Info-Tech Research Group 1

Build, Optimize, and Present a Risk-Based Security Budget
Get the budget you deserve.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2017 Info-Tech Research Group Inc.
ANALYST PERSPECTIVE
Move away from the traditional approach to a risk-based budget.

We often hear about security budgets being built on what was allocated last year plus a little extra for contingency. In that vein, whenever there is a desire to increase the security budget, the amount that is requested is often just a guess of what would actually be needed.

That doesn’t work anymore.

Here at Info-Tech, we want you to build a risk-based security budget. With this approach, you will look at how different security controls change the overall risk level of the organization, while also examining the effectiveness of the controls themselves. This will allow your budget to evolve with the business growth model and still ensure that you are providing the correct level of security. The process will make it easier to discuss security with the business and ensure they understand what the true value of mitigation is.

Filipe De Souza,
Research Manager – Security, Risk & Compliance
Info-Tech Research Group
Our understanding of the problem

This Research Is Designed For:
• CISOs or equivalent

This Research Will Help You:
• Identify what requirements are needed for a defensible security budget.
• Allocate funds based on the mitigation effectiveness and risk model of the organization.
• Articulate and present security to the business as a necessary cost of doing business.

This Research Will Also Assist:
• CIOs

This Research Will Help Them:
• Incorporate the security budget as part of the larger IT budget.
• Understand how to explain the value of security to the rest of the organization.
Executive summary

Situation
• Year after year, CISOs need to develop a comprehensive security budget that is able to mitigate against threats.
• The budget will have to be defended to other stakeholders to ensure that there is proper funding.

Complication
• Security budgets are unlike other departmental budgets. Increases or decreases in the budget can drastically affect the organization’s ability to address risk.
• CISOs struggle with the ability to assess the effectiveness of their security controls and determine where to allocate money.

Resolution
• Info-Tech’s methodology moves you away from the traditional budgeting approach to build a budget that is designed to be as dynamic as the business growth model.
• Collect the requirements of your organization and build different budget options to describe how increases/decreases can affect the risk level.
• Discuss these different budgets with the business to determine what level of funding is needed for the desired level of security.
• Gain easy approval of your budget by “preshopping” and presenting the budget early to individual stakeholders prior to the final budget approval process.

1. CISOs can demonstrate the value of security when mitigations are correlated to business operations and any future budgetary needs are properly attributed to business evolution.
2. Develop a comprehensive corporate risk analysis and mitigation effectiveness model. This will illustrate the moving targets in your security posture, which helps identify critical issues to include in your budget.
It’s time to start thinking and talking about security budgets differently

The security budget is no traditional budget. Companies need to evolve their security budgeting process to deal with the demands of today’s cybersecurity issues.
• Previous budgetary methodologies were based on contained, static environments.
• Organizations have become stagnant with their budget processes, as employees tend to follow what their predecessor did rather than challenge the status quo.

Start building your budget with a view into the risk your organization faces.
• By focusing on how different budget allocations can change the organization’s ability to address risk (the organizational risk level), it becomes easier to communicate with business stakeholders on the need for different controls.

Go a step further and start describing security as a COGS to the business. Security is often seen as a sunk cost to the business and has been difficult to budget for.

COGS (cost of goods sold): the costs needed for the production of the goods or services that an organization produces.
• Security is often seen as solely a function of the IT or security department, instead of being integral to every business operation. Thinking needs to shift toward treating security as a COGS to the business.

Security as COGS can be described at two levels:
• At a high level, where it communicates how security enables business functions more generally.
• At the individual project or initiative level, where security must be included as part of the initial budgets to ensure it is accounted for from the very beginning.

Security is no longer considered optional. Demonstrate how security is now the regular cost of doing business.
Build a high-quality security budget by measuring mitigation effectiveness and connecting this to business capabilities

CISOs can demonstrate the value of security when mitigations are correlated to business operations and any future budgetary needs are properly attributed to business evolution. This is where you can transition thinking about security to a COGS for the business.

To identify the critical areas and issues that need to be reflected in your security budget, you need to develop a comprehensive corporate risk analysis and mitigation effectiveness model that will illustrate where the moving targets are in your security posture.

Problem: Organizations struggle to know how to budget for security, as they are unsure which controls are working effectively. Budgeting is done through a great deal of guesswork and often leads to budget constraints, because proper planning and analysis were not done at the beginning.
• In a SolarWinds federal cybersecurity survey, budget constraints were at the top of the list of obstacles to maintaining or improving a federal agency’s IT security, at 29%.

Problem: Security professionals struggle to articulate the value of security to the board and other executives. This makes it difficult for these same individuals to allocate money to security initiatives and controls, when they are looking toward more revenue-generating areas instead.
• In a Ponemon Institute study on IT security spending and investments, 64% of survey respondents indicated that the security budget was not on the board’s agenda due to lack of “expertise and knowledge about security.”
• 36% indicated that IT security was not even considered a priority issue.
Info-Tech’s methodology for building the budget consists of three phases

Phase 1: Review requirements for the budget
• This phase will involve:
o Performing the correct level of analysis before building the budget itself.
o This can include performing a mitigation effectiveness assessment, conducting a risk analysis, and refining your security strategy.
• The level of requirements that need to be collected varies from organization to organization. There are three different efficacy options that can be used to determine what should be done.
• See the next slide for an overview of the different requirements options that are available.

Phase 2: Build the budget
• This phase will involve:
o Inputting the requirements identified in phase 1 into the budget.
o Identifying how security controls relate to IT systems and business capabilities.
• Next, you will focus on the creation of an overall budget that is split for you into three different budgets based on three different risk profiles.
o This will help demonstrate how changes to the budget can change the risk levels accordingly.

Phase 3: Present the budget
• With the budget complete, this phase involves:
o Starting with “preshopping,” where one-on-one sessions are conducted with stakeholders prior to the final presentation. This will solicit feedback so that budget updates can be made as needed.
o Final presentation of the budget.
• Finally, the budget can go to the final budget committee, with additional support provided on how to succeed and gain approval.
In phase 1, you will review the different efficacy options in building your security budget

There are three options when it comes to building a security budget. These include:

1. High Efficacy Option
• This method is valuable for organizations that need to build a highly defensible budget based on their threat model and their corresponding mitigations.

2. Medium Efficacy Option
• This is valuable for organizations that need some level of validation for their security budget but may not require as much of a deep dive as the second option.

3. Low Efficacy Option
• For organizations that do not struggle to defend a security budget, this method allows for the budget to be easily built and then presented.

Decision flow (Phase 1 → Phase 2 → Phase 3):
Start → How do I want to build my budget?
• Low Efficacy: Build the budget
• Medium Efficacy: Perform a mitigation effectiveness assessment → Build the budget
• High Efficacy: Define the information security risk tolerance → Conduct a risk analysis of the entire IT environment → Perform a mitigation effectiveness assessment → Develop and refine the information security strategy → Build the budget
All options → Present the budget → End
High Efficacy Option

A high-efficacy budget is for you if you say yes to most of these questions:
• Am I able to operate effectively with the budget that I am being allocated?
• Am I regularly asked why certain security controls are needed?
• Do I struggle to justify security expenses to our executives and/or board?
• Am I aware of how effective my current security controls are in mitigating against risk?
• What is my risk tolerance level? Is my budget allowing me to stay below an acceptable level of risk?
• Are my security expenditures related to my security strategy, and by extension, the larger business strategy?

Flow (Phase 1 → Phase 2 → Phase 3):
Start → Define the information security risk tolerance → Conduct a risk analysis of the entire IT environment → Perform a mitigation effectiveness assessment → Develop and refine the information security strategy → Build the budget → Present the budget → End

This option allows for a highly defensible security budget as it involves:
• Defining a risk tolerance level to compare how different expenses exceed or stay below this level.
• Conducting a risk analysis of the organization to understand where the largest risks are that need resources.
• Performing an assessment to understand how effective security controls and mitigations are against your risk tolerance.
• Refining the security strategy to incorporate all of the risk findings through prioritization.
Medium Efficacy Option

Flow (Phase 1 → Phase 2 → Phase 3):
Start → Perform a mitigation effectiveness assessment → Build the budget → Present the budget → End

For the medium efficacy option, consider the trade-offs between time, quality, and money:
• Quality: Am I looking to build a highly defensible budget that demonstrates the effectiveness of my controls?
o Consider the high efficacy option.
OR
• Money: Do I find that security can be difficult to justify at times but overall has the support of the business?
• Time: Am I too time constrained to perform an in-depth budget and risk analysis, but I still want some evaluation of mitigations?
o Consider the medium efficacy option.
OR
• Money & Time: Am I able to get security spend approved easily and need to complete a budget quickly?
o Consider the low efficacy option.

This option allows for a budget to be built with some defensibility, but without the depth that the high efficacy option includes. This includes:
• Performing a mitigation effectiveness assessment so that, at minimum, the security controls and their ability to mitigate against the organizational threat model are well understood.

This allows for a budget that needs less of the prework involved with building a risk model and still provides a defensible model that demonstrates the effectiveness of security controls.
Low Efficacy Option

Flow (Phase 2 → Phase 3):
Start → Build the budget → Present the budget → End

A low efficacy budget is for you if you say yes to most of these questions:
• Are my business stakeholders supporters of security?
• Does my culture not allow for in-depth analysis during budgeting?
• Is it easy to secure funding for new projects and initiatives?
• Have I found previous security budgets easy to justify and get approved?
• Am I too time constrained to complete any of the other efficacy options and need to complete my budget as soon as possible?

This option allows you to go directly to building the budget itself. While it does not include an evaluation of the risk or an overview into the effectiveness of controls, you can still take advantage of the Security Budgeting Tool and accompanying presentation templates.

Here, we will focus solely on how to build the budget and how to present it. This is ideal for organizations that do not require their budgets to have a high degree of defensibility and where obtaining security funds is easier.
Info-Tech Research Group ‹#›
Info-Tech Research Group Helps IT Professionals To:
 Quickly get up to speed
with new technologies
 Make the right technology
purchasing decisions – fast
 Deliver critical IT
projects, on time and
within budget
 Manage business expectations
 Justify IT spending and
prove the value of IT
 Train IT staff and effectively
manage an IT department
Toll Free: 1-888-670-8889

Contenu connexe

Plus de Info-Tech Research Group

Modernize Communications and Collaboration Infrastructure
Modernize Communications and Collaboration InfrastructureModernize Communications and Collaboration Infrastructure
Modernize Communications and Collaboration InfrastructureInfo-Tech Research Group
 
Craft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
Craft an End-to-End Data Center Consolidation Strategy to Maximize BenefitsCraft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
Craft an End-to-End Data Center Consolidation Strategy to Maximize BenefitsInfo-Tech Research Group
 
Develop a Project Portfolio Management Strategy
Develop a Project Portfolio Management StrategyDevelop a Project Portfolio Management Strategy
Develop a Project Portfolio Management StrategyInfo-Tech Research Group
 
Implement an enterprise service bus revised
Implement an enterprise service bus    revisedImplement an enterprise service bus    revised
Implement an enterprise service bus revisedInfo-Tech Research Group
 
Stay on Top of Today’s and Tomorrow’s Mobile App Trends
Stay on Top of Today’s and Tomorrow’s Mobile App TrendsStay on Top of Today’s and Tomorrow’s Mobile App Trends
Stay on Top of Today’s and Tomorrow’s Mobile App TrendsInfo-Tech Research Group
 
Create a right sized disaster recovery plan
Create a right sized disaster recovery planCreate a right sized disaster recovery plan
Create a right sized disaster recovery planInfo-Tech Research Group
 
The 10 Principles of Enterprise Architecture
The 10 Principles of Enterprise ArchitectureThe 10 Principles of Enterprise Architecture
The 10 Principles of Enterprise ArchitectureInfo-Tech Research Group
 

Plus de Info-Tech Research Group (20)

Modernize Communications and Collaboration Infrastructure
Modernize Communications and Collaboration InfrastructureModernize Communications and Collaboration Infrastructure
Modernize Communications and Collaboration Infrastructure
 
Optimize the IT Operating Model
Optimize the IT Operating ModelOptimize the IT Operating Model
Optimize the IT Operating Model
 
Info-Tech Membership Overview
Info-Tech Membership OverviewInfo-Tech Membership Overview
Info-Tech Membership Overview
 
Define an EA Operating Model
Define an EA Operating ModelDefine an EA Operating Model
Define an EA Operating Model
 
Become a Transformational CIO
Become a Transformational CIOBecome a Transformational CIO
Become a Transformational CIO
 
Craft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
Craft an End-to-End Data Center Consolidation Strategy to Maximize BenefitsCraft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
Craft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
 
Build and Information Security Strategy
Build and Information Security StrategyBuild and Information Security Strategy
Build and Information Security Strategy
 
Build an Application Integration Strategy
Build an Application Integration StrategyBuild an Application Integration Strategy
Build an Application Integration Strategy
 
Develop a Project Portfolio Management Strategy
Develop a Project Portfolio Management StrategyDevelop a Project Portfolio Management Strategy
Develop a Project Portfolio Management Strategy
 
Implement an enterprise service bus revised
Implement an enterprise service bus    revisedImplement an enterprise service bus    revised
Implement an enterprise service bus revised
 
Implement a Shared Services Model
Implement a Shared Services ModelImplement a Shared Services Model
Implement a Shared Services Model
 
Assess and Optimize EA Capability
Assess and Optimize EA CapabilityAssess and Optimize EA Capability
Assess and Optimize EA Capability
 
Survive an Impending Audit
Survive an Impending AuditSurvive an Impending Audit
Survive an Impending Audit
 
Stay on Top of Today’s and Tomorrow’s Mobile App Trends
Stay on Top of Today’s and Tomorrow’s Mobile App TrendsStay on Top of Today’s and Tomorrow’s Mobile App Trends
Stay on Top of Today’s and Tomorrow’s Mobile App Trends
 
Fast track critical leadership skills
Fast track critical leadership skillsFast track critical leadership skills
Fast track critical leadership skills
 
Enterprise mobility management
Enterprise mobility managementEnterprise mobility management
Enterprise mobility management
 
Create a right sized disaster recovery plan
Create a right sized disaster recovery planCreate a right sized disaster recovery plan
Create a right sized disaster recovery plan
 
The 10 Principles of Enterprise Architecture
The 10 Principles of Enterprise ArchitectureThe 10 Principles of Enterprise Architecture
The 10 Principles of Enterprise Architecture
 
Decode the Corporate Strategy
Decode the Corporate StrategyDecode the Corporate Strategy
Decode the Corporate Strategy
 
Manage a Minimum-Viable PMO
Manage a Minimum-Viable PMOManage a Minimum-Viable PMO
Manage a Minimum-Viable PMO
 

Dernier

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 

Dernier (20)

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 

Build Optimize and Present a Risk Based Security Budget

  • 1. Info-Tech Research Group 1Info-Tech Research Group 1 Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2017 Info-Tech Research Group Inc. Build, Optimize, and Present a Risk-Based Security Budget Get the budget you deserve. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.© 1997-2017 Info-Tech Research Group
  • 2. Info-Tech Research Group 2Info-Tech Research Group 2 We often hear about security budgets being built on what was allocated last year plus a little extra for contingency. In that vein, whenever there is a desire to increase the security budget, the amount that is requested is often just a guess of what would actually be needed. That doesn’t work anymore. Here at Info-Tech, we want you to build a risk-based security budget. With this approach, you will look at how different security controls change the overall risk level of the organization, while also examining the effectiveness of the controls themselves. This will allow your budget to evolve with the business growth model and still ensure that you are providing the correct level of security. The process will make it easier to discuss security with the business and ensure they understand what the true value of mitigation is. Filipe De Souza, Research Manager – Security, Risk & Compliance Info-Tech Research Group Move away from the traditional approach to a risk-based budget. ANALYST PERSPECTIVE
  • 3. Info-Tech Research Group 3Info-Tech Research Group 3 This Research is Designed For: This Research Will Help You: This Research Will Assist: This Research Will Help You: This Research Is Designed For: This Research Will Help You: This Research Will Also Assist: This Research Will Help Them: Our understanding of the problem CISOs or equivalent Identify what requirements are needed for a defensible security budget. Allocate funds based on the mitigation effectiveness and risk model of the organization. Articulate and present security to the business as a necessary cost of doing business. CIOs Incorporate the security budget as part of the larger IT budget. Understand how to explain the value of security to the rest of the organization.
  • 4. Executive summary
    Situation
    • Year after year, CISOs need to develop a comprehensive security budget that is able to mitigate the threats the organization faces.
    • The budget has to be defended to other stakeholders to ensure that there is proper funding.
    Complication
    • Security budgets are unlike other departmental budgets: increases or decreases in the budget can drastically affect the organization's ability to address risk.
    • CISOs struggle to assess the effectiveness of their security controls and therefore to determine where to allocate money.
    Resolution
    • Info-Tech's methodology moves you away from the traditional budgeting approach to a budget that is designed to be as dynamic as the business growth model.
    • Collect your organization's requirements and build different budget options that describe how increases or decreases change the risk level.
    • Discuss these budgets with the business to determine what level of funding is needed for the desired level of security.
    • Gain approval of your budget more easily by "preshopping": presenting the budget early to individual stakeholders prior to the final budget approval process.
    1. CISOs can demonstrate the value of security when mitigations are correlated to business operations and any future budgetary needs are properly attributed to business evolution.
    2. Develop a comprehensive corporate risk analysis and mitigation effectiveness model. It illustrates the moving targets in your security posture, which helps identify the critical issues to include in your budget.
  • 5. It's time to start thinking and talking about security budgets differently
    The security budget is no traditional budget. Companies need to evolve their security budgeting process to deal with the demands of today's cybersecurity issues.
    • Previous budgeting methodologies were based on contained, static environments.
    • Organizations have become stagnant in their budget processes, as employees tend to follow what their predecessor did rather than challenge the status quo.
    Start building your budget with a view into the risk your organization faces.
    • By focusing on how different budget allocations change the organization's ability to address risk (its organizational risk level), it becomes easier to communicate with business stakeholders about the need for different controls.
    Go a step further and start describing security as a COGS to the business.
    COGS (cost of goods sold): the costs needed to produce the goods or services that an organization delivers.
    • Security is often seen as solely a function of the IT or security department, instead of being integral to every business operation. The shift in thinking is to treat security as a COGS to the business.
    Security as COGS can be described at two levels:
    • At a high level, where it communicates how security enables business functions more generally.
    • At the individual project or initiative level, where security must be included in the initial budget to ensure it is accounted for from the very beginning.
    Security is often seen as a sunk cost to the business and has been difficult to budget for. Security is no longer considered optional: demonstrate that it is now the regular cost of doing business.
  • 6. Build a high-quality security budget by measuring mitigation effectiveness and connecting it to business capabilities
    CISOs can demonstrate the value of security when mitigations are correlated to business operations and any future budgetary needs are properly attributed to business evolution. This is where you can transition to thinking about security as a COGS for the business.
    To identify the critical areas and issues that need to be reflected in your security budget, develop a comprehensive corporate risk analysis and mitigation effectiveness model that illustrates where the moving targets are in your security posture.
    Problem: Organizations struggle to budget for security because they are unsure which controls are working effectively. Budgeting is done through a great deal of guesswork and often leads to budget constraints, because the proper planning and analysis was not done at the beginning.
    • In a SolarWinds federal cybersecurity survey, budget constraints topped the list of obstacles to maintaining or improving a federal agency's IT security, cited by 29% of respondents.
    Problem: Security professionals struggle to articulate the value of security to the board and other executives. This makes it difficult for those same individuals to allocate money to security initiatives and controls when they are looking toward revenue-generating areas instead.
    • In a Ponemon Institute study on IT security spending and investments, 64% of survey respondents indicated that the security budget was not on the board's agenda due to a lack of "expertise and knowledge about security."
    • 36% indicated that IT security was not even considered a priority issue.
  • 7. Info-Tech's methodology for building the budget consists of three phases
    Phase 1: Review requirements for the budget
    • This phase involves performing the correct level of analysis before building the budget itself. This can include performing a mitigation effectiveness assessment, conducting a risk analysis, and refining your security strategy.
    • The level of requirements that need to be collected varies from organization to organization. There are three different efficacy options that can be used to determine what should be done; see the next slide for an overview.
    Phase 2: Build the budget
    • Input the requirements identified in phase 1 into the budget. This includes an identification of how security controls relate to IT systems and business capabilities.
    • Next, create an overall budget that is split into three different budgets based on three different risk profiles. This demonstrates how changes to the budget change the risk level accordingly.
    Phase 3: Present the budget
    • Start with "preshopping": one-on-one sessions with stakeholders prior to the final presentation, to solicit feedback and update the budget as needed.
    • Deliver the final presentation of the budget.
    • Finally, the budget goes to the final budget committee; the methodology includes additional support on how to succeed there and gain approval.
  • 8. In phase 1, you will review the different efficacy options for building your security budget
    There are three options when it comes to building a security budget:
    1. High efficacy option
    • This method is valuable for organizations that need to build a highly defensible budget based on their threat model and their corresponding mitigations.
    2. Medium efficacy option
    • This is valuable for organizations that need some level of validation for their security budget but do not require as deep a dive as the high efficacy option.
    3. Low efficacy option
    • For organizations that do not struggle to defend a security budget, this method allows the budget to be easily built and then presented.
    Flowchart (Start: "How do I want to build my budget?"):
    • Low efficacy: Phase 2, build the budget.
    • Medium efficacy: Phase 1, perform a mitigation effectiveness assessment; Phase 2, build the budget.
    • High efficacy: Phase 1, define the information security risk tolerance, conduct a risk analysis of the entire IT environment, perform a mitigation effectiveness assessment, and develop and refine the information security strategy; Phase 2, build the budget.
    • All options: Phase 3, present the budget; End.
  • 9. High efficacy option
    A high-efficacy budget is for you if you say yes to most of these questions:
    • Am I able to operate effectively with the budget that I am being allocated?
    • Am I regularly asked why certain security controls are needed?
    • Do I struggle to justify security expenses to our executives and/or board?
    • Am I aware of how effective my current security controls are in mitigating risk?
    • What is my risk tolerance level? Is my budget allowing me to stay below an acceptable level of risk?
    • Are my security expenditures related to my security strategy and, by extension, the larger business strategy?
    Flowchart: Start; Phase 1: define the information security risk tolerance, conduct a risk analysis of the entire IT environment, perform a mitigation effectiveness assessment, develop and refine the information security strategy; Phase 2: build the budget; Phase 3: present the budget; End.
    This option allows for a highly defensible security budget because it involves:
    • Defining a risk tolerance level, so that different expense options can be compared on whether they keep risk below that level or exceed it.
    • Conducting a risk analysis of the organization to understand where the largest risks are that need resources.
    • Performing an assessment to understand how effective security controls and mitigations are relative to your risk tolerance.
    • Refining the security strategy to incorporate all of the risk findings through prioritization.
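    The high efficacy path above (risk tolerance, risk analysis, mitigation effectiveness assessment, then the budget) and the three risk-profile budgets that phase 2 on slide 7 asks for can be illustrated with a small quantitative model. The following Python is an added example written for this page; it is not Info-Tech's Security Budgeting Tool and does not reproduce that tool's calculations. It assumes an annualized-exposure model (likelihood times impact per risk, with each selected control removing an assumed fraction of a risk's exposure, applied independently), and every risk, control, cost, effectiveness rating, budget profile and the tolerance figure is constructed for illustration.

```python
"""Toy risk-based budget model (added example, not Info-Tech's tool).

Three budget profiles are scored against a risk tolerance so that the cost of
each profile can be discussed alongside the residual risk it leaves behind.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # expected incidents per year (assumed figure)
    impact: float      # expected loss per incident, in currency units (assumed)

    @property
    def annual_exposure(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # risk name -> fraction of that risk's annual exposure this control removes.
    # These stand in for the ratings a mitigation effectiveness assessment produces.
    effectiveness: Mapping[str, float]


def residual_exposure(risks: Sequence[Risk], controls: Sequence[Control]) -> float:
    """Annual exposure left after the selected controls are applied.

    Assumption: controls act independently, so each one removes its fraction of
    whatever exposure the previously applied controls left behind.
    """
    total = 0.0
    for risk in risks:
        remaining = 1.0
        for control in controls:
            remaining *= 1.0 - control.effectiveness.get(risk.name, 0.0)
        total += risk.annual_exposure * remaining
    return total


def evaluate_profiles(risks: Sequence[Risk], catalog: Sequence[Control],
                      profiles: Mapping[str, Sequence[str]],
                      tolerance: float) -> Dict[str, dict]:
    """Cost and residual exposure of each budget profile, flagged against the tolerance."""
    by_name = {c.name: c for c in catalog}
    results: Dict[str, dict] = {}
    for label, control_names in profiles.items():
        chosen = [by_name[n] for n in control_names]  # KeyError on an unknown control name
        cost = sum(c.annual_cost for c in chosen)
        residual = residual_exposure(risks, chosen)
        results[label] = {
            "cost": cost,
            "residual": residual,
            "within_tolerance": residual <= tolerance,
        }
    return results


def cheapest_within_tolerance(results: Mapping[str, dict]) -> Optional[str]:
    """Lowest-cost profile whose residual exposure is within tolerance, or None."""
    acceptable = [(r["cost"], label) for label, r in results.items() if r["within_tolerance"]]
    return min(acceptable)[1] if acceptable else None


# Constructed sample data: three risks as a risk analysis might rate them ...
RISKS: List[Risk] = [
    Risk("ransomware", likelihood=0.5, impact=400_000),
    Risk("phishing_account_takeover", likelihood=2.0, impact=50_000),
    Risk("webapp_breach", likelihood=0.25, impact=600_000),
]

# ... five candidate controls with assumed annual costs and effectiveness ratings ...
CONTROL_CATALOG: List[Control] = [
    Control("mfa", 40_000, {"phishing_account_takeover": 0.8, "ransomware": 0.3}),
    Control("edr", 90_000, {"ransomware": 0.6}),
    Control("immutable_backups", 60_000, {"ransomware": 0.5}),
    Control("waf", 50_000, {"webapp_breach": 0.5}),
    Control("appsec_testing", 80_000, {"webapp_breach": 0.6}),
]

# ... three budgets, one per risk profile, and an assumed risk tolerance.
PROFILES: Dict[str, List[str]] = {
    "reduced": ["mfa", "edr"],
    "baseline": ["mfa", "edr", "immutable_backups", "waf"],
    "expanded": ["mfa", "edr", "immutable_backups", "waf", "appsec_testing"],
}
TOLERANCE = 125_000.0  # maximum acceptable annual exposure (assumed)


if __name__ == "__main__":
    print(f"unmitigated exposure: {residual_exposure(RISKS, []):,.0f}   tolerance: {TOLERANCE:,.0f}")
    results = evaluate_profiles(RISKS, CONTROL_CATALOG, PROFILES, TOLERANCE)
    for label, r in results.items():
        flag = "ok" if r["within_tolerance"] else "EXCEEDS"
        print(f"{label:<9} cost {r['cost']:>9,.0f}   residual {r['residual']:>9,.0f}   {flag}")
    print("cheapest profile within tolerance:", cheapest_within_tolerance(results))
```

    Run as a script it prints one row per profile. With the constructed figures, the reduced budget saves 110,000 against the baseline but leaves residual exposure of 226,000, well above the tolerance; the baseline is the cheapest profile that stays within tolerance; and the expanded budget buys a further reduction that the business can weigh against its extra cost. That is the shape of the conversation slide 7 describes: each budget option presented together with the risk level it produces, rather than as a number on its own.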
  • 10. Medium efficacy option
    Flowchart: Start; Phase 1: perform a mitigation effectiveness assessment; Phase 2: build the budget; Phase 3: present the budget; End.
    For the medium efficacy option, consider the trade-offs between time, quality, and money:
    • Quality: Am I looking to build a highly defensible budget that demonstrates the effectiveness of my controls? Consider the high efficacy option.
    • Money: Do I find that security can be difficult to justify at times but overall has the support of the business? Time: Am I too time constrained to perform an in-depth budget and risk analysis, but I still want some evaluation of mitigations? Consider the medium efficacy option.
    • Money and time: Am I able to get security spend approved easily and need to complete a budget quickly? Consider the low efficacy option.
    This option allows a budget to be built with some defensibility, but without the depth that the high efficacy option includes. It consists of:
    • Performing a mitigation effectiveness assessment so that, at minimum, the security controls and their ability to mitigate the organizational threat model are well understood.
    This requires less of the prework involved in building a risk model and still provides a defensible budget that demonstrates the effectiveness of security controls.
  • 11. Low efficacy option
    Flowchart: Start; Phase 2: build the budget; Phase 3: present the budget; End.
    A low-efficacy budget is for you if you say yes to most of these questions:
    • Are my business stakeholders supporters of security?
    • Does my culture not allow for in-depth analysis during budgeting?
    • Is it easy to secure funding for new projects and initiatives?
    • Have I found previous security budgets easy to justify and get approved?
    • Am I too time constrained to complete any of the other efficacy options and need to complete my budget as soon as possible?
    This option allows you to go directly to building the budget itself. While it does not include an evaluation of risk or an overview of the effectiveness of controls, you can still take advantage of the Security Budgeting Tool and accompanying presentation templates. Here, the focus is solely on how to build the budget and how to present it. This is ideal for organizations that do not require their budgets to have a high degree of defensibility and where obtaining security funds is easier.
  • 12. Info-Tech Research Group helps IT professionals to:
    • Quickly get up to speed with new technologies
    • Make the right technology purchasing decisions, fast
    • Deliver critical IT projects on time and within budget
    • Manage business expectations
    • Justify IT spending and prove the value of IT
    • Train IT staff and effectively manage an IT department
    Toll free: 1-888-670-8889