How does your organisation decide how much money to spend on security?
There is often pressure to deliver productivity improvements and this frequently results in the desire to reduce costs. Cost-reduction measures can be implemented through traditional programs, such as outsourcing, offshoring and strategic sourcing, but all too often they include other isolated cost-reduction activities of the kind that can leave security budgets misaligned with either the level of security risk or the needs of the business.
When it comes to the budgeting process, there are several popular methodologies.
“Incremental budgeting”, that is, using a previous period’s actual or forecast costs as the basis for predicted future expenditure, makes a significant assumption: namely, that the previous budget was originally aligned with the business’s needs and that it will continue to fit the organisation’s future environment.
This method of budgeting is prevalent as it enables executives and finance managers to quickly develop the ‘cost’ side of the financial plan. Simply applying a fixed percentage decrease or increase to the previous budget enables quick progress and in an environment where time is always at a premium, why wouldn’t an incremental budget process achieve the desired objective of predicting how much money needs to be spent on security in the coming year?
A more comprehensive approach could be to use a ‘cost-based’ or ‘zero-based’ budget methodology. There are many versions of ‘zero-based’ budgeting, but they all work on the basis of ‘building the budget from zero’; in other words, not using the previous year’s costs as the starting point, but considering every cost item necessary to run and develop the business. The ‘zero-based’ approach has its drawbacks in terms of time and effort, but it does achieve the goal of ensuring that budgets, including the security budget, are correctly aligned to evolving environments.
So, how does your organisation decide how much money to spend on security?
By now you may be wondering what budgeting methodologies have to do with the initial question: how does your organisation decide how much money to spend on security?
The simple answer is: the method used to develop your business operating budget must ensure that there is no disconnect between the current needs of your organisation and what the budget must enable you to deliver. When it comes to security, budgets are all too often determined by incrementally increasing or decreasing the amount spent in the previous year, or security overheads that have built up over time are simply maintained. This type of budgeting reflects far too little effort and understanding of why money should be spent on specific, prioritised risk control measures.
“Foundation factors” provide the information platform for future decision making. The stronger and broader the foundation factors are, the more closely aligned to the business needs any future security decision will be.
So, is your business spending too much money on security or not enough? Are you focussing your expenditure in the right areas or leaving vulnerabilities exposed to exploitation? Is the security budget absorbing other business service costs that should be part of a different budget? The first step in understanding the answer to these questions is to build a strong set of foundation factors.
How to decide how much money to spend on security?
The next time you are thinking about your organisation’s financial plan, use a ‘zero-based’ approach to align your security budget with your precise business needs in the context of your own business’s culture.
Although some research will likely be necessary, the insight you gain will make your decision making much quicker and more accurate, and the business case you produce will be that much more compelling. There is no magic formula or algorithm that can produce a definitive answer, but by using this tried and tested process the result will be based on your organisation’s unique criteria and will rest on an informed procedure that will stand up to scrutiny.
Want to read the full white paper?
CornerStone is an award-winning, independent security, cyber and risk consulting firm providing a range of Risk Management, Security Design and Implementation Management Services.