At this time of year the vexing challenge of trying to establish the appropriate IT security budget for next year rears its ugly head. The chief information security officer has to keep enhancing the capabilities of the security services portfolio while keeping spending on people and vendors within budget.
This is a challenge I’ve had to deal with in my time as a chief information security officer and as an advisor helping organizations build or rebuild their security programs. The challenge is that there is no easy formula that helps explain how much money should be allocated to a security program, and then there’s the additional challenge that many of the IT groups and business owners have a problem understanding why they need to continue to invest when the security incidents still continue to appear. Or you have the perverse situation where you have had no security incidents.
Unfortunately, there is no easy answer to explain how much money or resources should be invested in the team that is tasked with the job of protecting the IT infrastructure and the business against all those malicious hackers and attackers.
What I can do is provide some guiding principles that I have found helpful when explaining why I needed to invest in resources or continue to spend money on an existing security service.
The first approach is to leverage market statistics around average percentages of IT security spending and then use that as your benchmark to justify your budget. I have typically found that between 5% and 17% of IT budgets are allocated to the work of IT security. Why the variation, you might ask?
It depends on the following characteristics:
The industry you’re in.
If you’re in a high-risk industry, where the organization is dealing with highly regulated, sensitive information, then the financial and personal impact on the business and the executives can be immense. Those industries traditionally have the highest spending rates. Industries that are less reliant on IT as a service delivery differentiator tend to have the lowest budgets.
Incidents
Another factor that can influence the security budget is whether or not you have had any serious incidents. In those situations, you are usually given the support of executives who want to see results and no more incidents.
Maturity
Another factor that should influence your security budget is the maturity of your service portfolio. I always think of the security program as a series of services that help the business protect itself against human error and malicious activities. Notice I use the word help. In the end, whether we call it enforcing or providing, it is the executives and business owners who define how well we can protect them. So if you haven’t had serious investment in your security infrastructure, and you know that the longer you wait the greater the risk of errors, then you are facing one of the most difficult challenges: justifying a security investment that the company does not yet realize is required to keep it in business. In this situation, you don’t have to have anecdotal data or external expertise to help justify your arguments. You need to demonstrate how this is paramount to protecting the business, and beyond that, how it can enable the business to continue to be profitable, protecting its customers and services, and hopefully enabling innovation and growth.
Change
One of the benefits of my experience of being chief information security officer for multiple companies is knowing which factors affect the size of your security team, and how that relates to the size of the organization you’re protecting. Ironically, they don’t always appear to be connected. For example, when I was protecting a Fortune 500 organization, I had a team of about 50 people reporting to me directly. There were auxiliary groups that were involved in delivering my portfolio of security services, where I engaged them as a service provider and thus did not include their head count. For a much smaller organization, my team was twice the size of the Fortune 500 security team. The factor that most appears to impact the size of security teams is not the size of the organization, but the amount of change that has been implemented to create a new, revitalized security program presence.
I hope this guidance helps to develop the right mindset for building a security budget. Good luck!
Paul