Many company boards now have a clear focus on information security risks, although this isn’t always reflected across the broader organisation. Security and risk management professionals must manage and defend security budgets to meet stakeholder expectations of protection.
One of the challenges for CISOs is to ensure that there is enough budget to deliver a level of security that meets these expectations. Security budgets in most industries currently sit at roughly five percent of the total IT budget, according to Gartner’s research. Though IT budgets have grown since 2011, funding can easily revert back to underinvestment if CISOs can’t clearly demonstrate the benefits of a larger budget request.
Despite widespread optimism for budget growth, security budgets have declined since 2014, partly because the initial alarm raised by the high-profile attacks of 2014 has subsided.
Another reason is the movement toward digital business. Gartner’s research shows that 50 percent of IT spending is shared with business units outside of IT, and security spending is often spread across various processes and business units. This spending is sometimes distributed unevenly and, in many cases, is not allocated directly toward explicit security purposes.
For organisations in several industries, the expanding interest in contemporary technologies and services such as mobile device management, cloud, the Internet of Things and virtualisation should include a discussion on what protection the enterprise requires to exploit these technologies reliably.
In addition, compliance tempts organisations to focus too much energy on checking boxes to achieve regulatory and compliance requirements, leaving other security requirements underfunded.
Market benchmarking can be the start, not the end, of a conversation
Industry behaviour can be a valuable guide if you’re looking to anticipate risks. However, what really matters is the management of your own risks, not the meeting of an average industry figure. It’s important to avoid benchmarking against other organisations as a proxy for what you should be spending.
Your organisation’s security budget must address its specific objectives, technologies and risk. The responsibility to shape such a budget falls to the CISO. Gaining executive support and approval for this budget — which could be larger than past security budgets — falls to them as well.
CISOs are obligated to manage a budget that can expand with the need for new skills, as more and more security technologies and procedures become valued tools. To do this, they must appear, in the eyes of their superiors, colleagues and peers, just as interested in business objectives as they are in security and technical issues.
In the boardroom, in a one-on-one interaction or in a peer forum, a CISO can use a range of tactics to convince decision makers that their precise budget will protect the company and allow it to succeed.
Creating a balance
According to recent Gartner research, only 10 percent of security budgets will adequately address the convergence of IT, operational technology and the Internet of Things by 2020, up from less than one percent today.
While it’s the CISO’s responsibility to orchestrate appropriate levels of security, budget allocation is often negatively influenced by unfavourable peer impressions and limited influence, both at executive levels and throughout the organisation. Security funding must create a balance between the priorities of protection and those of revenue growth and business development.
Furthermore, while compliance and regulatory focus is important, a stronger argument can be made by positioning the same programs in the context of business development and reliable delivery to customers, as well as adequate management of risk.
Security continues to grow in importance at the top
Regardless of how the security budget is allocated, the 2016 Gartner CIO Agenda survey indicated that security continues to grow in importance at the highest levels of business, along with opportunities for expanded security budgeting.
Sixty-one percent of organisations said their security budget will increase this year, with an 18 percent average increase. More CIOs rate security in their top three strategic priorities than two years ago, and security is now the seventh highest priority for new technology spending.
Intensifying concern for security is resulting in larger budgets, expanded head counts and new technology acquisitions. This also comes with heightened expectations that will not be met if the CISO does not use proper tactics when interacting with colleagues and executives, and when considering specific risks.
About the author
Rob McMillan is a research director for information security at Gartner, covering strategic planning, security policy and governance, data loss prevention, security incident response, threat intelligence services, risk management and security metrics. Rob joined Gartner in 2010 after almost nine years in information security at the Commonwealth Bank of Australia. He was co-founder and general manager of AusCERT and spent four years with CERT in the US.