As seen in Harvard Business Review, Nov. 2015

The majority of business leaders base their budget on current capabilities, adjusted incrementally for growth and new ventures.
For mature functions like accounting, which has been around since the Phoenicians first traded on the Mediterranean, this works just fine. You have three accountants to keep track of 100 ships, and when you add 100 more ships, you need three more accountants. The radically new and evolving field of information security, on the other hand, needs a different approach. Regardless of the industry, we see organizations attempting to advance their information security capabilities incrementally, based on their current and past security spend. This is usually a big mistake.
Information security has been largely ignored by business leaders for most of its existence and has always lagged the threats. At best, companies selected “a percentage of IT budget” and continued to revisit that percentage year after year without considering the company’s threat landscape. At worst, spending has been determined in a reactionary way, where security capabilities have been built up over time as a series of narrowly defined reactions and point solutions to address the most recent challenge. Rather than budgeting against a specific strategy for risk mitigation, IT teams scrambled for whatever budget could be found to put out a new fire. Invariably, this meant buying some technology to address the problem du jour. There was no long-term measurable plan. The budget wasn’t rationalized against the company’s top risks and tolerance. Or if there was a plan, it was developed as an afterthought.
Hopefully, no other part of your business budget cycle works this way. Leading practice in today's environment is to take a risk-measured, zero-based budget approach to information security. Businesses are more aware than ever of the cyber threat and the enterprise risk it poses to reputation and the bottom line. So now it is time to start from a blank piece of paper: list your current security spend, then carefully build a multi-year strategy and budget that address the cyber risk landscape for your particular business, with each line item justified against the risks it mitigates rather than against last year's number.