As 2018 draws to a close, IT and security pros around the country will greet the arrival of budget season with a collective sigh. Negotiating for IT budgets at small or mid-market companies is always a challenge and can be especially difficult if you’re asking for increased security spending from an executive who doesn’t understand the risks of being unprepared for a data breach. However, security budgets are changing rapidly as awareness of security issues among SMBs grows and IT becomes much more complex.
Security spend at SMBs and mid-market companies will increase in 2019 and shift to better protect new hybrid and virtualized networks, secure passwords and improve detection and response times. There are also many tricks to building a good relationship with your organization’s financial decision-maker to help get your security budget requests approved. Let’s discuss both of these areas in more detail.
According to data from 451 Research, 80% of IT practitioners planned to increase their security budget in 2018 with an average increase of 17%. I believe we will see this trend continue in 2019 and be especially prominent at small and mid-market organizations. One of the major contributing factors here is the impact of ransomware on SMBs. A survey from Datto shows as many as 84 percent of surveyed managed service providers had an SMB client who’d been hit with ransomware from Q2 2016 to Q2 2017. Security is still often viewed as a cost, but the risk of ransomware and recent data breaches have convinced many decision-makers that it is a cost worth paying.
At the same time, as organizations move more services to the cloud and explore software-defined networks and IoT device deployments, the traditional approach of protecting the network perimeter starts to change. This means more budget will shift away from security hardware to application security and virtual versions of security products, as well as solutions that can protect IoT devices.
We’ll see more focus on “in-out security” as IT worries more about insiders accidentally leaking information or losing passwords than outsiders breaking through the security perimeter. I believe multi-factor authentication will see an increased share of budget this year as more companies catch onto the weaknesses of passwords. The high cost of recovery from data breaches (60 percent of SMBs hit with a major breach go out of business within six months) will also lead to more spend allocated to detection and remediation solutions.
Working against “the fight to secure the business” is the fact that IT has become much more complex in the last five to eight years, especially for mid-sized and smaller companies where IT pros often have blended roles. Factors like the use of the cloud, a mobile workforce, SaaS applications and more devices per employee to secure are making it harder for IT to secure its environment. There can also be less security understanding at the executive level at mid-market companies, and that makes budget negotiations much more difficult.
Here’s my advice for overcoming unawareness or reluctance in these budget discussions, and for getting security requests approved:
Involve your CFO or comptroller in your planning process long before the negotiations actually start. Build that relationship with them by educating them on how each piece of security technology works and how it reduces risk. For example, instead of talking about the security budget from a general standpoint, break down the budget into subcategories like prevention, detection, response and recovery and explain each one.
Meet regularly with your CFO or comptroller to update them on the status of your network environment and let them know what will need replacing or upgrading and when. This applies to both overall IT budgets and specific budgets for security (if those are separate in your organization). If you’re working on adding some IoT devices to your network, for instance, explain early in the project that those devices will require extra security precautions and changes to the network structure once the project is complete. None of your budget requests should come as a surprise!
Always explain why each expense is necessary and how it contributes to the company’s overall security. For example, if you want to implement a multi-factor authentication solution, share some statistics on the number of data breaches that are caused by poor passwords and list the customer data at your organization that would be at risk if you were breached.
If your organization has a CISO, then the CIO or director of IT should partner with them to present their proposed security budget to the rest of the executives.
Begin budget meetings by briefly explaining your roadmap for the next several years and discussing the state of your organization’s security, including what you do well and what you can improve. This gives your CFO or comptroller valuable context. You might say, “Currently we are spending 80% of our security budget on prevention, but it takes 190 days on average for companies to figure out they’ve been breached. Having good detection and response can reduce that. I want to focus on detection and response next year, then try to improve recovery the year after that.”
The good news is that there is hard data to help you make your case for an increased security budget in 2019. The 2017 Verizon Data Breach Investigations Report found that over 80 percent of hacking-related breaches were caused by weak or stolen passwords. That’s good ammo to prove to your CFO why you need a multi-factor authentication solution this year! Research from Ponemon shows that a data breach costs $141 per person worldwide and $225 per person in the U.S.
The time and cost to recover from a breach are often underestimated – a data breach can mean dozens or hundreds of man-hours taken away from work that improves the business. These are just a few examples of the type of supporting details you should incorporate in budget conversations around security spend.
The silver lining to all the doom and gloom around data breaches these past few years is that they help raise awareness about the importance of information security and capture the attention of people who don’t normally follow these issues. Approaching budget negotiations as a long-term relationship building and educational process with your executive team will dramatically increase the chances of your budget being approved, and your organization becoming more safe and secure.