CyberJAGO Thoughts & Opinions


Sharing a Pragmatic View of Cybersecurity

Taming The Elephant in The Room: Practical Budgeting Strategies

When we speak of budgeting, there is no exact science for quantifying risk or determining the likelihood of a threat materializing. Although there are some elements we can quantify and qualify, there are many unknowns. Since each organization is different, there can be no cookie-cutter approach.

We can make some educated guesses based on the type of industry and the actors targeting it, and from those, propose the best approach for our organization. There is no formula, because so much about budgeting is based on uncertainty, but we can make contingencies for different scenarios.

The first premise that we must build into budgeting is that risk cannot be eradicated. It will be ever present because it is constantly evolving. We live with the reality that we are mitigating risk to the lowest possible level based on what we know.

“What you know” is key here because we can never be certain how the security landscape will evolve. We must be forthright with decision makers about the limitations of what we know.

Based on this and on our understanding of the business, we must establish communications with stakeholders about what we see potentially affecting the business, calculate the cost, and then put forward a dollar amount to protect the organization. That amount is a projection, and unlikely to be the amount we will get, but it serves as a solid foundation. This calculation, disseminated to stakeholders, is the starting point to negotiate from.

By educating the decision makers about the risks, we place the onus of accepting or rejecting risk on them. With that information at hand, it is for the stakeholders to determine what they are willing to accept.

“Understanding the business” means two things. First, it means understanding what the enterprise does and what could potentially go wrong. Secondly, it means understanding how prevalent or pervasive the threats against that industry are. Financial institutions, critical infrastructure and healthcare are major targets. We do not hear about people trying to attack restaurants because the financial motive is not there. However, this does not preclude them from opportunistic attacks.

Once potential threats are identified, we must determine whether the cost of securing against all of them is worth it. The cost of coverage may outstrip the potential damages. For the longest time, people opted for blanket coverage. Yet not all assets are critical. Understanding what is worth protecting and what is not is critical; otherwise the business will never make money.

To make budgeting decisions based on what we know, it is essential to identify our assets. There is no way to protect an organization if we do not know everything it has. It is like having 1,500 miles of border wall with a gap that allows a truck to drive through. If our security metrics start from an inaccurate base, then the information that flows from them will be skewed. And without a clear picture of what we must protect, our budget request will rest on rocky ground.

We must be forthright with decision makers about what we know and do not know, and build relationships and trust with the different stakeholders in the organization. This way we will be able to present the best information we have in a competent way and get the best budget possible. At the same time, and very importantly, we do not want to create a false sense of security. It is important to state the limitations of our assessment explicitly.

If we are not candid, people will put our feet to the fire, especially nowadays, when one may be liable as a chief information security officer if information is not disclosed or is inaccurately reported. And crucially, one puts one’s organization at risk by not doing so.
