12-29-15 | Blog Post
Managing an IT security budget effectively gets more complex every year. The pressure to show a return on every IT spend is as strong as ever, and cyber security budgets are not immune to it. Knowing how to build a return calculation into the cyber security budget pitch can make or break the approval.
The challenge begins when you request badly needed increases in cyber security only to be told, “There were no incidents last year, so why am I spending this money in the first place?” Cyber security spending usually does more to protect revenue than to increase it. You are effectively buying silence, which makes the real return on that spend hard to identify.
As a CEO, if I’m going to spend more money next year, I better know why. So whether you are struggling with your pitch, you’re ready to present or still putting together your budget, here are my top two tenets of evaluating a security spend:
Preferably, the budget should touch more than one of these aspects at a time, with spending distributed evenly across them rather than concentrated in one.
Boards are waking up to the value of their data and the cost to their brand when it is breached. It’s important to frame cyber security threats in that context for them.
When it comes to describing the return, ask whether it is sustainable. Will this protect me in the future, or only until the next new threat appears? Some process changes help regardless of the specific threat or attack technique, while certain technology only addresses one narrow aspect of security. Log review, where logs are regularly examined by heuristic algorithms and by people so that issues are identified quickly, is a good example of a process that keeps paying off no matter which threat shows up next.
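To make the log-review point concrete, here is an added example (not code from the original post) of the kind of heuristic review described above. It parses a few constructed sshd-style authentication lines, flags a source address that fails repeatedly within a short window, and raises the severity when a successful login follows that burst. The log lines, the five-failure threshold and the five-minute window are assumptions chosen for illustration; the value of the technique is that none of the logic depends on a particular vulnerability or product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-style sshd format (not real logs).
SAMPLE_LOG = """\
Dec 29 08:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Dec 29 08:00:03 host sshd[102]: Failed password for admin from 203.0.113.5 port 4002 ssh2
Dec 29 08:00:05 host sshd[103]: Failed password for root from 203.0.113.5 port 4003 ssh2
Dec 29 08:00:07 host sshd[104]: Failed password for oracle from 203.0.113.5 port 4004 ssh2
Dec 29 08:00:09 host sshd[105]: Failed password for test from 203.0.113.5 port 4005 ssh2
Dec 29 08:00:12 host sshd[106]: Accepted password for deploy from 203.0.113.5 port 4006 ssh2
Dec 29 08:15:00 host sshd[107]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Dec 29 08:15:40 host sshd[108]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
"""

# Matches only the two sshd message types the heuristic cares about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed thresholds for illustration; tune them to the environment.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse(log_text, year=2015):
    """Turn raw lines into (timestamp, result, user, ip) tuples.

    Syslog lines carry no year, so the caller supplies one. Lines that do
    not match are skipped rather than treated as errors, because a review
    job must keep running when unrelated messages appear in the log.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def review(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return findings as (severity, ip, description) tuples.

    Heuristic 1: `threshold` or more failures from one address inside
    `window` is flagged once as medium (password guessing).
    Heuristic 2: a successful login from an address that is still inside
    such a burst is flagged as high (the guessing may have worked).
    """
    findings = []
    failures = defaultdict(list)   # ip -> timestamps of failures in window
    flagged = set()                # addresses already reported as medium
    minutes = int(window.total_seconds() // 60)
    for ts, result, user, ip in sorted(events):
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[ip] if ts - t <= window]
        failures[ip] = recent
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(
                    ("medium", ip, f"{len(recent)} failed logins within {minutes} min"))
        elif len(recent) >= threshold:
            findings.append(
                ("high", ip, f"successful login for {user} after {len(recent)} failures"))
    return findings


def review_sample():
    """Run the heuristics over the constructed sample log."""
    return review(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for severity, ip, description in review_sample():
        print(f"[{severity}] {ip}: {description}")
```

On the constructed sample this reports 203.0.113.5 twice (medium for the burst of failures, high for the login that follows it) and stays silent on 198.51.100.7, whose single failure before a successful login looks like an ordinary typo. The same rules would have flagged the pattern a year ago and will flag it next year, which is what makes this spend sustainable in the sense discussed above; a reviewer still needs to look at the findings, so the budget line covers people as well as the automation.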
This should give you an idea of how to structure a successful proposal. Remember, these are just some of the things I look for—there are many other components to putting together a successful security budget.