Key questions to mull as you head into infosec budgeting season

Opinion
Aug 22, 2016
IT Leadership | IT Strategy | ROI and Metrics

Warm temperatures signal the beginning of budgeting season. As you ponder the "heat" of August, here are some tips from a financial perspective that will hopefully keep you out of hot water come budget approval time.

Before you became an executive, the humidity and high temperatures of August meant vacation time. Now they mean that the annual budget process is about to begin. Even hackers don't take vacation time these days! Maybe you don't need your numbers yet, but information security and risk management teams are already doing their reconnaissance to determine what their technology solutions may cost and whether they have a chance of getting them through the corporate budgeting process.

No doubt, with your appointment as an executive, you have developed the requisite skills to navigate this annual corporate game. But as you have come to realize over the years, budgeting rules and expectations continually change, forcing you and your team to deliver more with fewer resources. Each company's culture and budgeting practices are different, so you will need to adapt to your unique situation.

I've identified a few things that "we bean counters" either look for or talk about behind your back. Hopefully, this will help you better justify your budget and get what you "desire" for the coming year.

Are you using what you bought last year?

You thought bygones were bygones and that we had forgotten what you bought last year. You convinced accounting that the new security tool hitting the market was a must-have. You told them how the world would be a better place and how, once implemented, the new tool would significantly strengthen the organization's security posture and facilitate the company's entry into new distribution channels.

So how's the implementation going? We both know that so many things have come up since you purchased the tool that you just haven't had the time, priority, bandwidth, etc., to implement it. Plus, as with every new tool, you may have assumed that it would do more than it actually does.

From an accounting perspective, this is called a failure. Because traditional budgeting techniques that focus on objective criteria like ROI are not always practical for security spending, decision makers rely more heavily on your representations and your reputation within the organization. Not delivering on promises made last year, or appearing to have "wasted" the prior year's investment, is a deal-killer for future budget requests.

What are our peers doing to solve the problem for which you want the budget?

Why do we need it if our competitors don't? While preparing budgets, we financial types love to compare, or "benchmark," our company's performance against others. And by others I mean the organizations that realistically reflect what business we are in, what type of business we want to be, and what it will take to get there.

Where most benchmarking falls short is that we do not compare our risk appetites and tolerances to those of our competitors. Most organizations, and therefore their risk and information security management functions, do not necessarily need to be "bleeding edge," but they must position themselves to provide a level of diligence and compliance appropriate to the industry in which they operate. Obtaining "comps," that is, examples of competitors addressing the same risks more effectively, or identifying lessons learned from competitor breaches, can provide powerful support for your budget requests.

What are the alternatives to getting this done?

Business people know that there is usually more than one way to accomplish an objective. When presenting budget requests, as is frequently done in professional sales practice, it is helpful to offer a small number of alternatives, each with different costs, savings, paybacks and risk mitigation values, so that decision makers can choose the option that best addresses their need (measured against the baseline of not funding anything at all). In addition, the effort of working through the alternatives and selecting the optimal option sharpens the information security and risk management executive's own understanding of the problem, which strengthens the budgeting argument and makes a more compelling case for approval.

Have we explored partnering with an outside vendor who can manage this?

Most information security functions are well aware of the strategic use of outsourcing (and I include the entire cloud and subcontractor ecosystem here as well). There are many reasons why a company may choose an outsourced solution. From a financial perspective, the budgeting process is more concerned with how the transaction will be accounted for (e.g., many financial professionals will champion an outsourced solution because it facilitates matching expenses to the period in which the related revenue occurs). Add to that the opportunity to limit head count and to place reliance on the "supposed expertise" of a "third-party expert," and you can better understand why you need to be prepared to address this question with financial professionals. Be ready, too, to explain how you will oversee that third party, since outsourcing the work does not outsource your accountability for the risk.


Can you effectively communicate the “have to” of the problem that you are trying to solve?

No matter how good your budget proposal is, or how important it may be to safeguarding your organization, you will need to communicate your case effectively to get it approved. You will need to translate your great technology solution into something that business people can understand. By focusing on the organization's needs and communicating why your solution is necessary for the business, you put yourself in a far better position to get that budget approved.

Financial types will approve needed budget requests, but it is your job to ensure they understand what they are buying or investing in.

Contributor

Joel Lanz is the founder and principal of Joel Lanz, CPA, P.C., a niche CPA practice focusing on information and technology governance, risk, compliance and auditing. Prior to starting his practice in 2001, Joel was a technology risk consulting partner at Arthur Andersen (1995-2001) and a manager at Price Waterhouse (1986-1991). He currently serves as a reference member of the American Cancer Society's audit committee. His industry experience includes a job as vice president and audit manager at The Chase Manhattan Bank (1991-1995) and senior IT auditor positions at two insurance companies (1981-1986).

Joel currently chairs the AICPA’s Information Management and Technology Assurance Executive Committee and previously chaired the AICPA's CITP credential committee (IT specialist certification for CPAs) and co-chaired the AICPA’s Top Technology Initiatives Task Force. Joel's prior contributions to professional organizations include serving as chairman of the New York State Society of CPAs Technology Assurance and Information Technology Committees.

Joel is a member of the editorial board of The CPA Journal. He frequently speaks at professional society and industry conferences, including the AICPA, NYSSCPA and IIA, and he is an adjunct professor at New York University’s Stern School of Business and at the State University of New York's College at Old Westbury.

Joel holds a BBA in accounting and an MBA with a focus on information systems from Pace University's Lubin School of Business Administration.

The opinions expressed in this blog are those of Joel Lanz and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.