budgeting is challenging, even in areas where things are relatively stable from year to year. Cybersecurity is not stable, as the last few years have demonstrated.
Everybody who has been through a budget cycle has made mistakes. Sometimes you don't ask for enough resources to cover the events that occurred, and sometimes you wish you'd asked for something else, as hindsight is a great planning tool!
Still, experience shows that there are ways to plan for and budget future cybersecurity spending to deliver the best outcomes and deal with the unexpected. On the 21st of October, we held an expert-led webinar plus Q&A called "2022 Cybersecurity Budgeting - How to Make The Right Requests". In the webinar, Mike Hamilton (Founder and CISO of Critical Insight) discussed good cybersecurity budgeting practices with Michael Sloon (IT Director for the City of Spokane). Jake Milstein (Chief Marketing Officer at Critical Insight) moderated the discussion.
During the webinar, the participants outlined how to rethink your security priorities to match today's threat environment and how to explain the budget required to Executives who don't understand InfoSec. Anyone can view the webinar below or on the Critical Insight YouTube Channel.
Key Takeaways from the Webinar
You should carve out an hour of your time to watch the embedded video to get the full picture from the webinar and the excellent Q&A session. But for those looking for it, here is a summary with the key takeaways.
Use an Assessment Framework
The best way to structure cybersecurity planning and the budget required to deliver it is to use an assessment framework. Doing this gives the process a structure that everyone working in the area will recognize, and it leads to outputs that identify what needs doing and in what order, based on the priority of each risk.
There are many frameworks available that organizations can use. Some are more complicated than others. At Critical Insight, we tend to use the NIST Cybersecurity Framework in most assessments. It is detailed enough for most organizations without being too complex and unwieldy for real-world use.
The assessment process will measure existing systems and security provisions against the framework to identify what's on the network and the state of cybersecurity. This assessment process will produce a report with any gaps identified.
The gaps found are grouped into a corrective action plan that prioritizes them and outlines the optimal order for addressing them during the forthcoming budget cycle. Identifying what is needed and estimating the costs over time will provide a core part of the final cybersecurity budget request.
The corrective action plan is a document that shows the gaps in the current cybersecurity provision, what is required to close each gap, how severe the risk is, and what it will cost in both CapEx and OpEx to address the issue. This document is very useful on multiple fronts: convincing internal executives of the required budget, and showing auditors that there is a costed plan to address cybersecurity gaps. With both Federal and State funding becoming available to enhance cybersecurity in public bodies, organizations can also use the report to support applications for grant funds.
Identify Repeating Management Activities
Cybersecurity budget requests need to include the ongoing activities that occur weekly, monthly, quarterly, and annually. These ongoing costs come from human resources, management, and technical outlays. Typical examples of items are listed below:
- Information Security Governance and Management Framework
- Meetings (change control, InfoSec, Governance, etc.)
- Review vulnerability assessment results, assign disposition and delegate
- Access authorization management reviews
- Firewall rules review
- Conduct Security Governance Committee meeting
- Consulting Project Management
- Record keeping (e.g. security testing results for products in use)
- Perform 2 of the annual requirements
- Security Awareness Training / Attestation
- Planning meetings for upcoming monthly, quarterly, and annual requirements
- Corrective action board; InfoSec ritual
- Report to Executive Governance Committee
- Tabletop or functional security exercise
- Conduct Vulnerability Assessment
All of these ongoing and essential items need to have budgeted costs against them. These costs will be a combination of both internal resources and external cybersecurity providers. For example, penetration testing needs to be done by an external body, but at the same time, there will need to be internal resources available to work with the testers and action their recommendations.
Plan to Address Discovered Issues over the Budget Cycle
The gaps discovered and the ongoing costs to manage cybersecurity delivery will combine to give the budget required over the request cycle. In many public sector organizations, the budget cycle is a two-year period.
The prioritization of any gaps discovered and the risk rating applied to them will govern how the budget gets spent during the cycle. It's unfeasible to try to address everything discovered at once. Organizations should address urgent items within the first six months of the cycle, medium-risk items in the mid-period, and the lowest-risk gaps over the whole budget cycle as resource availability allows.
Not to belabor the point, but do try to find the time to watch the 1-hour webinar. It'll be an hour of your time well spent. The information you get from it will set you on the right path for a process that delivers the information and report you need to make your budget request easy to sell to managers. It will also allow you to demonstrate that cybersecurity provision, and its improvement over time, is front and center in your planning and budget requests.