4 Tips For Planning An Effective Security Budget

Security budgets start with managers assessing all of their resources and measuring the effectiveness of their security programs for strengths and weaknesses

Where does the information security budget reside and who owns it? That's an ongoing debate as organizations allocate resources to protect critical assets in a dynamically changing technology and threat environment.

In many organizations, chief information security officers report to the chief information officer, because security operations and budgets are part of the IT department. According to the Ponemon Institute’s 2015 Global Study on IT Security Spending & Investments, only 19 percent of the surveyed respondents say the IT security leader has control over how resources are allocated. Instead, the budget is in the hands of the CIO or chief technology officer and business leaders.

This suggests the importance of security leaders learning how to influence these senior executives if they are going to change how budgets are allocated, according to the report. Ponemon surveyed 1,825 IT management and IT security practitioners in four global regions for the report.

There are a lot of similarities between the security and IT worlds, as both are part of a rapidly changing landscape witnessing the rise of technologies and services like cloud computing, mobility, software-as-a-service, and virtualization, says David Frymier, CISO of Unisys. “The security budgeting is similar to what is going on in the IT world,” he says. 

But he also notes that there are conflicts of interest between the two functions, and some security practitioners and experts are making a case for the separation of the disciplines. In some cases, CISOs are reporting to chief risk officers or chief compliance officers.

At Unisys, security is part of IT, and the actual budget number is held at a very high executive level. The CIO has a budget number that is part of the corporate financial plan. The details of that budget aren’t farmed out to the managers who report to the CIO in any hard and fast manner, Frymier notes. Instead, the managers have a plan and an outlook, and progress against the plan is measured monthly.

“Things change on a very fluid basis all year long,” he says. Even if something has been in the financial plan since the beginning of the year, when it comes time to actually spend the money on it, a business case needs to be made again within the current context. There might be other priorities, or the issue might not be as acute as it was at the beginning of the budget process, he says.

For security managers looking for ways to help their organizations plan an effective security budget, Frymier and Greg Boison, director of homeland and cybersecurity at Lockheed Martin, shared some advice:

1. Assess and Inventory Current Resources: “Security budgets start with baselining what you have,” says Boison. Security managers have to conduct a proper inventory of all the tools, staff, and resources they currently have. Then they should apply metrics to determine how many of the events launched against the enterprise were actual risks, versus the thousands of alerts and sensor events logged. This helps managers know what resources they have, how successful those resources were in mitigating attacks, and where the gaps are. They can say, 'here are the gaps in the mitigation of threats in the enterprise and here are the things I need to make it safer,' Boison says.

2. Get Creative in Procuring New Technology and Resources: The security budget is a complete bill of materials for what you need to run the security program, which includes equipment, software, people, training, maintenance, and perhaps cloud computing approaches such as software-as-a-service and infrastructure-as-a-service, says Frymier. “All that material fits into a taxonomy,” where it is either a capital expense (hard goods such as servers, software licenses, and workstations) or an operating expense, such as people and their salaries, he says. Cloud computing and a services orientation are helping to move organizations toward operating expenses, which most accountants say is a good thing.

Organizations are looking at creative ways of implementing new distributive technology via capitalized projects. For instance, FireEye offers unique, advanced malware detection and remediation. Some accountants would say FireEye is a new business function and declare it a capital project, Frymier says. All expenses associated with it (labor, equipment, software licenses, training, and implementation costs) could then be spread out over three, five, or seven years, just as managers would do if they were buying equipment for a new factory. If security managers decided instead to change their antivirus vendor from Symantec to McAfee, it is unlikely that could be called a capital project, because the company already had an antivirus function.

This type of accounting and budget detail can get arcane, and technical people aren’t interested in it because it is difficult to understand. “When I was first exposed to this concept it made no sense to me and I was unconcerned how things were accounted for,” Frymier says. “But as you move up through the management ranks, these things become more important.”

3. Beware: Don’t Be Too Technology-Focused: Managers should not view the security budget as being principally about tools; people and talent play a big role in an effective security program, says Boison. Many CISOs focus on the latest tools and wind up bringing in another blinking box, he says. “More mature organizations are focused on leveraging and utilizing what they have.” Managers in those organizations push their existing systems and tools to their full functionality and only then add another tool. Each new tool brings complexity, which can lead to inefficiency in how the tool is implemented and run.

Frymier agrees. “The best way to blow your budget is to allow yourself to be sold a shiny bubble and not understand what goes along with the technology.” This often happens when managers aren’t identifying their requirements and going through a structured procurement process. Usually it involves executives who are not in security or IT, who purchase a tool thinking it is going to solve all of their security problems, he notes.

4. Measure The Effectiveness Of Your Security Program: Security managers need some measure of effectiveness to assess the totality and completeness of their organization’s security program. There are a variety of frameworks to help managers achieve this goal, says Frymier. One in particular is the Cybersecurity Framework released by the National Institute of Standards and Technology in 2014. The Framework has 98 security control objectives that security managers can use to rate their security program. “Using the four criteria [the Framework outlines] for each of those 98 security objectives, you can demonstrate to people where you may have strengths and weaknesses,” he says. “Then you can make business decisions about the value of strengthening areas where you are weak and make decisions about whether you are going to spend money on those areas or not.”
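The rating exercise Frymier describes, turned into a small worked example. This is added illustration, not code from the article, Unisys, Lockheed Martin, or NIST: it assumes the four criteria applied to each objective can be collapsed into a single maturity score from 1 to 4, uses a handful of Framework subcategory identifiers with constructed scores, and attaches constructed remediation costs so the "business decision" step (which gaps to fund within a fixed budget) can be shown as well.

```python
"""Score a security program against Framework objectives and rank gaps for budgeting.

Added illustration (not from the Dark Reading article or its sources). It assumes
the "four criteria" applied to each objective can be collapsed into a single
maturity score from 1 to 4, and it uses a handful of Framework subcategory IDs
with constructed scores and constructed remediation costs.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed sample ratings: subcategory id -> (Framework function, score 1..4).
# The IDs follow the Framework's numbering; the scores are made up for this example.
SAMPLE_RATINGS = {
    "ID.AM-1": ("Identify", 3),
    "ID.AM-2": ("Identify", 2),
    "PR.AC-1": ("Protect", 4),
    "PR.DS-1": ("Protect", 1),
    "DE.AE-1": ("Detect", 1),
    "DE.CM-1": ("Detect", 2),
    "RS.RP-1": ("Respond", 3),
    "RC.RP-1": ("Recover", 2),
}

# Constructed cost (arbitrary budget units) to raise each weak objective to target.
SAMPLE_COSTS = {"PR.DS-1": 120, "DE.AE-1": 60, "ID.AM-2": 20, "DE.CM-1": 40, "RC.RP-1": 50}


@dataclass(frozen=True)
class Gap:
    objective: str
    function: str
    score: int
    shortfall: int  # target score minus current score


def score_by_function(ratings):
    """Average score per Framework function: the strengths-and-weaknesses view."""
    buckets = defaultdict(list)
    for function, score in ratings.values():
        buckets[function].append(score)
    return {function: mean(scores) for function, scores in buckets.items()}


def find_gaps(ratings, target=3):
    """Objectives below the target score, largest shortfall first (ties by id)."""
    gaps = [
        Gap(obj, function, score, target - score)
        for obj, (function, score) in ratings.items()
        if score < target
    ]
    return sorted(gaps, key=lambda g: (-g.shortfall, g.objective))


def prioritize(gaps, costs, budget):
    """Greedy selection of gaps to fund: most shortfall closed per unit cost first.

    Returns (chosen objective ids in funding order, total spent). A gap with no
    known cost is skipped, so unpriced work never silently consumes the budget.
    """
    priced = [g for g in gaps if g.objective in costs]
    priced.sort(key=lambda g: (-(g.shortfall / costs[g.objective]), g.objective))
    chosen, spent = [], 0
    for g in priced:
        cost = costs[g.objective]
        if spent + cost <= budget:
            chosen.append(g.objective)
            spent += cost
    return chosen, spent


if __name__ == "__main__":
    for function, avg in sorted(score_by_function(SAMPLE_RATINGS).items()):
        print(f"{function:<9} average score {avg:.2f}")
    gaps = find_gaps(SAMPLE_RATINGS, target=3)
    print("Gaps below target 3:", [(g.objective, g.shortfall) for g in gaps])
    chosen, spent = prioritize(gaps, SAMPLE_COSTS, budget=100)
    print(f"Fund this cycle with budget 100: {chosen} (spent {spent})")
```

The per-function averages are the "strengths and weaknesses" picture for executives; the gap list is what the security manager takes into the budget conversation; and the greedy pass is one simple way to decide which weak areas get money this cycle. Real assessments would carry all 98 objectives and a cost model agreed with finance, but the shape of the exercise is the same.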


Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the ...

User Rank: Apprentice
4/30/2016 | 3:32:24 PM
4 Tips For Planning An Effective Security Budget
Thanks for sharing, really I learn so much with you guys, thanks again.

Sagiss, LLC
User Rank: Strategist
4/28/2016 | 12:01:14 PM
Protecting Valuable Data
In addition to assessing what current security resources are in place and how effective they are, leaders should also determine what their most valuable information assets are so that they can focus on improving detection and response capabilities in those areas, rather than attempting to achieve 100% security, a lofty and impossible goal.

User Rank: Apprentice
4/27/2016 | 5:19:02 PM
Bug Bounty Programs
I'd suggest Bug Bounty Programs as a fast and cost-effective way to get more eyes on your applications. A company can try them for free. 77% of companies get results in 24 hours.

(Full Disclosure, I work for one of the companies in this space but I loved bounty programs before that too :).
