2021 infosec budget

Are you responsible for your organisation's information security or cybersecurity budget? Are you busily putting the finishing touches to your 2021 budget request, still working on it, just thinking about it, or planning to do it, honestly, when you next come up for breath?

Budgeting is generally a dreaded, stressful management task. Not only do we have to figure out the figures but we typically anticipate a tough battle ahead leading (probably) to a disappointing outcome and yet more problems.

On top of that, 2020 has been an exceptional year thanks to COVID. The business and information security implications of knowledge workers suddenly working from home, en masse, are still playing out now, while the economic impacts of COVID do not bode well for any of next year's budgets except perhaps for the manufacture of vaccines, masks, gloves, sanitiser and respirators.

A substantial part of information security expenditure is (whatever we may believe as professionals) discretionary. The decision to go for ISO/IEC 27001 certification, for instance, flows largely from management's appreciation of the business value of investing in information risk and security management good practices. There may be specific drivers such as incidents, compliance pressures or demands from business owners, partners and prospective customers, but even then there are numerous options and factors to consider such as:

• The objectives for the Information Security Management System - what it is expected to achieve;
• How broadly or narrowly to scope the ISMS;
• At what pace to implement the standard, and how precisely;
• What resources to assign to the implementation, not least a suitable implementation project manager/consultant and project team;
• Priorities for this work relative to other business activities, objectives and requirements, making adjustments as necessary (both initially and as the project proceeds when stuff comes up - as COVID did, for instance);
• Alignment with other corporate projects and initiatives e.g. exploiting strategic opportunities to update various systems, policies and processes for security and other reasons, at the same time;
• Change management aspects: does the organisation have the capacity and appetite first to adopt and assimilate the ISMS, and secondly to get the most out of it; 
• Project risks e.g. the possibility that things probably will not go entirely to plan, hence the need for dynamic responses and contingency funds.

Identifying and addressing all that, and more, means a shed-load of work for management at this time of year. Not only must cunning plans be developed, they must be 'sold' to the organisation - particularly senior managers responsible for the big decisions about strategies, budgets, resourcing etc. but also the managers of other corporate departments/functions who are all, in effect, competing for slices of the same pie.

An important preliminary step, then, is to convince senior management that a 'management system' or 'governance framework' for information risk and security is more than just a matter of best practices or compliance. It gives managers the information and levers necessary to direct, guide and monitor information security, supporting and enabling the achievement of business objectives. 

With that established, it is worth exploring the additional business value of certification. An ISO27001 compliance certificate from an accredited and respected certification body is like a stamp of approval ... but there's more to it. Consider our business case for an ISMS for strong clues about how to persuade management that implementation makes sense for the business. Taking it all into account, the benefits are overwhelming. You'd be nuts not to at least explore the possibility as part of your proposals for 2021.