This article will answer the following questions:
- How do I sell the cybersecurity development plan to top management?
- How do I get a budget to execute my cybersecurity development plan?
- What is the best way to get my CEO onboard for my cybersecurity development plan?
- Do I need a separate cybersecurity budget to execute my cybersecurity development plan?
- How do I use long term planning to secure a long term budget?
- Can a cybersecurity manager do anything without a budget?
- Why should I use benchmarks while discussing the cybersecurity budget with top management?
- How do companies spend their cybersecurity budget?
- What budgeting workarounds can I use to get a fair budget?
Cybersecurity development plan Part II: Know the Budget
When the cybersecurity manager has created a solid cybersecurity plan, after meeting with department heads and senior executives, putting together a current assessment of risks, and identifying compliance issues, he comes away with a detailed to-do list that can move the company forward on security. The work is not done, though. He has one more important step to take—he needs to sell that plan to company leadership.
The highest level of management usually sees cybersecurity as a necessary evil, a cost centre, not a profit centre. Security doesn’t produce any services or products by itself, and it makes no profit. So the cybersecurity manager will have to sell the CEO on the idea that security makes life easier, faster, and more efficient, and hence, it does contribute to the bottom line.
To sell it, the cybersecurity manager will need to go back to the decision makers with that plan and explain to them the most urgent items that need to be fixed—not all of them, just the critical ones. And he’ll need to know how much it will cost.
When a person first starts as a cybersecurity manager, they usually don’t have a budget in place, unless they are replacing a cybersecurity manager who used to work there. Many CEOs and C-level executives view security as a cost that should be kept to a minimum. It’s not that they are careless, they just don’t know much about security. They have their own work to manage. So it’s to the cybersecurity manager’s advantage to have the cybersecurity development plan in place first, with the business risks and compliance requirements spelled out, before asking for funding.
Almost every security plan is going to require some level of budget. Ideally, the cybersecurity manager’s budget will come from one batch of money approved by the CEO or CFO—or maybe even another C-level executive who has a lot of money in their department’s budget. If the cybersecurity manager can’t get one chunk of money approved all at once by the CFO, they’ll need to go through each of the department heads in the company and request to have a portion of the security budget built into their department budget. This is more cumbersome but works fine.
Looking Beyond the Fiscal Year
If a cybersecurity manager develops a security improvement programme for the company that takes care of the biggest risks and compliance issues, and they get a budget for it, then what? What happens next year when they’ve completed the items on their plan? If they don’t think about this and plan for it, the cybersecurity manager might see their budget cut, maybe to zero.
Many companies have a budgeting cycle of one year, but the smart cybersecurity manager will plan for the long term, not just the next twelve to eighteen months. With security, there are constant recurring costs that are necessary for maintaining every item on the plan. Security measures can’t always wait a year for budget approval.
For example, let’s say the cybersecurity manager buys more firewalls or intrusion-detection technology. They need to run constantly, and somebody has to be looking after them, so that requires funding. You must either buy an outsourced service or hire somebody to take care of it. Either way, it’s going to be an ongoing cost, which requires ongoing budget, on top of the cybersecurity manager’s own salary. After one year without a budget, someone loses a job or the security controls are left to rot all alone.
Think of it this way: a security budget needs to have a long tail. Security awareness training needs to happen every year and will require a budget every year. And costs go up every year. If you don’t get anything done for a year because you don’t have the budget—you can’t order audits, can’t implement new controls, you can’t buy technology or services—what’s left? Your own working hours. Without the budget, a cybersecurity manager can rarely get anything substantial done. Failing to plan ahead for budgeting means failing to implement the next year.
Most CEOs and management teams have no idea how much they should be spending on cybersecurity. They don’t really understand why it costs so much money. So a good place to start is with benchmarks.
Cybersecurity managers can find benchmarks in studies that describe different types of businesses and how much they spend on cybersecurity. CEO Magazine and Gartner, for instance, have published reports on this topic, and they suggest some ballpark budget numbers:
How much should organisations spend on cybersecurity? Cyber attacks and data breaches are becoming so common that all organisations are likely to be hit at some point. Some organisations might use this as an excuse not to invest in cybersecurity, but it’s possible to reduce the risk and subsequent damage of an attack – and that option is a lot more affordable than waiting until it’s too late.
For example, Maersk announced that it lost up to $300 million (about £225 million) after it was hit by NotPetya, and it still had to deal with the consequences of the attack and upgrade its security measures. Granted, few breaches are as damaging, but the average company is still devastated by cyber attacks. Ponemon Institute’s 2017 Cost of Data Breach Study found that UK organisations lose £2.48 million on average after a data breach.
With organisations already investing heavily in cybersecurity – Gartner predicting that global cybersecurity spending will rise to $90 billion (about £68 billion) in 2017 – the answer isn’t simply to invest even more money. So, what should organisations do?[1]
On average, organisations spend 5.6 percent of their overall IT budget on security and risk management, according to another report from Gartner.[2] But as the SANS finding quoted below shows, most cybersecurity items won’t appear under one security budget. They are spread across different budgets and are hard to track. The true figure is likely higher than 5–6 percent. As an example, some cybersecurity managers ask for a budget of 11 percent of the IT budget. That seems like a lot of money, but most large businesses with a few thousand employees will pay a full-time cybersecurity manager. They also buy external services and licensed software. That means the 11 percent figure is not far off from real-world budgets. (The recent trend in the industry is that clients are planning to spend even more than that 11 percent on cybersecurity in the near future.) Once you have set an expectation, it’s easier to come up with a plan and associated cost. Then if you come in under budget, that will make you quite popular with the CFO.
