I have worked in finance roles in the tech industry for much of my career, but since joining Threat Stack I’ve had my eyes opened wide to the world of security. I have learned just how vital an effective security strategy is to the health of any modern business — and as a corollary, how critical a carefully planned security budget is.
Building a security budget can be a complex and sometimes fraught process, so I wanted to share some insights from my viewpoint as the CFO of a cloud security company. Below are five things I urge you to consider when you put together your own organization’s security budget.
1. Identify Your Crown Jewels
Before you start playing with the numbers or including line items, it is absolutely essential to figure out what the “crown jewels” of your business are. By this I mean: what data, intellectual property, systems, and other pieces of the business are most valuable? Which ones are business-critical or mission-critical and must absolutely remain protected — and how secure are they today?
For example, if you are a healthcare company, covered entity, or business associate, then protected health information (or PHI) is one of your crown jewels because it’s critical to the functioning of your business.
If you are a biotech company operating on the cutting edge of science, then your intellectual property will be a crown jewel. It must be protected at all costs for your business to flourish in today’s competitive landscape.
Every business will have different crown jewels, but every business has them. Identifying your crown jewels will offer clarity about where to focus your security efforts and how to prioritize various line items within your budget.
2. Define Business Risks
Next, you want to clearly define your business risks. While this is always something of a guessing game, it’s still important to take a realistic look at the potential threats to your business and the impact that each could have on your ability to continue to function and flourish.
Risks could include:
- Financial losses
- Competitive advantage
- Brand reputation
- Fines or legal repercussions
If you are able to quantify these risks, so much the better. The goal of defining your risks is to be able to run a cost/benefit analysis on your budget. If a security tool costs hundreds of dollars per year but protects your company from ransomware that could cost you thousands of dollars per incident, that may very well be worth investing in. If liability insurance costs thousands of dollars per year and protects you against the very real possibility of a million-dollar lawsuit, again, it’s likely worth it.
3. Calculate the Full ROI
I’ve written before about looking at security as an investment, not just as an expense. This is important because, in many cases, security is not just a protective measure, but can actually boost revenue for your business. Security measures can help the sales team win new business or open avenues in new industries. If your business were to proactively become HIPAA compliant and guarantee the safety of PHI, for example, you would be able to work with any healthcare-related company.
In other cases, investing in new security tools or processes can enable efficiency gains. You might be able to reduce headcount or, even better, allow your current employees to focus more on strategic, value-add projects, rather than busywork like alert handling.
As you analyze various line items in your proposed security budget, be sure to ask yourself not just how much they cost, but how much they could save you and/or how much revenue they could bring in. That’s the best way to get a full picture of whether a certain solution is worth the investment.
4. Cover All the Bases
A good security budget will include quite a few line items beyond what you might think of as traditional security expenditures. Depending on your organization, you may want to include some or all of the following in your budget:
- Employee salaries
- Managed service providers or contract employees
- Security tools
- Backup and data recovery
- Compliance tools
- Compliance audits (including headcount to prepare)
- Liability insurance and legal coverage
- Disaster recovery planning
- PR retainer
It’s easy to forget about things like liability insurance, PR, and data backup, since they may not, at first blush, seem to be directly connected to security. But think comprehensively, and be as thorough as you can to avoid budgetary surprises down the road.
5. Do Your Diligence on Tools
When I review budgets, I often ask teams tough questions. I want them to walk me through their thought process around each tool so I can be sure the money we are being asked to spend is bringing in enough value in return.
The kinds of questions I ask are:
- What tools do we currently have in place?
- Do any of the our current tools already do what the proposed new tools can do?
- If so, can we replace one or more of the tools we already have with the new ones?
- Did we fully explore all the options before settling on these?
- Do more cost-effective options exist? (If so, why is the one proposed the right one for our organization?)
- How will the proposed tools work with the ones we already have?
- What are the risks of doing nothing or going without this new tool?
Depending on your organization, you may need to ask some or all of these. It’s the job of a finance officer or team to make sure that we are spending the organization’s money in a way that will not just keep us secure in the short-term but will protect the health of the business for the long haul and even contribute to revenue streams when possible.
Final Words . . .
These are some of the biggest lessons I have learned since joining the Threat Stack team, which happily eats its own dog food when it comes to security technology.
What does your organization consider when it’s putting together a security budget? Tell us on Twitter @threatstack!