As we head through fall, many financial professionals are focusing on the annual budget preparation "festivities." As it relates to technology, this year is no different than previous years. The focus is on how to allocate and justify capital investments to better drive the achievement of organizational objectives. Even more challenging for budgeting professionals is determining the right balance of cyber and information security spending—whether from an investment perspective to enable increasing sales and customer retention or from an overhead perspective used to ensure protection of assets, compliance with regulations, and prevention of stakeholder actions, including, but not limited to, lawsuits.
The appropriate budget allocation will vary by organization based on specific profiles, needs and available resources. Most large organizations have mature processes that sufficiently address these issues. However, many entrepreneurial businesses—e.g., small to midsize businesses (SMBs) and non-profit organizations (NPOs)—face challenges in determining the appropriate balance between security and mission in their financial allocations. For example, every dollar that a nonprofit spends on cybersecurity is not spent directly on the NPO's mission. For some NPOs, overspending on cybersecurity could affect the organization's ability to save a life.
As you enter budget negotiations relating to cybersecurity, you'll want to do the following:
- Review the overall cybersecurity program and strategy to determine how budget requests help achieve the organization's or program's objectives. Although traditional budgeting metrics may not properly evaluate cybersecurity investments, the rationale for the budgeted items and how they would address program and strategy needs—as reviewed by the appropriate governance function (usually at the board level)—should be clearly defined and understandable from a business perspective. For example, investments in developing partitioned networks may facilitate compliance with mandatory standards, such as those pertaining to the payment card industry, or provide the ability to deliver heightened security protection over highly sensitive assets.
- Reconcile previous cybersecurity purchases and investments to what is actually being used today. The information security function should be able to provide a reconciliation of prior purchases and their overall effectiveness. This helps to identify broken implementation processes that could result in wasted or unneeded purchases and also provides evidence of the information security function's ability to conduct appropriate due diligence for potential security investments. This particular technique helps identify the "chasing" of the trendy gadgets and tools that were popular during previous budget cycles but not sufficiently vetted to confirm their applicability to the organization's needs and environment. Another potential benefit of this reconciliation process is identifying technology no longer used and canceling related payments for maintenance, licensing renewal and other recurring fees.
- Invest in cost-effective automated security testing tools. The cost of automated security tools such as web application and network vulnerability scanners has dramatically decreased during the past few years, while their effectiveness and ability to detect potential vulnerabilities have significantly improved. These tools give organizations the ability to continuously test how well their cybersecurity strategies protect against the most common threats and exploits used by hackers. Although not a substitute for the more expensive penetration tests, these automated tools generally allow organizations to identify and repair many exploitable weaknesses. Organizations should complete a robust vulnerability assessment and remediation process before attempting a more expensive penetration test.
- Consider the use of managed security service providers (MSSPs) to perform high-risk yet commodity-type services. MSSPs help organizations monitor activity and traffic, identify potential data leakage, expertly configure firewalls and provide 24/7 oversight for a fraction of what it would cost individual organizations to do so internally. Most importantly, MSSPs provide the evolving expertise needed to manage external threats—something very difficult for most organizations to maintain internally.
- Support security awareness training to educate users on practices they can employ—and, perhaps even more importantly, avoid—in the battle to keep hackers at bay. Users of an organization's computing resources can help protect the computing environment by selecting strong passwords, and they can avoid opening the door to hackers by not clicking on tainted attachments or links, which are often delivered in cleverly disguised emails designed to fool users into introducing malware into the organization's network. Far too often, executives assume that users know how to do the right thing. Yet, even users who have had security training in the past need at least yearly updates on the rapidly evolving and increasingly sophisticated tools of deception hackers are using to break into networks and steal potentially damaging information, including customer credit card and Social Security numbers.
Enhancing your organization's cybersecurity posture does not have to be expensive. Conversely, selecting only the cheapest alternatives does not make your organization secure. Clearly understanding business objectives and selecting street-smart cybersecurity strategies to facilitate those objectives are critical in ensuring cost-effective budgeting decisions.
Joel Lanz, CPA/CITP/CFF, CGMA, is the founder and principal of Joel Lanz, CPA PC, a niche CPA practice focusing on information assurance, technology risk management, and security. He also chairs the AICPA Information Management and Technology Assurance Executive Committee and is an adjunct professor in the business school at The State University of New York at Old Westbury in Old Westbury, N.Y.