How does your Organisation decide how much money to spend on security?
With an ever-increasing need to justify and account for all forms of business expenditure, how does an organisation decide how big its security budget should be?
There is often pressure to deliver productivity improvements, and this frequently translates into a desire to reduce costs. Cost reduction can be pursued through traditional programmes such as outsourcing, offshoring and strategic sourcing, but all too often it also takes the form of isolated cost-cutting exercises of the kind that leave the security budget misaligned with either the level of security risk or the needs of the business.
When it comes to the budgeting process, there are several popular methodologies.
“Incremental budgeting”, the technique of using a previous period’s actual or forecast costs as the basis for predicted future expenditure, makes a significant assumption: that the previous budget was originally aligned with the business’s needs and that it will continue to fit the organisation’s future environment.
This method is prevalent because it enables executives and finance managers to develop the ‘cost’ side of the financial plan quickly. Simply applying a fixed percentage increase or decrease to the previous budget allows rapid progress, and in an environment where time is always at a premium, why wouldn’t an incremental process achieve the objective of predicting how much needs to be spent on security in the coming year? The answer is that it predicts next year’s spend from last year’s spend, not from next year’s risk.
A more comprehensive approach is a ‘cost-based’ or ‘zero-based’ budget methodology. There are many versions of ‘zero-based’ budgeting, but they all work on the basis of ‘building the budget from zero’: in other words, not using the previous year’s costs as the starting point, but considering every cost item necessary to run and develop the business. The ‘zero-based’ approach has its drawbacks in terms of time and effort, but it does achieve the goal of ensuring that budgets – including the security budget – are correctly aligned to an evolving environment.
So, ‘How does your organisation decide how much money to spend on security’?
By now you may be wondering what budgeting methodologies have to do with the initial question: How does your Organisation decide how much money to spend on security?
The simple answer is: the method used to develop your business operating budget must ensure that there is no disconnect between the current needs of your organisation and what the budget has to enable you to deliver. Where security is concerned, budgets are all too often determined by incrementally increasing or decreasing the amount spent in the previous year, or security overheads that have built up over time are simply maintained. Budgeting of this kind reflects far too little effort in, and understanding of, why money should be spent on specific, prioritised risk control measures.
How should the security budget be developed?
To answer this question, the security needs of the business must be thoroughly understood. Which services are provided, and which capital investments are made, should follow from those needs rather than from habit. When an organisation is looking to apportion an appropriate budget for security, it is essential that a number of “foundation factors” are fully understood. This informed position can be developed at any time, but if it is intended to influence budget decisions, it is recommended that the work commences at least 6 months, if not 9 months, in advance of the budget publication date.
“Foundation factors” provide the information platform for future decision making. The stronger and broader the foundation factors are, the more closely aligned to the business needs any future security decision will be.
So, is your business spending too much money on security, or not enough? Are you focusing expenditure in the right areas, or leaving vulnerabilities exposed to exploitation? Is the security budget absorbing other business service costs that belong in a different budget? The first step towards answering these questions is to build a strong set of foundation factors.
Security Threats and Risks
The first “foundation factors” to consider are security threats and risks. This subject is often disconnected from the budgeting process, yet it is essential in setting the tone for the type and scale of mitigation measures that may be necessary. The threat environment and risk exposure have to be assessed in context: your geographic location, proximity to external threats, industry, environment, assets and so on are all relevant when measuring threat and risk exposure.
A “high risk” business operation in an environment exposed to a significant threat level will typically require a larger security budget than a “low risk” business operating in a location where security threats are minimal. Other factors will influence that decision, and we’ll return to the subject of “risk tolerance” shortly.
It is surprising how regularly the threat and risk situation plays only an incidental role in deciding what the security budget should focus on and what level of investment should be made. By understanding the threat and risk environment you should be able to develop a hierarchy of risks, which enables prioritisation and also reveals connectivity – cases where the mitigation of one risk automatically helps to mitigate another, so that a single control can be justified against several risks at once.
Risk Tolerance and Operational Requirements
A further “foundation factor” that needs to be established is the tolerance the business has towards security risks. A significant tolerance for risk may result in a reduced security budget, but how much risk can your business actually afford to accept? In recent years there have been numerous, well-publicised cyber and physical security breaches which have substantially depressed the victim organisations’ share prices and, in some cases, cost senior company officers their positions. Understanding how much exposure to risk a business is prepared to live with allows executives and finance managers to factor this into their budgeting processes.
The more clearly the operational requirements are communicated, the more closely the security measures can be aligned to the business needs. As an example, it would be easy to justify a security guard at reception if the operational requirement stated that all visitors must be escorted beyond reception by an authorised person, as a consequence of the security risk associated with having non-authorised people in functional business areas. Once the level of risk tolerance is factored in, the result is a clear justification that should be considered for inclusion within the budget.
Other Foundation Factors
Other “foundation factors” include items such as the Security Strategy, the Security Master Plan, equipment life cycles, Crisis Management, Business Continuity and Disaster Recovery Plans, as well as other organisation specific information.
The full set of foundation factors:
- Security strategy
- Security threats and risks
- Security master plan
- Risk tolerance
- Equipment life cycles
- Operational requirements
- Crisis management
- Business continuity
- Disaster recovery plans
- Organisation specific information
The ability to flex a security budget with changing business needs and threat conditions is something most business executives would want.
However, any decision made without a deep understanding of the “foundation factors” is, in effect, guesswork. It may be an educated guess, but if the rationale for removing a particular security measure cannot be tied directly to the security threat environment, the security risk exposure, a change in risk tolerance or a change in the business’s operational requirements, the decision will be difficult to justify when justification is demanded.
The same applies to a capital expenditure request that does not have the same foundation factors behind it. A strong business case with well-researched and clearly communicated foundation factors stands a much better chance of securing funding.
So, ‘How does your organisation decide how much money to spend on security’?
The answer to this question should be closely aligned with the ‘foundation factors’ of your organisation. How much is necessary to protect your organisation from the prevailing security threats, allowing it to prosper and develop in line with its business plan? In determining just ‘how much is necessary’, executive leaders must factor in the business’s risk capacity and ensure that their risk tolerance is aligned with the security strategy and operational requirements.
How to decide how much money to spend on security?
The next time you are working on your organisation’s financial plan, use a ‘zero-based’ approach to align your security budget with your precise business needs, in the context of your own business’s culture.
Although some research will be necessary, the insight you gain will make your decision making quicker and more accurate, and the business case you produce will be that much more compelling. There is no magic formula or algorithm that can produce a definitive answer, but by using this tried and tested process the result will be based on your organisation’s unique criteria and will rest on an informed procedure that stands up to scrutiny.
For more information on Security Budgeting as well as a range of other Security Consultancy services please contact us via telephone or our website.
CornerStone GRG Ltd
8 City Road
London, EC1Y 2AA
tel: 020 3405 4956
The contents of this document are provided on an “as is” basis. No representation or warranty (either express or implied) is made as to the completeness, accuracy or reliability of the contents of this document. Advice given and recommendations made do not constitute an assurance against risk or a warranty of future results by CornerStone GRG Ltd.
Intellectual Property and Copyright
This document includes registered and unregistered trademarks. Any trademarks displayed are the trademarks of their respective owners. Your use of this document does not constitute or create a license or any other right to use the name and/or trademark and/or label. This document is subject to copyright owned by CornerStone GRG Ltd. You agree not to copy, communicate to the public, adapt, distribute, transfer, sell, modify or publish any contents of this document without the express prior written consent of CornerStone GRG Ltd.