Infosec budgets. They are small, they largely come from IT, and CISOs/CSOs often complain they are not nearly big enough.

It’s a constant subject of debate, and rightly so; a security budget will indirectly influence how well a CISO protects their business and its assets - and frankly, how well they do their job (which, in turn, will determine how long they stay in it).

This isn’t meant to be all doom and gloom, however; clever CISOs/CSOs and CIOs understand they have to resource more carefully in today’s economically challenging times. For CISOs, that involves using money effectively, and making do with solutions they already have, in order to protect the assets they truly care about. It can also involve upskilling staff and rolling out cost-effective security awareness campaigns.

Be wary of the big black hole

IT security budgets are said to account for around 5 to 15 percent of overall IT budgets, depending on who you believe and how you define security.

Gartner, in a report released earlier this month, put this figure at around 5 percent, while sagely noting that making comparisons with industry peers is pointless as you could “be spending on the wrong things, and be extremely vulnerable.”

This illustrates that the security budget debate is a complex beast. These budgets will differ per organization, depending on reporting structure (reporting to your CIO rather than the CFO, for example, will most likely mean smaller budgets), C-level relationships, and the technology solutions already in place. Then there is making sure any new purchases are in line with the company’s existing risk management and compliance practices.

There are, subsequently, numerous questions for CISOs to ask: where should I focus my spending? Do we already have solutions to protect us? Is the vendor peddling snake oil? And what difference will this investment truly make to our ability to manage risk and improve security?

Knowing the threat landscape your organization faces is vital, and arguably seldom done; in Accenture’s High Performance Security Report 2016 - a survey of 2,000 security executives representing large enterprises - 53 percent said that the insider threat had the greatest material impact on their business, and yet most of these firms were prioritizing spending on endpoint and cloud security.

And in this age of ever-larger data breaches and increasingly sophisticated cyber-criminal groups, there is the danger of overspending... or of money going into a big black hole.

Let’s look at Bank of America. Last year, CEO Brian Moynihan said that the nation’s second largest lender would spend $400 million on cybersecurity in 2015. He added that, for the first time in 20 years of corporate budgeting, this would be the first business unit (cyber security) with no set budget.

BoA isn’t alone. JP Morgan - after being breached in August 2014 - said its cyber-security budget would top $500 million in 2016, more than double the $250 million it ploughed through in the year before, while a recent Crain’s article stated that Citibank’s IT security budget is around $300 million.

Yahoo Finance reports that Wells Fargo spends roughly $250 million a year on cybersecurity, and analyst firm Cybersecurity Ventures is forecasting further growth in the year ahead, both in government and business.

More money is good for obvious reasons, but smart money is even better, especially as there is often industry skepticism around the theory that more money equals better security.

Asking for more money

The Rolling Stones once sang ‘You can’t always get what you want’, but the truth is that this simply doesn’t apply to InfoSec budgeting.

If you align security with the business, can analyze and assess your team’s performance, and communicate well and openly with the board, there will always be opportunities for further discussions - and budget reevaluations.

Chris Gibson, CISO at UK-based financial services firm Close Brothers and formerly head of CERT-UK, says CISOs should be bold enough to ask for more money.

“How do CISOs get more money? By being able to talk in a language that business understands - and by that I mean risk,” he tells CSO Online.

Budget advice
- Effective risk management - do you have to protect ALL data and devices?
- Educate the board on security, and communicate in business terms
- Review the effectiveness of your budget on a continual basis
- Maximize the solutions and resources you already have, even if it means asking vendors about solutions you already own

“Traditionally, infosec is viewed as a cost to business and run by staff who are unable to understand risk management. Tech is a binary arena and often rules based. Risk is not - it's a sliding scale,” Gibson said. “What I need to do is articulate to the business and board the level of risk a decision affects. It's entirely possible, as they weigh up the total risk for a project, that I can minimize infosec risk which allows them to take more risk somewhere else in that project.

“By being able to articulate this, security heads will demonstrate the value that they bring to a business rather than the current perception of cost. That will greatly enhance visibility and allow boards to understand what our needs are - and then get a better budget settlement.”

Andy Rose, CISO and head of cybersecurity at air traffic company NATS, concurs, adding: “Build relationships with the exec and ensure that they understand the potential risks and consequences. Try and compare your firm with peers to show any differential in investment, leveraging ‘keeping up with industry best practice’.

“Weave security projects into other company initiatives labelled as ‘enablers’ – for example, you want remote access? Well, that can’t be done without 2FA – now you have a vehicle,” he said.

Martin Whitworth, group head of information security at Hitachi Capital, believes that you can get more simply by better understanding business objectives.

“Securing budget is all about showing how security is enabling business initiatives to take place. Work with the business to understand their priorities and then understand what security activities are required to make this happen. Then ... create a business case for the investment.”

Making the most out of what you have

Yet for all of the above, it’s almost guaranteed - unless you are a BoA or JPMorgan - that the money won’t stretch far enough.

Last year, while two-thirds of Institute of Information Security Professionals (IISP) members said that their security budgets had increased, 60 percent said that these were not keeping pace with the threat landscape. Only 7 percent reported their security budgets were rising faster than the threat.

Gibson adds that, even if you don’t have the optimal budget, you can still get the most out of it.

“It's all about risk. I could try and defend the entire network from all attacks but, realistically, the only way to do that is to turn it off... We need to work in a smarter way - defending the data we care most about but having a base level of defense across the entire network.”

Rose, meanwhile, has some sage advice, urging CISOs to contact their vendors to see if they are getting the most out of their existing solutions.

“Contact the vendor, ask what services you are paying for that you haven’t yet implemented. Review their product set and see what other functionality you can get for an incremental license cost. Also look to expand coverage across the estate and simplify your toolset – if you have one management app for desktops and one for laptops, can you consolidate and simplify?”

Whitworth is more direct still: “It's all about good management - keep an eye on the costs, good project management (or sponsorship), asking those simple questions - why? when? what?”

Steve Wright, group data privacy and InfoSec officer at retailer John Lewis, has some useful tips of his own for making the money last - and ensuring it is spent in the right places.

He detailed the importance of an effectiveness review - seeing if your budget is effective for purpose - and says that 2017 should see CISOs and heads of infosec invest more in predicting their security capability. Yet he warned of the challenge of the “speed of changing spending habits” in the year ahead, which is perhaps unsurprising given that SANS indicates a whole host of new and emerging spaces to spend money on.

So, big or small, there are ways of making your security budget work harder for you. And with 2017 weeks away, what better time to start?