What To Consider When Security Budget Planning

Sign up to receive our blog posts in your inbox.
 

As budget time comes around it is important for the security executive to keep top of mind, that budget planning is more than Capital expenditures (CAPEX) and Operating expenses (OPEX).  Security budget planning should also be tied to the enterprise security strategy plan and its protection short- and long-term goals. Because no one gets a blank check for security.  It may be helpful to think about reaching protection goals by creating milestones or steps which will ultimately accomplish the goals.  The milestones can usually be divided into two categories which management can better understand and which building an effective business case can clearly articulate the business value of the security initiatives.

The two categories are Preventive and Reactive security services. 

  • Preventive Security Initiates are security initiatives designed as precautionary. For example; 
    • Workplace violence prevention and training, 
    • Active shooter planning and drills, 
    • Threat management team configuration,
    • Critical Incident Management and Business Continuity planning and exercise
    • Physical Security design – to deter, prevent and respond to unauthorized access   
  • Reactive Security Initiates are security initiatives designed to react or respond to some event. For example; 
    • Workplace violence and active shooter response to incident
    • Investigations for possible corporate policy or criminal violations  
    • Kidnapping and Ransom events 
    • Man-made or natural adverse events that impact employees, facilities and impact the business 

Next step is associating security spend for your preventive and reactive security programs in your business cases for the security budget. The security business case is a crucial because it is the bridge between technical security verbiage for the security skilled and clarified business value for executive decision makers.

Without a compelling security business cases, the security initiatives may be doomed to be undervalued by executives and subsequently fail. However, if you can nail the business case, you can consistently build a security program perfectly aligned to the business’s most important objectives.

The following is a format which you may wish to consider for your business cases: 

•    Executive Problem Statement: Why is matters and what is the negative impact to the company if this item is not addressed? 

•    What are you asking management: It is very important to be clear and unambiguous about what you are asking from management and by when – assuming there is a time sensitivity to the issue. 

•    Expected Benefits: Explain what the positive outcome management can expect. 

In most organizations, especially larger ones with many employees and a national or global footprint, senior leaders do not have a view into real-time security status, therefore, it is difficult for some to see the benefits of changing a process to produce a better future security posture.  

The following security business gap analysis helps explain the current status, future status, cost benefit and ROI.   The below example is a common way to depict your business case in a PPTX format if that is what is more common in your organization.  
 

Security Business Gap Analysis 

Current Security Gaps Future Security Posture
Bullet form - specific, direct in explaining, and outlining the security gap that is the root cause of the issue. Be professional and do not place blame on any person or group. It is important to understand that management may want to explore how this happened, however, this can result in your request for improvement to get bogged down with an unnecessary blame game.  Your future state bullets should mirror the gaps in sequence and reflect how they will address the gaps.  Ensure you have supporting material and research in the event management requests to see evidence of your assertions. 

 

Cost & Cost Avoidance vs. Benefit Analysis

Costs Return on Investment (ROI)

Costs: Include ALL costs, be sensible and upfront about all costs. If needed, include an addendum reflecting an executive summary.  Verify your numbers with your cross-business partners. No surprises!

Cost Avoidance: As with many preventive security programs, it may be difficult to quantify the ROI for a program that prevented a security breach. You may wish to research the avg case costs $ x thousands or millions in damages – if it can be shown the company failed to act by putting in place security preventive measures to protect its employees from a possible and high probability security event. 

ROI is calculated by subtracting the initial value of the investment from the final value of the investment (which equals the net return), then dividing this new number (the net return) by the cost of the investment, and, finally, multiplying it by 100.  When you are clear on the cost and cost avoidance - the value of your request should reflect the benefits in terms of ROI.

 

Benefits
Most security projects, the benefits should be outlined in terms of cost savings (time and money), support of revenue generation, or better risk management posture. Ensure that the benefits solve the security gap executive problem statement.

 

 

•    Socialize the Business Case with your stakeholder 
•    Present the business case with your stakeholders, if possible to senior leadership

Present to management & obtain a commitment of next steps and timelines. 
If senior leaders need more to consider, there is a chance you will lose valuable time and your stakeholders may lose interest in supporting the security project(s).  It is important to professionally keep the topic top of mind, ask, and drilldown on what additional information the senior leaders need to make a decision.   It’s always a good idea to create next steps at the end of any meeting, especially one where you have made a security business case.  As a security leader, it’s also important to realize when senior leadership has decided not to decide.  In these instances, it is important to be self-aware and cognizant of your overall security strategy and make decisions about which battels to continue to fight and which to leave for another day

The aforementioned approach and steps are common in most business cases; therefore, it is important that as a security executive we are able to utilize the format used by other business executives seeking to have management spend capital on initiatives.  The security business case, can help you build a security program aligned to the business’s most important objectives.  Showing the security gap, future state to correct the gap, return on security spend / cost avoidance, is a solid approach to move your security program and budget forward.  Good luck

Art Fierro

Art Fierro, CISM, CPP
Vice President, Investigations Practice
Allied Universal® Risk Advisory and Consulting Services
Art.Fierro@aus.com

Art F. Fierro has over 30 years of experience in corporate and government (FBI) global security. Art joined Allied Universal after having held CSO and executive corporate security leadership positions in various global multinational corporations.   Art leads Allied’s global investigation practice consisting a of strong bench of experienced global investigators. Art holds a Bachelor of Science degree in Criminal Justice from the University of El Paso. He is a Certified Information Security Manager (CISM), and a Certified Protection Professional (CPP).