- Year after year, CISOs need to develop a comprehensive security budget that is able to mitigate against threats.
- This budget will have to be defended against many other stakeholders to ensure there is proper funding.
- Security budgets are unlike other departmental budgets. Increases or decreases in the budget can drastically affect the organizational risk level.
- CISOs struggle with the ability to assess the effectiveness of their security controls and where to allocate money.
Our Advice
Critical Insight
- CISOs can demonstrate the value of security when they correlate mitigations to business operations and attribute future budgetary needs to business evolution.
- To identify the critical areas and issues that must be reflected in your security budget, develop a comprehensive corporate risk analysis and mitigation effectiveness model, which will illustrate where the moving targets are in your security posture.
Impact and Result
- Info-Tech’s methodology moves you away from the traditional budgeting approach to building a budget that is designed to be as dynamic as the business growth model.
- Collect your organization's requirements and build different budget options to describe how increases and decreases can affect the risk level.
- Discuss the different budgets with the business to determine what level of funding is needed for the desired level of security.
- Gain
approval of your budget early by preshopping and presenting the
budget to individual stakeholders prior to the final budget approval process.
Build, Optimize, and Present a Risk-Based Security Budget Research & Tools
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should build, optimize, and present a risk-based security budget, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.Besides the small introduction, subscribers and consulting clients within this management domain have access to:
- Build, Optimize, and Present a Risk-Based Security Budget – Phases 1-3
1. Review requirements for the budget
Collect and review the required information for your security budget.
- Build, Optimize, and Present a Risk-Based Security Budget – Phase 1: Review Requirements for the Budget
2. Build the budget
Take your requirements and build a risk-based security budget.
- Build, Optimize, and Present a Risk-Based Security Budget – Phase 2: Build the Budget
- Security Budgeting Tool
3. Present the budget
Gain approval from business stakeholders by presenting the budget.
- Build, Optimize, and Present a Risk-Based Security Budget – Phase 3: Present the Budget
- Preshopping Security Budget Presentation Template
- Final Security Budget Presentation Template
Workshop: Build, Optimize, and Present a Risk-Based Security Budget
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
1 Review Requirements for the Budget
The Purpose
Understand your organization’s security requirements.
Collect and review the requirements.
Key Benefits Achieved
Requirements are gathered and understood, and they will provide priorities for the security budget.
Activities
1.1 Define the scope and boundaries of the security budget.
1.2 Review the security strategy.
1.3 Review other requirements as needed, such as the mitigation effectiveness assessment or risk tolerance level.
Outputs
Defined scope and boundaries of the security budget
2 Build the Budget
The Purpose
Map business capabilities to security controls.
Create a budget that represents how risk can affect the organization.
Key Benefits Achieved
Finalized security budget that presents three different options to account for risk and mitigations.
Activities
2.1 Identify major business capabilities.
2.2 Map capabilities to IT systems and security controls.
2.3 Categorize security controls by bare minimum, standard practice, and ideal.
2.4 Input all security controls.
2.5 Input all other expenses related to security.
2.6 Review the different budget options.
2.7 Optimize the budget through defense-in-depth options.
2.8 Finalize the budget.
Outputs
Identified major business capabilities, mapped to the IT systems and controls
Completed security budget providing three different options based on risk associated
Optimized security budget
3 Present the Budget
The Purpose
Prepare a presentation to speak with stakeholders early and build support prior to budget approvals.
Present a pilot presentation and incorporate any feedback.
Prepare for the final budget presentation.
Key Benefits Achieved
Final presentations in which to present the completed budget and gain stakeholder feedback.
Activities
3.1 Begin developing a communication strategy.
3.2 Build the preshopping report.
3.3 Practice the presentation.
3.4 Conduct preshopping discussions with stakeholders.
3.5 Collect initial feedback and incorporate into the budget.
3.6 Prepare for the final budget presentation.
Outputs
Preshopping Report
Final Budget Presentation