In this paper, I will explore the numerous aspects of budgeting within an organization, with a focus on its security department. I will discuss all areas of budgets, including how they are forecasted, created, implemented, and managed within an organization’s security department, as well as the many benefits of having one. I will then explain how security affects the budgeting process and provide and compare examples of commonly used metrics and methods. Finally, I will identify and explain an information security-specific budgeting process model, in the form of ERP (enterprise resource planning) and asset procurement policies. With this paper, the reader will be able to understand and develop their own methods of applying security practices and financial procedures to developing and managing a security department within an organization, as well as use the same research and policies organization-wide.
How are budgets created, implemented, and supervised in a security department? Why is it important to have a budget in a security department?
In any successful organization, researching, defining, setting, forecasting, documenting, protecting, and communicating budgets in every department is as vital as the products or services the company sells or offers. In a security department, the objectives laid out by upper management in terms of risk assessment, mitigation, and the securing of assets can only be set and met effectively when adequate financial resources are available now and into the future.
Budgets in the security department can vary in who owns the budgeting process, but typically, either the CIO, CSO, or CTO is charged with developing and managing the security budget (with direction and general financial allowances received from the CEO, stakeholders, or the board), while security middle management provides the necessary information concerning past, current, and proposed future costs, risks, personnel changes, forecasted upgrades, and maintenance. In conjunction with security personnel, upper-to-middle management’s budgeting activities will involve direct communication with IT and other departments, such as finance or accounting.
Budgeting issues can bring even the most sophisticated security team and their protective measures to their knees, and problems can and will happen; however, a well-formulated and researched budget should take into account these possible events, thus allowing some cushion for natural disasters, bugs, human error, or even cyberattacks, in the form of a financial safety net (extra resources to be used in the case of an emergency) or a well-developed policy and procedure outlining what to do in the event of such a catastrophe.
As with any department in an organization, proper documentation and the creation and enforcement of financial forms and policies are vital to the continuous updating and improvement of the entire budgeting process. Similar to information asset hardening, a complex document covering each task involved in researching the necessary costs for continuing security operations, as well as how to get new projects approved by each management-tier, is required for a proper budgeting system.
How does security work within an organization’s budgeting process? Include at least two common metrics associated with security and an organization’s budget.
Security has an essential role in an organization’s budgeting process in that it directly impacts the organization’s ability to both earn and retain profit. In security, budgets allow for the safeguarding of all organizational assets, both on the physical and digital front. Also, because nothing in the world of IT stays the same for long, security budgets need to be sophisticated enough, and reviewed and updated often enough, to adequately plan for combating new viruses, attacks, and human errors, and to improve past, current, and future rules and regulations regarding the allocation and spending of funds.
When it comes to security budgets, providing key metrics in the goal of identifying and accessing the resources necessary for the continuation of defensive practices, as well as additional funds for upgrading and improving systems, is vital to communicating what the department requires. In budget meetings, upper-management desires to know how security will impact the organization’s ability to perform and earn, as well as meet its mission goals. One metric that can clearly identify the reasoning behind security costs is the ‘cost of detection,’ in singular events. In other words, what is the estimated cost to identify a threat or potential error in a system? In addition to the cost of detection, the ‘time to detect and fix’ provides board members and executives the time frame in which an identified problem can be solved. By piecing together the cost of finding a risk and the time to find a solution, the budget for security can be increased or decreased appropriately based on the actual cybersecurity capabilities and goals of the department (Goodchild, 2018).
Explain in detail at least two common methods for budgeting. Compare and contrast each method.
There are many methods of budgeting one can implement, including incremental and activity-based. Incremental budgeting involves using the previous year’s financial records, adding or subtracting a percentage based on factors such as growth, market value, and inflation, and then using the final number for the next year’s budget. The incremental budget method is widely used as it is easy to design and enforce, and once this method has been utilized for several years, it offers a pattern of growth, allowing for further optimization of future budgets. Incremental budgeting, while effective if the organization’s typical costs remain constant, can pose complications if there are variations. Also, as a manager, knowing that next year’s budget depends directly on what was offered or spent in the previous year can influence a manager to falsely increase their spending to receive more resources for the next year; this leads to inaccurate financial data, as well as poorly utilized resources (CFI, n.d.).
Activity-based budgeting is another commonly used method; in this process, a top-down approach of deciphering the correlation of inputs (business practices, sales, transactions) to outputs (revenue, sales) is used to meet the next year’s forecasted income target (CFI, n.d.). While the activity-based budgeting system can be excellent for many types of organizations, there is more room for improperly allocated funds, as basing the budget merely on what you wish to earn in the next year, with no regard for what you spent in the previous year, can lead to oversaturation of resources and thus wasted funds. In security, the activity-based approach wouldn’t be as ideal as, for example, the incremental approach, as security’s effectiveness isn’t judged on what the department earns, but instead on what income (and reputation) it protects.
Find and explain at least one other information security budgeting process model.
In my opinion, the most remarkable budgeting tools upper-to-middle security management can utilize are ERP (enterprise resource planning) and asset procurement policies. Without an asset policy or ERP system to follow, it is often up to lower-management IT and infosec staff to decide who/what requires new equipment, what options are available, what security risks are present, and how to stay under budget; this can be potentially damaging as without proper communication from middle-to-upper management, enforcing budgets and meeting objectives can be quite daunting for those not well-versed in the practice.
There are several phases to the process of creating an ERP and asset procurement policy. For the research phase, one will want to gather data about the size of the company, the budget they are allotted, employee types, security threats, asset categories, replacement criteria, and the hardware/software it is currently using. Separating assets into categories minimizes the thinking involved, paperwork, and the time to solve each asset request. While assets can be broken down into several categories, there are often two main types: consumable and permanent.
Consumables are items such as inexpensive keyboards, headphones, mice, batteries, and USB cables; many of these items do not need to be itemized and tagged, providing the employee with a simple process of, for example, acquiring a new keyboard after a coffee incident. If one is in a smaller company with a more modest budget, or suspects an employee is abusing consumable asset replacements, it might help to document the consumable inventory and all requests. Consumable asset quantities will change often, and quickly; due to this, these items should be stored so that one can easily see if a stock is getting low without counting them. Minimal thinking leads to minimal paperwork, which in turn allows management to budget properly.
Permanent assets make up the bulk of the IT and infosec inventory and budget; thus, they can be further separated into multiple categories. Some example categories are travel, normal, and high-power. ‘Travel’ items are intended for employees who are mobile and do not require considerable operating power, such as salesmen, whereas a developer would require more advanced ‘high-power’ items. For those who do not fit in either the ‘travel’ or ‘high-power’ categories, they would receive ‘normal’ equipment. With the help of HR regarding new hires, IT can have their equipment ready in advance, prepare for future expansion, and turn budget nightmares into something more reasonable.
For larger companies, setting equipment standards is of great help by limiting the choices down to only a few versions of each device; for example, allowing employees to choose one out of two options of cell phones and PCs. By standardizing which equipment employees may choose, the company can prepare security procedures beforehand, reducing the threat of exposing the network to, for example, a potentially hazardous laptop without any form of anti-virus software installed.
Another benefit of setting strict standards is being able to control what OS employees run, seamlessly roll out updates, and avoid favoritism. If an employee requests a device that differs from the standard options, have that employee provide the business justification, additional cost, and finally, the approval of the item from their manager, depending on the company. Making sure one researches and lists any possible security concerns with introducing a non-standard device to their superiors or the individuals requesting the item is another excellent practice to follow. More often than not, adding a new IT device that differs from what the IT and infosec team is accustomed to should be avoided, if possible.
A replacement program should also be introduced, which cycles equipment from old to new, to ensure that older devices are automatically replaced before they become obsolete. A replacement program should be as automated as possible, using data from the IT asset management system and a well-built timeline of each piece of hardware’s lifecycle. A simple method of deciding which devices need to be replaced is to use warranty expirations. For example, set a rule that rounds warranty expirations to the nearest half-year, so that the warranties that expire in the first half of the year get replaced in the second half. By carefully researching hardware and replacing it before any issues occur, security can have greater visibility of any future problems and reduce the number of outages and downtime, thus benefiting budgets greatly.
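The half-year warranty rule described above can be implemented as a small scheduling script over an asset inventory export. The following is an added example, not code from the paper or from any asset management product; the inventory records, asset tags, categories (travel, normal, high-power), replacement costs, and the extension of the rule to warranties expiring in the second half of a year (replaced in the first half of the following year) are all assumptions made for the illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    """One permanent asset as it might be exported from an IT asset management system."""
    tag: str               # asset tag (constructed values below)
    category: str          # 'travel', 'normal' or 'high-power', the categories used in the paper
    model: str             # standardized model name (assumed)
    warranty_end: date     # warranty expiration date
    replacement_cost: float  # assumed cost of the standard replacement device


def half_year(d: date) -> tuple[int, int]:
    """Map a date to (year, half): half 1 is January-June, half 2 is July-December."""
    return (d.year, 1 if d.month <= 6 else 2)


def replacement_window(warranty_end: date) -> tuple[int, int]:
    """Warranties expiring in the first half are replaced in the second half of the same year.
    Assumed symmetric extension: warranties expiring in the second half are replaced in the
    first half of the following year."""
    year, half = half_year(warranty_end)
    return (year, 2) if half == 1 else (year + 1, 1)


def build_schedule(assets: list[Asset], today: date) -> dict:
    """Group assets by their replacement window. A window that already lies in the past
    relative to 'today' is collected under the key 'overdue' so it surfaces immediately."""
    schedule: dict = defaultdict(list)
    current = half_year(today)
    for asset in assets:
        window = replacement_window(asset.warranty_end)
        key = "overdue" if window < current else window
        schedule[key].append(asset)
    return dict(schedule)


def budget_by_window(schedule: dict) -> dict:
    """Sum replacement cost per window and per category, which is the number management
    needs when forecasting the half-year hardware line of the security budget."""
    totals: dict = {}
    for window, items in schedule.items():
        per_category: dict = defaultdict(float)
        for asset in items:
            per_category[asset.category] += asset.replacement_cost
        totals[window] = {"total": sum(per_category.values()),
                          "by_category": dict(per_category)}
    return totals


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Asset("T-001", "travel", "Laptop-Light", date(2020, 3, 15), 1200.0),
    Asset("T-002", "travel", "Laptop-Light", date(2020, 11, 30), 1200.0),
    Asset("N-001", "normal", "Desktop-Std", date(2019, 9, 1), 900.0),
    Asset("N-002", "normal", "Desktop-Std", date(2019, 5, 20), 900.0),
    Asset("H-001", "high-power", "Workstation-Dev", date(2020, 6, 30), 2500.0),
    Asset("H-002", "high-power", "Workstation-Dev", date(2021, 2, 1), 2500.0),
]


if __name__ == "__main__":
    schedule = build_schedule(SAMPLE_INVENTORY, date(2020, 1, 14))
    for window, items in sorted(schedule.items(), key=lambda kv: str(kv[0])):
        print(window, [a.tag for a in items])
    for window, cost in budget_by_window(schedule).items():
        print(window, cost)
```

Run against a real export, the "overdue" bucket is the list a security manager should escalate first, since those devices are out of warranty and past their planned replacement window; the per-window totals feed directly into the half-year budget forecast.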
Budgeting can be quite the challenge in today’s modern age, due to market fluctuations, cybercrime, the continued adoption of technology in various industries, and the always-changing skills that employees possess. In security, proper budgets provide proper defenses, thus highlighting the necessity of forecasted sales, expenses, and allocated funds. Due to security’s inability to produce earnings like many other departments, it is imperative for security management to showcase the importance of the security budget, offering insight on risks, threats, and rising trends in cybersecurity. It is up to all physical and digital defenders to help protect the organization from internal and external threats, as well as from itself, due to budget complications.
Goodchild, J. (2018, August 17). Bring These Security Metrics to Your Next Budget Meeting. Retrieved January 14, 2020, from https://securityintelligence.com/bring-these-security-metrics-to-your-next-budget-meeting-with-the-board/.
CFI. (n.d.). Types of Budgets – The Four Most Common Budgeting Methods. Retrieved January 14, 2020, from https://corporatefinanceinstitute.com/resources/knowledge/accounting/types-of-budgets-budgeting-methods/.
Fennelly, L. J. (2017). Effective Physical Security (5th ed.). Cambridge, MA: Elsevier.
McCrie, R. Security Operations Management (3rd ed.). Butterworth-Heinemann.