How to get more from your security budget

Infosec budgets. They are small, they largely come from IT, and CISOs/CSOs often complain they are not nearly big enough.

It's a constant subject of debate and rightly so; a security budget will indirectly influence how well a CISO protects their business and its assets – and frankly, how well they do their job (which, in turn, will determine how long they stay in it).

This isn't meant to be all doom and gloom however; clever CISOs/CSOs and CIOs understand they have to resource more carefully in today's economically challenging times. For CISOs, that involves using money effectively, and making do with solutions they already have, in order to protect the assets they truly care about. It can also involve upskilling staff, and rolling out cost effective security awareness campaigns.

Be wary of the big black hole

IT security budgets are said to account for around 5 to 15 percent of overall IT budgets, depending on who you believe, and how you define security.

Gartner, in a report released earlier this month, put this figure around 5 percent, while sagely noting that making comparisons with industry peers is pointless as you could "be spending on the wrong things, and and be extremely vulnerable."

This is illustrates that the security budget debate is a complex beast. These budgets will differ per organization, depending on reporting structure (reporting to your CIO, rather than the CFO for example, will most likely see smaller budgets), C-level relationships, and the existing technology solutions already in place. Then there is making sure any new purchases are in-line with the company's existing risk management and compliance practices.

There are, subsequently, numerous questions for CISOs to ask: where should I focus my spending? Do we have solutions already to protect us? Is the vendor peddling snake oil? And what differences will this investment truly make to our ability to manage risk and improve security?

Knowing the threat landscape your organization faces is vital, and arguably seldom done; in Accenture's High Performance Security Report 2016 – a survey of 2,000 security executives representing large enterprises, 53 percent said that the insider threat had the most impact materially on their business, and yet most of these firms were prioritizing spending on endpoint and cloud security.

And in this age of ever-larger data breaches, and increasingly sophisticated cyber-criminal groups, there is the danger of overspending…or money going into a big black hole.

Let's look at Bank of America. Last year, CEO Brian Moynihan said that the nation's second largest lender would spend $400 million on cybersecurity in 2015. He added that for the first time in 20 years of corporate budgeting, this would be the first business unit (cyber security) with no set budget.

BoA isn't alone, JP Morgan – after being breached in August 2014 – said its cyber-security budget would top $500 million in 2016, more than double the $250 million it ploughed through in the year before, while Crain's article recently stated that Citibank's IT security budget is around $300 million.

Yahoo Finance reports that Wells Fargo spends roughly $250 million a year on cybersecurity, and analyst firm Cybersecurity Ventures is forecasting further growth in the year ahead, both in government and business.

More money is good for obvious reasons, but smart money is even better, especially as there is often industry skepticism around the theory that more money equals better security.

Asking for more money

Rolling Stones once sang 'You can't always get what you want', but the truth is that this simply doesn't apply for InfoSec budgeting.

If you align security with business, can analyze and assess your team's performance, and communicate well and openly with the board, there will always be opportunities for further discussions – and budget reevaluations.

Chris Gibson, CISO at UK-based financial services firm Close Brothers and formerly head of CERT-UK, says CISOs should be bold enough to ask for more money.

[ ALSO ON CSO: Do these 3 things to get the security budget you want ]

"How do CISOs get more money? By being able to talk in a language that business understands – and by that I mean risk," he tells CSO Online.

"Traditionally, infosec is viewed as a cost to business and run by staff who are unable to understand risk management. Tech is a binary arena and often rules based. Risk is not – it’s a sliding scale,” Gibson said. "What I need to do is articulate to the business and board the level of risk a decision effects. It’s entirely possible, as they weigh up the total risk for a project, that I can minimize infosec risk which allows them to take more risk somewhere else in that project.

"By being able to articulate this, security heads will demonstrate the value that bring to a business rather than the current perception of cost. That will greatly enhance visibility and allow boards to understand what our needs are – and then get a better budget settlement."

[ RELATED: Where to cut corners when the security budget gets tight ]

Andy Rose, CISO and head of cybersecurity at air traffic company NATS, concurs, adding: "Build relationships with the exec and ensure that they understand the potential risks and consequences. Try and compare your firm with peers to show any differential in investment, leveraging 'keeping up with industry best practice'.

"Weave security projects into other company initiatives labelled as 'enablers' - for example, you want remote access? well that can't be done without 2FA - now you have a vehicle,” he said.

Martin Whitworth, group head of information security at Hitachi Capital, believes that you can get more, by simply better understanding business objectives.

"Securing budget is all about showing how security is enabling business initiatives to take place. Work with the business to understand their priorities and then understand what security activities are required to make this happen. Then … create a business case for the investment."

Making the most out of what you have

Yet for all for the above, it's almost guaranteed – unless you are a BoA or JPMorgan – that the money won't stretch far enough.

Last year, while two-thirds of the Institute of Information Security Professionals (IISP) members said that their security budgets had increased, 60 percent said that these were not keeping pace with the threat landscape. Only 7 percent reported their security budgets were rising faster than the threat.

Gibson adds that, even if you don't have the optimal budget, you can still get the most out of it.

"It’s all about risk. I could try and defend the entire network from all attacks but, realistically, the only way to do that is to turn it off…We need to work in a smarter way – defending the data we care most about but having a base level of defense across the entire network."

Rose, meanwhile, has some sage advice, urging CISOs to contact their vendors to see if they are getting the most out of their existing solutions.

"Contact the vendor, ask what services you are paying for that you haven't yet implemented. Review their product set and see what other functionality you can get for an incremental license cost. Also look to expand coverage across the estate and simplify your toolset - if you have one management app for desktop and one for laptops, can you consolidate and simplify?"

Whitworth is more direct still: "It’s all about good management – keep an eye on the costs, good project management (or sponsorship), asking those simple questions – why? when? what?"

Steve Wright, group data privacy and InfoSec officer at retailer John Lewis, said, has some useful tips of his own for making the money last – and being spent in the right places.

[ ALSO: How to be a successful CISO without a ‘real’ cybersecurity budget ]

He detailed the importance of an effectiveness review – seeing if your budget is effective for purpose – and says that 2017 should see CISOs/head of infosec invest more in predicting their security capability. Yet he warned of the challenge of the "speed of changing spending habits" in the year ahead, which is perhaps unsurprising given SANS indicates a whole host of new and emerging spaces to spend money on.

So, big or small, there are ways of making your security budget work harder for you. And with 2017 weeks away, what better time to start?