What are the best approaches for security budgeting?

Finding dollars for information security in the enterprise can be challenging. Expert Joseph Granneman offers advice on strategic security budgeting.

I'm new to security management and budgeting, and I'm trying to come up with an effective information security spending plan. Do you have any tips for a strategic approach to security budgeting?

There have been a lot of advancements in information security technologies over the last decade -- next-generation firewalls and improved intrusion prevention systems to name a few. However, this past year has shown successful cyberattacks and data breaches are all too common. The attacks are growing in sophistication to address the new defensive technologies in a type of cyber-arms race. However, the sophistication of attacks isn't necessarily the root cause of the dramatic increase in the number of breaches.

Breaches have increased simply due to a lack of enterprise focus on information security as a strategic priority.  Information security has often been perceived as a roadblock to successfully deploying new projects or products.  This perception is directly related to the immaturity of the information security industry.  The auto industry went through a similar phase with regard to passenger safety.  Seatbelts and airbags were only added when required by legislation because developing safer products took more time and didn't drive sales of automobiles until much later.  Security budgeting is often driven by bare-minimum requirements to achieve compliance instead of being woven into the fabric of enterprise strategy, where it can be most effective.

There are steps a CISO or information security manager can take to help move information security from an overhead expense into a strategic opportunity. Here are three examples:

First, security leadership is important. Most business leaders have only a rudimentary understanding of what a CISO role encompasses.  They know that the role exists to provide security and compliance.  This fact could be viewed as a disadvantage, but it is actually an opportunity.  This ambiguity provides an empty canvas for CISOs to define the role for themselves and change the perception of information security from cost center to strategic partner.  This strong information security leadership can then build the support required from other business leaders for strategic security budgeting. 

Second, avoid the so-called firefighting approach. Many security leaders fall into the trap of only being reactionary.  This can be due to a lack of resources, inheriting an insecure environment, or even an addiction to the thrill of firefighting.  Effective security leaders understand they can't always be out on the front lines in order to build effective strategies.  They may have to outsource certain functions or build automated processes in order to focus on the big picture.  It seems counterintuitive, but spending time to build a case to leadership to acquire more resources will have a greater overall impact than grabbing a keyboard and writing a new firewall rule.  

The final step to building support for strategic budgeting of information security is to focus on developing and reporting metrics.  It is critical that security leaders be brutally honest about the shortcomings of their current information security program, and actionable data in the way of metrics and reports will be the best way to deliver that honest assessment.  Metrics will vary between enterprise security departments because they should be company-specific.  And metrics that will have the most impact are those that can be tied back to specific products or services that the enterprise offers; the percentage of customers that lose personal information through a company-developed mobile application is a good example of a potential metric.  This percentage should ultimately decrease due to stronger security practices that are put in place, which will in turn require strategic security budgeting.

Strategic security budgeting can go a long way towards preventing many of the recent large data breaches. This type of budgeting is difficult because information security is still an area that is not easily understood by business leaders. The CISO or information security manager must provide strong leadership to help educate these leaders on the benefits of strategic information security budgeting. They also need to remove themselves from daily firefighting activities in order to focus on high-level tactics, which include developing and reporting on metrics.

My hope is that there will come a day when the importance of information security in business strategy is as easily understood as the importance of airbags or seatbelts in a car.  It is an exciting time to be in information security as today's CISOs and information security leaders get the opportunity to forge that path. 


This was last published in January 2015
