Defending your security budget

The world of IT is changing rapidly. You’re probably being asked to do more with a smaller security budget, while simultaneously being expected to transform your department. After all, with the growing trend of BYOD, you don’t have to provide equipment and applications so much as you just have to provide governance, so why do you need all that money? You need to defend your budget, because as IT changes, security changes and new risks surface that you’ll be expected to deal with.

Over the last five years, more companies are leaning towards information security specialists and away from IT personnel. In a recent survey taken at the Black Hat USA 2013 security conference, 44% of respondents would like to increase security by having more security professionals on staff. Yet, only 32% were interested in increasing the security budget.

Defend your budget to the C-suite

You need to talk in terms your supervisors understand and care about. Since we’re talking about budget, try to focus on money. Investing in security up front has the potential to save the company money.

A recent study by Symantec shows that the U.S. is among the countries with the most expensive data breach cost at $188 per record. The U.S. is also near the top of the list for average number of files breached and overall spent $5.4 million on cleaning up breaches already in 2013 alone, more than any other country.

How can these data breach costs be reduced? The report found that the biggest factors in bringing down the cost of a data breach include the following:

• Strong security posture
• Incident response plans
• C-level information security professional
• Consultants to support data breach remediation

Your security budget should include funds for these four factors. Know what it costs to have a strong security posture, a good incident response team and plan and to bring in consultants when needed.

Having a security professional in the C-suite would certainly help make defending your budget less of a chore. But if that isn’t possible, know how to defend the cost of security using the cost of a good security system versus the potential cost of cleaning up after you’ve been compromised.

Defend your budget by prioritizing

You need to make the most of what you’ve got. If your budget isn’t going to cover everything, you need to prioritize and make sure it covers the most important risks.

Relentlessly pursuing mobile security threats that will be nearly impossible to eradicate could leave your company exposed to more embarrassing breaches. You need to protect your big data and prevent back end hackers from getting in; the type of risk that threatens your company’s reputation and makes the news. You shouldn’t ignore smaller threats, but prioritizing will help you make the most of the budget you have. It will be difficult to defend a security budget if a data breach causes the organization to lose credibility and customers.

A solid plan with prioritized risks can also help you show management exactly where the money runs out and which risks can’t be covered sufficiently.

When it comes to security, the less that happens the better. Having no breaches is great news, but it might not seem like much to management who doesn’t necessarily understand the risks involved in today’s digital world. To show the value of defense, you must be able to explain the risk. Knowing where your money is going and what your budget protects will help you make a case for your security budget in a compelling way that management can understand.