November 8, 2018
Budget? For Information Security? – WST
The midterms are finally over, and the ads have mercifully ended. We all deserve a little credit for putting up with the insanity. But now, is the time to get back on track and plan out your budget for 2019. Or, did you assume it will just be a part of IT’s budget? According to the FFIEC Cybersecurity Assessment Tool, a “baseline” requirement indicates: “The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20).”
Whether you’ve already submitted your 2019 budget or not, you might consider the following items. It may help your planning for 2020, or you may find need to go back to your CFO and plead for mercy…
An Information security budget should include items such as:
- Independent assessments, tests and audits (e.g., pen tests, social engineering, vulnerability assessments, etc.)
- Software licenses for security-related systems (e.g., SIEM system, IPS/IDS systems, web content filters, firewalls, email security appliances, encryption, antivirus, scanners, etc.)
- Hardware – for leases or for planned upgrades/implementations. Include firewalls, servers, security appliances, and any other system that relates to the security infrastructure.
- Security Certificates and registrations (for websites, domain registrations, security appliances, etc.)
- Training and Conferences related to information security (incl. travel expenses)
- Misc. Services – Forensic examiner retainer, monitoring services, technical consultants, etc.
To keep pace with emerging threats and regulations, Information Security Programs need to continually grow skills and response capabilities. Be sure to factor in the expected annual price increases, product upgrade charges, etc. (include a “fudge factor,” in case prices come in more than expected you can still look good at year-end). Also, remember to factor in additional human resources needed to manage the expanding demands.
Some other budget planning suggestions:
- Maintain a “next year” planning worksheet and update it throughout the year, adding in reminders to include improvements that you’ve noted during the current budget period.
- Have a shortcut to your planning worksheet on your computer’s desktop, so you can easily find and modify it as you think of things throughout the year.
- Keep track of “actual” compared to “budgeted” expenses as the year progresses, to help in fine-tuning your estimates for next year’s budget.
- Notate what budget items are “must have” (such as IDS/IPS, firewalls, log management systems, testing, etc.) and what are “should have” – In case of budget cuts OR if the budget fairy gives you an unexpected allowance to improve your security posture. Either way, you will have ready answers.
- And for election years be sure to include a reasonable allowance request, to cover the bar tab you’ll need to endure the next onslaught of campaign ads.