Cyber budgeting is a good subject to start with, as most in the corporate world are squeezed for money and budget, or have no budget at all.
Well, the need for cyber budgeting, or the lack of it, stems from how an organisation, an industry, a country or the world at large views cyber security. To my mind, cyber security at any level is viewed either as a prefix to the information technology / operating environment or as a postfix. The odds are stacked mostly in favour of postfix, and therein lies the problem of cyber budgeting.
In a postfix-oriented organisation, the need for cyber security is felt only after some breach or compromise happens. Even then, the feeling is mostly temporary, lasting only until the incident is gotten over. In such cases, there is hardly any provision for cyber security budgeting. Or maybe it is hidden under the carpet of IT budgeting.
Is there a rationale behind this approach? The answer is “Yes”, but only if one agrees to live in a world of complacency based on a past history of no known cyber-attacks. Unfortunately, this is what we see in most organisations. Cyber budgeting and cyber security in such cases are good talk time: words spoken of, but neither heard nor implemented.
On the better side, in a prefix-oriented organisation, the cyber budgeting exercise stems from a well-laid-down cyber security plan. The cyber budget is micro-scoped, may I say, to the desk level of each employee, in terms of the ‘Dollar Value’ that will be required to secure the desk environment, and macro-sized by aggregation and extrapolation to the organisation-wide level. The beauty of this end product, the “Cyber Budget”, is that it is based on the cyber security risks perceived at various levels in the organisation and on the age-old adage ‘The wearer knows where the shoe pinches’, both in terms of risk and dollars. With this approach, everyone is aware of the trade-off, if any, between the cyber budget required and the one actually provided.
In an organisation that considers cyber security a prefix to any functionality, be it network, application, infrastructure or human resources, the cyber budget operates under its own umbrella to counter any rain of cyber-attacks. The cyber budgets there are not a fixed dollar amount but an open well into which time, resources and effort are pumped, in an effort to keep hackers at bay at all times. Sounds like an ideal situation, far removed from reality, but perhaps that is the need of the hour with the information and data glut all around.
In such organisations, where cyber security is a prefix, the cyber budgets are created with a focus on preventing an attack; if prevention fails, detecting it; and, having detected it, correcting it at the earliest. Cyber budgeting in such cases merges with the much-talked-about defence-in-depth approach in cyber security. In such organisations, there is no such thing as ‘We will cross the river when it comes’, and as such the cyber budgets have built-in contingency amounts readily available.
Net-net, for such organisations, when it comes to budgeting, cyber security ranks shoulder to shoulder with the key raw material!
The budget makers are well versed in the ‘no ifs and no buts’ of cyber security. The budget makers may be proactive and consider cyber budgets as an ‘Investment Budget’ and not an ‘Expenditure Budget’. An ‘Investment Budget’ comes with a clear vision that such investments will not only protect the dollar revenues but will also swell them over the years, as the tools and controls built out of those proactive budgets have had, and will always have, a long-term impact.
While we may be far away from the ideal situation when it comes to ‘Cyber Budgeting - Concept, Meaning and Approach’, as a security professional community, and considering the current cyber world, we strongly believe a paradigm shift towards the ideal situation is very soon in the offing.
I want to conclude with a note of caution:
Cyber security tools, processes and technologies are not good or bad; how they are put to use is what really counts, whether backed by the requisite budget or not.