On the other hand, some companies simply refuse to spend money on security. One company in Singapore had a turnover of about $50 million, but their entire IT budget was only $14,000 a year. They used a government grant to fund it. The IT director wanted to buy licences for antivirus and a firewall and that was it. In a case like that, it’s impossible to tell them to budget $50,000 for security.
In most cases, the IT budget provides the most useful comparison because most people think that cybersecurity is about IT. Knowing the IT budget will be helpful for the cybersecurity manager in determining the right amount of spending on security. SANS states that “most organisations fold their security budgets and spending into another cost centre, whether IT (48 percent), general operations (19 percent) or compliance (4 percent), where security budget and cost line items are combined with other related factors. Only 23 percent track security budgets and costs as its own cost centre. SANS makes an astute observation which may account for the shortfall in IT spending projections by some researchers and analysts.”[3]
Avoid Being the Scapegoat
Selling the cybersecurity plan to higher management is crucial—every cybersecurity manager needs this high-level support to get things done. This need cannot be overstated. Without leadership buy-in, the cybersecurity manager will find it difficult, if not impossible, to control the biggest cyber risks in the company, let alone put a robust security programme in place. They may have trouble even implementing the programmes that are mandatory by law.
If the cybersecurity manager takes their plan to the CEO and doesn’t get any support or sign-off for the action items listed there (and the associated cost), the cybersecurity manager might as well resign. He cannot get his job done. To make matters worse, if something goes wrong and there is an attack, the cybersecurity manager will still be blamed for it.
The cybersecurity manager isn’t the boss, but the things they do affect a lot of people in the company, so it’s a role that’s easily turned into a scapegoat. Cybersecurity managers have been fired because they don’t have management support. Something goes wrong, and people think, “I didn’t like this guy anyway, and now’s my chance to get rid of him. I’ll blame him.”
In one instance we learned about, a cybersecurity manager was friends with the managing director of a government organisation, and they had a strong working relationship. But a small team was of the opinion that the managing director was no good and needed to resign, so they burned the cybersecurity manager for some minor non-compliance issues and used that as a tool against the managing director. Political games played in security and compliance can get dirty. Nobody wants to be the scapegoat. This is another reason the cybersecurity manager has to build a network of support within the company.
Compromise can be key to gaining support. If senior management doesn’t want to spend money on security, the cybersecurity manager might negotiate a modified plan. Can we do half of the security plan this year and half next year, to lower the spending? Can we use more internal resources for the different tasks? Of course, there will always be a cost for internal resources, but it’s often possible to haggle about the price. If the CEO or CFO is willing to discuss the plan, that’s an indication they want to do it, but maybe not exactly as proposed and maybe not all at once. They might want to understand it first, then make some adjustments. That’s a good sign.
Communicating the plan and the budget is the first and biggest test of management support for the cybersecurity manager. It’s not the first step, though. The cybersecurity manager should have already cultivated a high level of visibility with senior management and used it to start talking about the necessary changes long before presenting the plan so that the senior leaders won’t be surprised, especially the CEO.
Management support is crucial for anything related to security—not just the budget. The cybersecurity manager simply cannot be successful without management support.
Sometimes the cybersecurity manager won’t have a centralised budget or a large enough budget to pay for everything, so they need to go to someone—perhaps the CFO—to ask for money. Of course, that means they have to know that person well enough to talk about their budget and spending and what needs to be done with security.
It pays to play the C-level money game—make it your business to be friends with the CFO. Every year, a few months before budgeting, all the C-level executives and department heads try to get close to the CFO of the company, or whoever has final approval on spending. The CFO is usually the most powerful person within those department heads. She might not make the decision alone, but she has powerful influence within the institution. If the cybersecurity manager gets a budget assigned by the CFO and is already friends with her, it’s going to help them immensely.
As long as the CFO understands the budget and thinks it’s a necessary expense for the company, it’s unlikely she’s going to cut that budget later. If the CFO is sceptical of the cybersecurity manager’s budget numbers or doesn’t understand the need, there’s a risk the cybersecurity manager will be laid off, or the CFO will find other reasons to cut the budget.
The cybersecurity manager can prepare for some of these possibilities. When building a team, the cybersecurity manager should think like an executive—when a company has a good year, every executive hires staff into less-senior roles, just to be able to cut those positions when the next layoffs come. People can shift into other roles, and there is plenty of headcount to let go when layoffs come. Similarly, a security management team of five people—which would only happen in a big company—can always consider bringing on a sixth person, just in case they have to shed numbers in a future budget cut.
There are many tricks and tactics like this that a cybersecurity manager can use to get a fair budget approved, but the politics and approval processes in each organisation are different, so the most important skill for a cybersecurity manager is learning who controls the levers of power. Then they can figure out how to operate those levers to maximise security and minimise risk.
2. “Gartner Says Many Organizations Falsely Equate IT Security Spending with Maturity,” Gartner Press Releases (December 9, 2016), https://www.gartner.com/en/newsroom/press-releases/2016-12-09-gartner-says-many-organizations-falsely-equate-it-security-spending-with-maturity.
3. Steve Morgan, “Cybersecurity Ventures Predicts Global Cybersecurity Spending will Exceed $1 Trillion from 2017 to 2021,” 2018 Cybersecurity Market Report (May 32, 2017), https://cybersecurityventures.com/cybersecurity-market-report/.