Dark Reading is part of the Informa Tech Division of Informa PLC



4 Tips For Planning An Effective Security Budget

Security budgets start with managers assessing all of their resources and measuring the effectiveness of their security programs for strengths and weaknesses

Where does the information security budget reside and who owns it? That's an ongoing debate as organizations allocate resources to protect critical assets in a dynamically changing technology and threat environment.

In many organizations, chief information security officers report to the chief information officer, because security operations and budgets are part of the IT department. According to the Ponemon Institute’s 2015 Global Study on IT Security Spending & Investments, only 19 percent of the surveyed respondents say the IT security leader has control over how resources are allocated. Instead, the budget is in the hands of the CIO or Chief Technology Officer and business leaders.

The report argues that security leaders therefore need to learn how to influence those senior executives if they want to change how budgets are allocated. Ponemon surveyed 1,825 IT management and IT security practitioners in four global regions for the report.

There are a lot of similarities between the security and IT worlds, as both are part of a rapidly changing landscape witnessing the rise of technologies and services like cloud computing, mobility, software-as-a-service, and virtualization, says David Frymier, CISO of Unisys. “The security budgeting is similar to what is going on in the IT world,” he says. 

But he also notes that there are conflicts of interest between the two functions, and some security practitioners and experts are making a case for the separation of the disciplines. In some cases, CISOs are reporting to chief risk officers or chief compliance officers.

At Unisys, security is part of IT, and the actual budget number is held at a very high executive level. The CIO has a budget number that is part of the corporate financial plan. The details of that budget aren’t farmed out to the managers who report to the CIO in any hard-and-fast manner, Frymier notes. Instead, the managers have a plan and an outlook, and progress against the plan is measured monthly.

“Things change on a very fluid basis all year long,” he says. Even if an item was in the financial plan at the beginning of the year, when it comes time to actually spend the money a business case has to be made again in the current context: other priorities may have emerged, or the issue may no longer be as acute as it was at the start of the budget process, he says.

For those security managers looking for ways to help their organizations plan an effective security budget, Frymier and Greg Boison, director of homeland and cybersecurity at Lockheed Martin, shared some advice: 


1.      Assess and Inventory Current Resources: “Security budgets start with baselining what you have,” says Boison. Security managers have to properly inventory all the tools, staff, and resources they currently have. Then they should apply metrics to determine how many of the events launched against the enterprise represented real risk, as opposed to the thousands of alerts and sensor events that were merely logged. This tells managers what resources they have, how successful those resources were in mitigating attacks, and where the gaps are. They can say 'here are the gaps in the mitigation of threats in the enterprise and here are the things I need to make it safer,' Boison says.
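To make that baselining concrete, here is an added example (my own illustration, not code from the article, Lockheed Martin or Unisys). It takes a quarter's worth of constructed alert records from three hypothetical tools (an IDS, an EDR agent and a mail gateway) plus the list of incidents that triage actually confirmed, and produces the figures Boison describes: alert volume versus confirmed risk per tool, and the confirmed incidents that no tool caught. The missed incidents are split into gaps where no sensor covers the threat category at all and gaps where a sensor exists but missed the event, because those two lead to different budget requests. Tool names, categories and every record are constructed sample data.

```python
"""Baseline a security program's detection coverage from alert and incident records.

Added example, not from the article. All tools, categories and records below are
constructed sample data standing in for one quarter of triage output.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    alert_id: str
    tool: str                          # sensor or tool that raised the alert
    category: str                      # threat category the analyst assigned
    incident_id: Optional[str] = None  # set when triage tied the alert to a confirmed incident


@dataclass(frozen=True)
class Incident:
    incident_id: str
    category: str


# Constructed sample: 14 alerts from three hypothetical tools, 5 confirmed incidents.
ALERTS = [
    Alert("A01", "ids", "malware", "INC-1"),
    Alert("A02", "ids", "malware"),
    Alert("A03", "ids", "malware"),
    Alert("A04", "ids", "scan"),
    Alert("A05", "ids", "scan"),
    Alert("A06", "ids", "scan"),
    Alert("A07", "edr", "malware", "INC-1"),
    Alert("A08", "edr", "malware", "INC-4"),
    Alert("A09", "edr", "lateral_movement"),
    Alert("A10", "mail_gateway", "phishing", "INC-2"),
    Alert("A11", "mail_gateway", "phishing"),
    Alert("A12", "mail_gateway", "phishing"),
    Alert("A13", "mail_gateway", "spam"),
    Alert("A14", "mail_gateway", "spam"),
]
INCIDENTS = [
    Incident("INC-1", "malware"),
    Incident("INC-2", "phishing"),
    Incident("INC-3", "lateral_movement"),  # nothing alerted on this one
    Incident("INC-4", "malware"),
    Incident("INC-5", "credential_theft"),  # no tool covers this category at all
]


def tool_metrics(alerts):
    """Per tool: alert volume, alerts confirmed as real, precision, distinct incidents caught."""
    by_tool = defaultdict(list)
    for a in alerts:
        by_tool[a.tool].append(a)
    stats = {}
    for tool, items in sorted(by_tool.items()):
        confirmed = [a for a in items if a.incident_id]
        stats[tool] = {
            "alerts": len(items),
            "confirmed": len(confirmed),
            "precision": round(len(confirmed) / len(items), 3),
            "incidents": sorted({a.incident_id for a in confirmed}),
        }
    return stats


def coverage_gaps(alerts, incidents):
    """Confirmed incidents no tool alerted on. 'tooling' = no sensor emits that threat
    category at all; 'tuning' = a sensor covers the category but missed this event."""
    detected = {a.incident_id for a in alerts if a.incident_id}
    covered = {a.category for a in alerts}
    gaps = {"tooling": [], "tuning": []}
    for inc in incidents:
        if inc.incident_id in detected:
            continue
        kind = "tuning" if inc.category in covered else "tooling"
        gaps[kind].append((inc.incident_id, inc.category))
    return gaps


def baseline(alerts, incidents):
    """The numbers a manager can put in front of the budget owner."""
    detected = {a.incident_id for a in alerts if a.incident_id}
    return {
        "total_alerts": len(alerts),
        "confirmed_incidents": len(incidents),
        "detected_incidents": sum(1 for i in incidents if i.incident_id in detected),
        "tools": tool_metrics(alerts),
        "gaps": coverage_gaps(alerts, incidents),
    }


if __name__ == "__main__":
    r = baseline(ALERTS, INCIDENTS)
    print(f"{r['total_alerts']} alerts -> {r['confirmed_incidents']} confirmed incidents, "
          f"{r['detected_incidents']} caught by at least one tool")
    for tool, m in r["tools"].items():
        print(f"  {tool:<13} alerts={m['alerts']:>3} confirmed={m['confirmed']} "
              f"precision={m['precision']:.3f} incidents={m['incidents']}")
    for kind, items in r["gaps"].items():
        for inc_id, cat in items:
            print(f"  GAP ({kind}): {inc_id} [{cat}] missed by every tool")
```

On this sample the IDS produced the most alerts and the least confirmed risk, the EDR the reverse, and two of five confirmed incidents went unalerted. A tooling gap argues for a new capability line in the budget; a tuning gap argues for the people and time to configure what is already deployed, which is the distinction tip 3 below is about.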


2.      Get Creative in Procuring New Technology, Resources: The security budget is a complete bill of materials for what you need to run the security program: equipment, software, people, training, maintenance and, perhaps, cloud computing approaches such as software-as-a-service and infrastructure-as-a-service, says Frymier. “All that material fits into a taxonomy,” where each item is either a capital expense – hard goods such as servers, software licenses and workstations – or an operating expense, such as people and their salaries, he says. Cloud computing and a services orientation are moving organizations toward operating expenses, which most accountants consider a good thing.

Organizations are also looking at creative ways of bringing in new technology as capitalized projects. For instance, FireEye offers advanced malware detection and remediation. Some accountants would treat that as a new business function and declare it a capital project, Frymier says, so all the expenses associated with it (labor, equipment, software licenses, training, and implementation costs) could be spread over three, five, or seven years, just as managers would do when buying equipment for a new factory. If security managers instead decided to switch their antivirus vendor from Symantec to McAfee, that is unlikely to qualify as a capital project, because the company already had an antivirus function.

This kind of accounting and budget detail can get arcane, and technical people often aren’t interested in it because it is difficult to follow. “When I was first exposed to this concept it made no sense to me and I was unconcerned how things were accounted for,” Frymier says. “But as you move up through the management ranks, these things become more important.”


3.      Beware: Don’t Be Too Technology-Focused: Managers should not view the security budget as being principally about tools; people and talent play a big role in an effective security program, says Boison. Many CISOs focus on the latest tools and wind up bringing in yet another blinking box, he says. “More mature organizations are focused on leveraging and utilizing what they have.” Managers in those organizations push existing systems and tools to their full functionality before adding another one. Every added tool brings complexity, which can make it harder to implement and run well.

Frymier agrees. “The best way to blow your budget is to allow yourself to be sold a shiny bubble and not understand what goes along with the technology.” Often this can happen if managers aren’t identifying their requirements and going through a structured procurement process. Usually, this happens with executives who are not in security or IT, who purchase a tool thinking it is going to solve all of their security problems, he notes.


4.      Measure The Effectiveness Of Your Security Program: Security managers need some measure of effectiveness to assess the completeness of their organization’s security program. A variety of frameworks can help, says Frymier; one in particular is the Cybersecurity Framework released by the National Institute of Standards and Technology in 2014. Version 1.0 of the Framework lists 98 subcategories (outcome statements grouped under 22 categories and the five functions Identify, Protect, Detect, Respond, and Recover) that security managers can use to rate their program. “Using the four criteria [the Framework outlines] for each of those 98 security objectives, you can demonstrate to people where you may have strengths and weaknesses,” he says. “Then you can make business decisions about the value of strengthening areas where you are weak and make decisions about whether you are going to spend money on those areas or not.”
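The following is an added example of the rating-and-deciding exercise Frymier describes; it is my illustration, not code from the article, Unisys or NIST. The subcategory IDs are real NIST CSF v1.0 identifiers, and the 1 to 4 scale uses the names of the Framework's Implementation Tiers; applying that scale per subcategory rather than to the organization as a whole is this example's simplification. The current and target ratings and the cost-to-close figures are constructed. The script rolls ratings up per function to show strengths and weaknesses, then builds a plan within a fixed budget by closing the cheapest tier gaps first, and re-scores to show what would still be weak afterwards, which is the spend-or-not decision the tip ends on.

```python
"""Rate a security program against NIST CSF v1.0 subcategories and plan spend against gaps.

Added example, not from the article. Subcategory IDs are real CSF v1.0 identifiers;
all ratings and cost estimates are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from fractions import Fraction

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Rating:
    subcategory: str    # CSF v1.0 subcategory ID, e.g. "PR.AC-1"
    current: int        # tier achieved today (1..4)
    target: int         # tier the business has agreed to reach (1..4)
    cost_to_close: int  # constructed estimate to move current -> target, in currency units


# Constructed assessment of eight subcategories (a real one would cover all 98).
RATINGS = [
    Rating("ID.AM-1", 3, 3, 0),        # physical devices inventoried
    Rating("ID.AM-2", 2, 3, 40_000),   # software platforms inventoried
    Rating("PR.AC-1", 2, 4, 120_000),  # identities and credentials managed
    Rating("PR.DS-1", 3, 4, 60_000),   # data-at-rest protected
    Rating("DE.CM-1", 1, 3, 150_000),  # network monitored for events
    Rating("DE.AE-1", 1, 2, 30_000),   # baseline of network operations established
    Rating("RS.RP-1", 2, 3, 20_000),   # response plan executed
    Rating("RC.RP-1", 1, 3, 50_000),   # recovery plan executed
]


def validate(ratings):
    """Reject ratings that cannot be scored: unknown function, tier out of range,
    target below current, or an open gap with no cost estimate."""
    for r in ratings:
        func = r.subcategory.split(".")[0]
        if func not in FUNCTIONS:
            raise ValueError(f"{r.subcategory}: unknown function prefix {func!r}")
        if not (1 <= r.current <= 4 and 1 <= r.target <= 4):
            raise ValueError(f"{r.subcategory}: tiers must be within 1..4")
        if r.target < r.current:
            raise ValueError(f"{r.subcategory}: target tier below current tier")
        if r.target > r.current and r.cost_to_close <= 0:
            raise ValueError(f"{r.subcategory}: an open gap needs a positive cost estimate")
    return True


def function_scores(ratings):
    """Average current and target tier per CSF function, plus the gap between them."""
    groups = defaultdict(list)
    for r in ratings:
        groups[r.subcategory.split(".")[0]].append(r)
    scores = {}
    for func, items in groups.items():
        cur = sum(r.current for r in items) / len(items)
        tgt = sum(r.target for r in items) / len(items)
        scores[FUNCTIONS[func]] = {"current": cur, "target": tgt, "gap": tgt - cur}
    return scores


def prioritize(ratings, budget):
    """Greedy plan: close gaps with the lowest cost per tier gained until the budget runs out.
    Fraction keeps the ranking exact; this is a knapsack heuristic, not an optimum."""
    open_gaps = [r for r in ratings if r.target > r.current]
    open_gaps.sort(key=lambda r: (Fraction(r.cost_to_close, r.target - r.current), r.subcategory))
    chosen, remaining = [], budget
    for r in open_gaps:
        if r.cost_to_close <= remaining:
            chosen.append(r.subcategory)
            remaining -= r.cost_to_close
    return chosen, budget - remaining


def apply_plan(ratings, chosen):
    """Ratings as they would look once the chosen gaps are closed (current := target)."""
    return [replace(r, current=r.target, cost_to_close=0) if r.subcategory in chosen else r
            for r in ratings]


if __name__ == "__main__":
    validate(RATINGS)
    for func, s in function_scores(RATINGS).items():
        print(f"{func:<9} current={s['current']:.1f} target={s['target']:.1f} gap={s['gap']:.1f}")
    chosen, spent = prioritize(RATINGS, 200_000)
    print(f"plan within 200,000: {chosen} (spend {spent:,})")
    for func, s in function_scores(apply_plan(RATINGS, chosen)).items():
        if s["gap"] > 0:
            print(f"still weak after plan: {func} gap={s['gap']:.1f} "
                  f"({TIER_NAMES[int(s['current'])]} territory)")
```

With the constructed figures, Recover and Detect score lowest today; a 200,000 plan closes five gaps, and Detect remains the weakest function because its big monitoring item (DE.CM-1) is the most expensive per tier gained. That residual is exactly the item a CISO takes back to the CIO as a business decision rather than something the ranking decides on its own.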


Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the ...

Comments

User Rank: Apprentice, 4/30/2016 3:32:24 PM
4 Tips For Planning An Effective Security Budget
Thanks for sharing; really, I learn so much with you guys. Thanks again.

Sagiss, LLC, User Rank: Strategist, 4/28/2016 12:01:14 PM
Protecting Valuable Data
In addition to assessing what current security resources are in place and how effective they are, leaders should also determine what their most valuable information assets are so that they can focus on improving detection and response capabilities in those areas, rather than attempting to achieve 100% security, a lofty and impossible goal.

User Rank: Apprentice, 4/27/2016 5:19:02 PM
Bug Bounty Programs
I'd suggest bug bounty programs as a fast and cost-effective way to get more eyes on your applications. A company can try them for free. 77% of companies get results in 24 hours.

(Full disclosure: I work for one of the companies in this space, but I loved bounty programs before that too :).
