Whether you follow the calendar year or the tax year, budgeting and financials are the bane of most cyber leaders’ lives. With a bit of structure and best practice, they don’t have to be.
Organizations’ financial years start on a variety of different dates. Some follow the calendar year and begin on January 1 (probably not a decision the CFO made, as it means year-end is over the December holiday period!), and in the U.K. the tax year begins on 6 April and many organizations align with that. Whenever your financial cut-off is, you’ll spend much of the preceding six months thinking about your budget for the coming period.
In its theoretical, basic form, budgeting is really easy: think what you need to do, how many staff you need, what new kit you need to buy, what historical recurring costs you need to account for, add up some numbers, done. Oh, if it were really that simple in real life!

The First Rule of Budgeting

Start by getting an idea of what the target number is. There’s really no point punting for $10 million if the reality is that $2 million is what’s affordable – all you’ll do is waste everyone’s time. Once you have your target, though, don’t take it as gospel – aim high and never, ever come in below it. If you put in a budget that adds up to more than the target, there’s always the potential to trim things from it if asked; if you go in below the target, though, the CFO will never say: “You’re a bit short, is there anything you’d like to add?”

CapEx or OpEx?

Next, understand the organization’s preferred approach to accounting for technology and cyber spend. Some like the model of accounting for spending in the year it takes place (the “operational expenditure”, or “OpEx” model) while others like to account for spend on capital items (IT hardware, vans … assets with a tangible value, basically) by depreciating them over a number of years. So, if you spend $100,000 on server kit in the OpEx model, that’s a $100,000 hit in the year in which the purchase was made. In the CapEx model, though, if you consider a server as having a five-year lifetime that’s $1,666.67 per month for the next 60 months.
To this point, have in mind the importance of each item on the list – which means be aware of what you’re willing to knock off if you have to, and in what order. Also, “importance” is not some vague concept that relies merely on your opinion of what’s essential and what isn’t: in many cases cybersecurity systems exist because if they didn’t, the company would be failing to comply with internal policies, regulators’ requirements or even the law. If taking something out of the budget would cause legal or regulatory issues then it fits firmly into the “non-negotiable” category; and if the problem is one of internal compliance, then at the very least you need to point out to the bean-counters that you can only cross it off if the senior management team agree to a waiver for that policy breach.

The Value of People

A tangible chunk of your budget will relate to people – employees and contractors. The rule of thumb here is: try your absolute darndest not to reduce your employee headcount, even if pestered to do so. “If you can do without this role next year, we’ll reintroduce it the following year” is sometimes a misguided statement but most commonly a bare-faced lie – because in 12 months’ time the line you hear is: “Well, you did okay without it this year, so why do you need it next year?” Particularly in Europe, laying off employees is a non-trivial and often expensive thing to do anyway, so try to hang onto them.
Next, add in the things that you can’t avoid paying for. The first is ongoing costs that you’ve contractually signed up for – if you’re in year two of a three-year maintenance agreement for your firewalls, or for your anti-malware software, they need to go in. The second item in this category is the stuff you bought using the CapEx model discussed earlier. The upside of this model is that it reduces the theoretical in-year spend, while the downside is that you must include the cost for every year of its depreciation; many a CTO, CIO or CISO has been bitten budget-wise by the depreciation costs of what their predecessors bought a few years back.

Nice-to-Have Items

Once all the above is done, you can put in the rest – the “discretionary” items, one might say. For each one, think hard before including it: the world is full of cybersecurity software and systems that cost loads but aren’t really being used to anything like their full capability. If you decide to include something, do so only if you’re convinced that you will be able to get value from it; it might be better to spend that money on something else instead. Be ruthless with things that you already have: if there’s something you’re not really using and you’re not stuck with a long-term license or an ongoing depreciation cost, why not consider getting rid of it? You’ll save the organization money, you’ll save yourself (and probably the CIO/CTO team) time and effort, and it’ll do no harm at the budget meeting because you’ll be seen as being prudent and considerate with company funds.
And finally, we come to that budget meeting we just mentioned. Approach it like a grown-up, and don’t be petulant or unreasonable if there’s a challenge to some of what you’ve put in there. It’s the senior management team’s job to ensure that the organization’s money is spent rationally and responsibly, and they wouldn’t be doing their job if they simply waved it through without question. Each of the items in your budget should be there because you can justify it – so justify it! And if you’re asked if the organization can live without a particular item, try to take the approach of “Yes, if” rather than “No, because”. If they’re trying to drop something mandatory (the second year of a three-year anti-malware license with no escape clause, for instance) then of course the answer is a flat “No, because”; but if you could live without something then take the attitude: “Yes, we can do without X so long as we do Y and Z instead” – where Y and Z are cheaper, of course!

Cybersecurity Budgeting Need Not Be Complex

You don’t need a degree in accountancy to build and run a cyber budget. Quite frankly, the only difference between a $500,000 budget and a $5 million budget is an extra zero (so don’t be scared – they’re just numbers). So be prudent and logical and you’ll be surprised how easy it is.
But bear one thing in mind. Just as the late U.K. Prime Minister Harold Wilson is quoted (some think wrongly) as saying that a week is a long time in politics, a year is an even longer time in budgeting. The budget you agree at the beginning of the year is merely a number decided at a point in time. Who knows what events might come in unexpectedly from left field between now and the end of the financial year? No matter how big your metaphorical crystal ball, there is every chance that you will need to spend money you weren’t expecting to spend, or to be asked to tighten the purse strings because of some unforeseen financial catastrophe (COVID-19, for instance). So don’t just be pragmatic during the budget process; be equally pragmatic throughout the year.