Author: Rick McElroy, Security Strategist, Carbon Black
In my previous blog, I highlighted the importance of CEOs understanding risk management by being able to confidently answer the question, “How are we managing risk, and what is the structure of the team in charge?”
The second question we’ll tackle is on budget. This is a critical part of any business strategy and the questions CEOs should consider are: “What percentage of the budget is security? Are we funded and staffed sufficiently? What’s the budget growth or decrease year over year?”
The answers should make clear what your organization’s IT security costs and whether that cost is commensurate with the risk your organization carries. Tracking them over time also lets you analyse how your security investment has changed from year to year.
As a CEO, it is not necessary for you to know WHAT technology you are buying to manage risk (e.g. Carbon Black or McAfee), but you should know which capabilities and controls are the RIGHT ones to bring risk down to an acceptable level.
The risk acceptance level of each organization will vary based on a number of factors. One of them is which security controls the organization buys. Controls can be technical or administrative safeguards, implemented to avoid, counteract or minimize the loss or unavailability of valuable data caused by threats. As the threat landscape continues to evolve, the range of security controls on the market keeps growing. Organizations often buy controls for specific threats without first assessing how much risk those threats actually pose to them. The result is redundant purchases that strain the security budget.
Remember, from your perspective, the technology doesn’t matter. What does matter is the ability to staff appropriately and invest in the RIGHT capabilities that will collectively help to achieve the risk goals you have set.
The staffing part of this conversation will also help you understand the existing talent gap and identify the skills your team needs to develop in order to become robust and sustainable enough to keep up with a rapidly evolving risk landscape. People are only valuable to the program if they hold the skills needed to deliver on the Commander’s Intent you set forth at the beginning.
The final area you should understand is how the security program relates to the business. As a general rule, if the business is growing, your investment in security should grow too: the larger your business, the bigger a target you become. Your security program should be flexible enough to track business performance, whether the business grows, declines or changes strategy. Having this conversation regularly ensures your IT security budget stays correctly sized for your organization, whatever its performance.
Security is never free. It is an investment that can help secure the success of your business, but only if the right amount of money is spent at the right time. Reviewing your IT security budget regularly will also prepare you to answer your board members when their questions come. With the increasing global focus on data privacy regulations, those questions will be coming soon if they have not arrived already.