Why a cap-less cybersecurity budget could harm security

An unlimited cybersecurity budget may sound like a dream, but in reality it could do more harm than good for an enterprise. Expert Mike O. Villegas explains.

In a recent interview, Bank of America's CEO said his company spent $400 million on security last year and that this year's cybersecurity budget had no constraints or limits, after the board of directors had already increased security spending by 24% in 2015.

Cybersecurity budgets are rising, but is the Bank of America situation a trend? What are the pros and cons of this cap-less cybersecurity budget approach? How can CISOs avoid wasting money?

Not all organizations are Bank of America. Its cybersecurity budget may be unlimited, but the cybersecurity team at Bank of America would probably still have to justify its spending. There is no such thing as a blank check. If BofA Chairman and CEO Brian Moynihan is offering cybersecurity this enviable procurement dream, then he is foolish. It's unlikely that Moynihan is foolish, so he likely means that if cybersecurity can make a case for tools, resources or services, the funding for them will be granted.

Having a cap-less cybersecurity budget is a problem all organizations would love to have, but there are issues that come along with it. Anyone with a blank check to do with what they please will be prone to extravagance. A cap-less budget, even if an organization could afford it, means it buys what it wants, not necessarily what it needs. Security spending should be based on a mutual understanding, guidelines and accounting.

TechTarget 2016 Information Security Spending Survey

Avoid wasting cybersecurity funds

Security teams need to be good stewards with the cybersecurity budgets allotted to them in order to obtain the right complement of staff, automation, monitoring efforts, IT project consulting and management reporting. This allows security teams to control spending and demonstrate their expertise and wisdom in deploying the right level of protection to management. In order to do this effectively, security should take certain steps, including:

  • Develop an enterprise-wide security risk assessment. This ensures all mission-critical systems and their residual risk factors are identified, as well as determines the risk priority so the security team knows where to focus its efforts.
  • Create an inventory of existing tools for monitoring and maintaining protection of critical data, applications, servers, networks, users, Web and Internet events.
  • Perform a skills inventory that includes the number of staff, certifications, common body of knowledge in cybersecurity and training -- such as in-house conferences, external training, secure code training and vendor product training.
  • Determine the total cost of ownership for establishing the right complement of resources -- people and technology.
  • Create a Cybersecurity Center of Excellence with a management dashboard that reports on all monitored security metrics, derived from SIEM and federated identity management input, IDS statistics and compliance status for the regulations or guidelines your enterprise is required to maintain.
  • Lead by example and do not manage staff with fiats.
  • Make retention and staff development a key goal by challenging staff to improve and exceed cybersecurity expectations, ensuring competitive compensation for staff, infecting staff with your passion for cybersecurity and instilling strong professional ethics.
  • Embed cybersecurity into the corporate business culture where the security team is viewed as a business advisor and not one that creates excessive bureaucracy, inhibits productivity, or forces others into rolling disclosure in fear of their jobs.
  • Give business unit managers a reason to praise cybersecurity involvement and contributions. That message will filter up to executive management with amazing results.
  • Find the right blend of cybersecurity for the enterprise; do not over control, over monitor or over spend.
  • Do not seek to be the best or to have the latest state-of-the-art tools; seek excellence, which may translate not to the best but to what is right.
  • Do not unnecessarily spend remaining budget at the end of the year out of fear it will otherwise be taken away from security.
  • Above all, stay in regular communication with executive management (i.e., monthly meetings) to ensure they know what, how and why the team is spending its budget. Don't allow management to guess what security is doing and assume it was wrong when a breach or budget cut happens.

These steps may seem irrelevant when it comes to controlling spending; however, with a cap-less cybersecurity budget, the organization will have shelfware, high turnover, questionable spending, scope creep, or channels that go unattended because the staff is overly fascinated with the tool rather than its intended purpose. Parkinson's Law states that work expands so as to fill the time available for completion. Organizations should not find work for the security team or buy excessive tools, products and services just to use up a bottomless cybersecurity budget. It may seem enviable since few organizations have the issue of a cap-less budget, but it still doesn't ensure the organization is safe and secure.


This was last published in April 2016
