October 8th, 2020

Budge-IT - WST

It’s October, and for many that means it is budget time. Or did you assume information security will just be a part of IT’s budget? According to the FFIEC Cybersecurity Assessment Tool, a “baseline” requirement indicates: “The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20).” So be ready to budge – IT and allocate appropriate resources for 2021.

Whether you’ve already submitted your 2021 budget or not, you might consider the following items. They may help your planning for 2021, or you may find you need to go back to your CFO and plead for mercy…

An information security budget should include items such as:

  • Independent assessments, tests and audits (e.g., penetration tests, social engineering, vulnerability assessments, etc.)
  • Software licenses for security-related systems (e.g., SIEM system, IPS/IDS systems, web content filters, firewalls, email security appliances, encryption, antivirus, scanners, etc.)
  • Hardware – for leases or for planned upgrades/implementations. Include firewalls, servers, security appliances, and any other system that relates to the security infrastructure.
  • Security Certificates and registrations (for websites, domain registrations, security appliances, etc.)
  • Training and Conferences related to information security (incl. travel expenses)
  • Misc. Services – Forensic examiner retainer, monitoring services, technical consultants, etc.

To keep pace with emerging threats and regulations, Information Security Programs need to continually grow skills and response capabilities. Be sure to factor in the expected annual price increases, product upgrade charges, etc. (include a “fudge factor” so that, if prices come in higher than expected, you can still look good at year-end). Also, remember to factor in the additional human resources needed to manage the expanding demands.

Some other budget planning suggestions:

  • Keep a “next year” planning worksheet and update it throughout the year, adding in reminders to include improvements that you’ve noted during the current budget period.
  • Keep a shortcut to your planning worksheet on your computer’s desktop, so you can easily find and modify it as you think of things throughout the year.
  • Keep track of “actual” compared to “budgeted” expenses as the year progresses, to help in fine-tuning your estimates for next year’s budget.
  • Note which budget items are “must have” (such as IPS/IDS, firewalls, log management systems, testing, etc.) and which are “should have,” in case of budget cuts OR if the budget fairy gives you an unexpected allowance to improve your security posture. Either way, you will have ready answers.
