Build, Optimize, and Present a Risk-Based Security Budget
Get the budget you deserve.
- Year after year, CISOs need to develop a comprehensive security budget that is able to mitigate against threats.
- This budget will have to be defended against many other stakeholders to ensure there is proper funding.
- Security budgets are unlike other departmental budgets. Increases or decreases in the budget can drastically affect the organizational risk level.
- CISOs struggle with the ability to assess the effectiveness of their security controls and where to allocate money.
Our Advice
Critical Insight
- CISOs can demonstrate the value of security when they correlate mitigations to business operations and attribute future budgetary needs to business evolution.
- To identify the critical areas and issues that must be reflected in your security budget, develop a comprehensive corporate risk analysis and mitigation effectiveness model, which will illustrate where the moving targets are in your security posture.
Impact and Result
- Info-Tech’s methodology moves you away from the traditional budgeting approach to building a budget that is designed to be as dynamic as the business growth model.
- Collect your organization's requirements and build different budget options to describe how increases and decreases can affect the risk level.
- Discuss the different budgets with the business to determine what level of funding is needed for the desired level of security.
- Gain
approval of your budget early by preshopping and presenting the
budget to individual stakeholders prior to the final budget approval process.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
Client
Experience
Impact
$ Saved
Days Saved
Thompson Rivers University
Guided Implementation
8/10
N/A
N/A
This was an excellent introduction to the InfoTech tools for "Build, Optimize, and Present a Risk-Based Security Budget" however I will not be able... Read More
McLaren
Guided Implementation
8/10
N/A
2
Workshop: Build, Optimize, and Present a Risk-Based Security Budget
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Review Requirements for the Budget
The Purpose
- Understand your organization’s security requirements.
- Collect and review the requirements.
Key Benefits Achieved
- Requirements are gathered and understood, and they will provide priorities for the security budget.
Activities
Outputs
Define the scope and boundaries of the security budget.
- Defined scope and boundaries of the security budget
Review the security strategy.
Review other requirements as needed, such as the mitigation effectiveness assessment or risk tolerance level.
Module 2: Build the Budget
The Purpose
- Map business capabilities to security controls.
- Create a budget that represents how risk can affect the organization.
Key Benefits Achieved
- Finalized security budget that presents three different options to account for risk and mitigations.
Activities
Outputs
Identify major business capabilities.
Map capabilities to IT systems and security controls.
- Identified major business capabilities, mapped to the IT systems and controls
Categorize security controls by bare minimum, standard practice, and ideal.
Input all security controls.
Input all other expenses related to security.
Review the different budget options.
- Completed security budget providing three different options based on risk associated
Optimize the budget through defense-in-depth options.
Finalize the budget.
- Optimized security budget
Module 3: Present the Budget
The Purpose
- Prepare a presentation to speak with stakeholders early and build support prior to budget approvals.
- Present a pilot presentation and incorporate any feedback.
- Prepare for the final budget presentation.
Key Benefits Achieved
- Final presentations in which to present the completed budget and gain stakeholder feedback.
Activities
Outputs
Begin developing a communication strategy.
Build the preshopping report.
- Preshopping Report
Practice the presentation.
Conduct preshopping discussions with stakeholders.
Collect initial feedback and incorporate into the budget.
Prepare for the final budget presentation.
- Final Budget Presentation
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 3-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.
Guided Implementation 1: Review requirements for the budget
- Call 1: Determine which efficacy option is needed.
- Call 2: Review risk management work and the mitigation effectiveness assessment.
- Call 3: Review the security strategy and roadmap.
Guided Implementation 2: Build the budget
- Call 1: Map business capabilities to security controls.
- Call 2: Input all costs including security controls, general expenses, and IT-system specific expenses.
- Call 3: Review three budget outputs based on bare minimum, standard practice, and ideal need, and discuss how to optimize.
Guided Implementation 3: Present the budget
- Call 1: Develop budget stakeholder presentation.
- Call 2: Collect feedback and incorporate into the final budget request.
Contributors
- David Tyburski, CISO, Wynn Resorts
- Rich Mason, President & CISO, Critical Infrastructure, LLC
- Robert Hawk, Information Security Expert, xMatters, Inc.
- Sky Sharma, CIO
- Steven Woodward, CEO, Cloud Perspectives
Design and Implement a Business-Aligned Security Program
Build an Information Security Strategy
Secure Operations in High-Risk Jurisdictions
Develop a Security Awareness and Training Program That Empowers End Users
Build, Optimize, and Present a Risk-Based Security Budget
Hire or Develop a World-Class CISO
Fast Track Your GDPR Compliance Efforts
Build a Cloud Security Strategy
Identify the Components of Your Cloud Security Architecture
Security Priorities 2022
2020 Security Priorities Report
Manage Third-Party Service Security Outsourcing
Select a Security Outsourcing Partner
Improve Security Governance With a Security Steering Committee
The First 100 Days as CISO
Determine Your Zero Trust Readiness
Cost-Optimize Your Security Budget
Threat Preparedness Using MITRE ATT&CK®
Build a Zero Trust Roadmap
Security Priorities 2023
Security Priorities 2024