Whether you follow the calendar year or the tax year, budgeting and financials are the bane of most cyber leaders’ lives. With a bit of structure and best practice, they don’t have to be.

Organizations’ financial years start on a variety of different dates. Some follow the calendar year and begin on January 1 (probably not a decision the CFO made, as it means year-end is over the December holiday period!), and in the U.K. the tax year begins on 6 April and many organizations align with that. Whenever your financial cut-off is, you’ll spend much of the preceding six months thinking about your budget for the coming period.

In its theoretical, basic form, budgeting is really easy: think what you need to do, how many staff you need, what new kit you need to buy, what historical recurring costs you need to account for, add up some numbers, done. Oh, if it were really that simple in real life!

The First Rule of Budgeting

Start by getting an idea of what the target number is. There’s really no point punting for $10 million if the reality is that $2 million is what’s affordable – all you’ll do is waste everyone’s time. Once you have your target, though, don’t take it as gospel – aim high and never, ever come in below it. If you put in a budget that adds up to more than the target, there’s always the potential to trim things from it if asked; if you go in below the target, though, the CFO will never say: “You’re a bit short, is there anything you’d like to add?”

CapEx or OpEx?

Next, understand the organization’s preferred approach to accounting for technology and cyber spend. Some like the model of accounting for spending in the year it takes place (the “operational expenditure”, or “OpEx” model) while others like to account for spend on capital items (IT hardware, vans … assets with a tangible value, basically) by depreciating them over a number of years. So, if you spend $100,000 on server kit in the OpEx model, that’s a $100,000 hit in the year in which the purchase was made. In the CapEx model, though, if you consider a server as having a five-year lifetime that’s $1,666.67 per month for the next 60 months.

To this point, have in mind the importance of each item on the list – which means being aware of what you’re willing to knock off if you have to, and in what order. Also, “importance” is not some vague concept that relies merely on your opinion of what’s essential and what isn’t: in many cases cybersecurity systems exist because if they didn’t, the company would be failing to comply with internal policies, regulators’ requirements or even the law. If taking something out of the budget would cause legal or regulatory issues, it fits firmly into the “non-negotiable” category; and if the problem is one of internal compliance, then at the very least you need to point out to the bean-counters that you can only cross it off if the senior management team agree to a waiver for that policy breach.

The Value of People

A tangible chunk of your budget will relate to people – employees and contractors. The rule of thumb here is: try your absolute darndest not to reduce your employee headcount, even if pestered to do so. “If you can do without this role next year, we’ll reintroduce it the following year” is sometimes a misguided statement but most commonly a bare-faced lie – because in 12 months’ time the line you hear is: “Well, you did okay without it this year, so why do you need it next year?” Particularly in Europe, laying off employees is a non-trivial and often expensive thing to do anyway, so try to hang onto them.

Next, add in the things that you can’t avoid paying for. The first is ongoing costs that you’ve contractually signed up for – if you’re in year two of a three-year maintenance agreement for your firewalls, or for your anti-malware software, they need to go in. The second item in this category is the stuff you bought using the CapEx model discussed earlier. The upside of this model is that it reduces the theoretical in-year spend, while the downside is that you must include the cost for every year of its depreciation; many a CTO, CIO or CISO has been bitten budget-wise by the depreciation costs of what their predecessors bought a few years back.

Nice to Have Items

Once all the above is done, you can put in the rest – the “discretionary” items, one might say. For each one, think hard before including it: the world is full of cybersecurity software and systems that cost loads but aren’t really being used to anything like their full capability. If you decide to include something, do so only if you’re convinced that you will be able to get value from it; it might be better to spend that money on something else instead. Be ruthless with things that you already have: if there’s something you’re not really using and you’re not stuck with a long-term license or an ongoing depreciation cost, why not consider getting rid of it? You’ll save the organization money, you’ll save yourself (and probably the CIO/CTO team) time and effort, and it’ll do no harm at the budget meeting because you’ll be seen as being prudent and considerate with company funds.

And finally, we come to that budget meeting we just mentioned. Approach it like a grown-up, and don’t be petulant or unreasonable if there’s a challenge to some of what you’ve put in there. It’s the senior management team’s job to ensure that the organization’s money is spent rationally and responsibly, and they wouldn’t be doing their job if they simply waved it through without question. Each of the items in your budget should be there because you can justify it – so justify it! And if you’re asked if the organization can live without a particular item, try to take the approach of “Yes, if” rather than “No, because”. If they’re trying to drop something mandatory (the second year of a three-year anti-malware license with no escape clause, for instance) then of course the answer is a flat “No, because”; but if you could live without something then take the attitude: “Yes, we can do without X so long as we do Y and Z instead” – where Y and Z are cheaper, of course!

Cybersecurity Budgeting Need Not be Complex

You don’t need a degree in accountancy to build and run a cyber budget. Quite frankly, the only difference between a $500,000 budget and a $5 million budget is an extra zero (so don’t be scared – they’re just numbers). Be prudent and logical and you’ll be surprised how easy it is.

But bear one thing in mind. Just as the late U.K. Prime Minister Harold Wilson is quoted (some think wrongly) as saying that a week is a long time in politics, a year is an even longer time in budgeting. The budget you agree at the beginning of the year is merely a number decided at a point in time. Who knows what events might come in unexpectedly from left field between now and the end of the financial year? No matter how big your metaphorical crystal ball, there is every chance that you will need to spend money you weren’t expecting to spend, or be asked to tighten the purse strings because of some unforeseen financial catastrophe (COVID-19, for instance). So don’t just be pragmatic during the budget process; be equally pragmatic throughout the year.
