Cybersecurity Wishes and Dreams: A policy to fix a lot of broken security programs.

In an era where cybersecurity threats are constantly evolving and becoming more sophisticated, organizations within THIS INDUSTRY (a deliberate placeholder; nothing here reflects the position of any current or past employer) must prioritize the protection of their digital assets. A robust policy framework mandating a minimum spend of, for example, 7% of the total IT budget on cybersecurity is not just a prudent measure but a critical necessity. This allocation, dedicated specifically to people, processes, and technology, is essential for enhancing the security posture of these organizations.

The importance of such a policy cannot be overstated. By ensuring that a substantial portion of the IT budget is used strictly for security controls rather than being diverted to general IT maintenance, organizations can build a resilient defense against cyber threats. This proactive investment drives a culture of security awareness and preparedness across the industry, one that mitigates risk and protects sensitive data.

Implementing this policy will also have broader implications for national resilience. As organizations within THIS INDUSTRY strengthen their cybersecurity defenses, they contribute to the overall security infrastructure of the nation. A well-protected industry not only safeguards its own operations but also supports the stability and security of the national economy and critical services.

The policy framework detailed below provides a comprehensive approach to ensuring that organizations within THIS INDUSTRY allocate the necessary resources to cybersecurity, thus enhancing their security posture and contributing to national resilience.

The percentage of the IT budget allocated to cybersecurity varies significantly by industry, reflecting differing levels of risk, regulatory requirements, and organizational priorities. Below is a general overview of cybersecurity spending as a percentage of total IT spending across various industries (sources are a mixture of industry reports, Gartner, Forrester, vendors, etc.):

General Percentages of Security Spend to IT Spend by Industry

  1. Financial Services
    • Range: 10% – 15%
    • Rationale: High regulatory requirements and significant risks due to the sensitive nature of financial data.
  2. Healthcare
    • Range: 6% – 12%
    • Rationale: Increasing regulatory demands (e.g., HIPAA) and the need to protect sensitive patient data.
  3. Government
    • Range: 8% – 12%
    • Rationale: High focus on national security and the protection of citizen data, often driven by regulatory mandates.
  4. Retail
    • Range: 5% – 10%
    • Rationale: Growing importance due to e-commerce, payment card industry standards (PCI DSS), and protecting customer data.
  5. Energy and Utilities
    • Range: 6% – 10%
    • Rationale: Critical infrastructure protection and compliance with regulations such as NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection).
  6. Technology and Telecommunications
    • Range: 7% – 12%
    • Rationale: High dependency on technology and the need to safeguard vast amounts of data and intellectual property.
  7. Manufacturing
    • Range: 4% – 8%
    • Rationale: Focus on protecting industrial control systems (ICS) and supply chain security, though traditionally lower than other sectors.
  8. Education
    • Range: 3% – 6%
    • Rationale: Lower budgets but increasing focus on protecting student and research data.
  9. Hospitality
    • Range: 4% – 8%
    • Rationale: Protecting guest information and payment data, with growing emphasis due to frequent data breaches.
  10. Transportation
    • Range: 5% – 9%
    • Rationale: Protecting operational systems and customer data, with increasing cybersecurity threats in recent years.

Factors Influencing Cybersecurity Spending

  • Regulatory Requirements: Industries with stringent regulatory requirements tend to allocate a higher percentage of their IT budgets to cybersecurity.
  • Risk Exposure: Sectors that handle sensitive data or are critical to national infrastructure generally invest more in cybersecurity.
  • Incident History: Industries that have experienced significant breaches may increase their spending in response to these incidents.
  • Technology Dependency: Organizations highly dependent on technology and digital operations often prioritize cybersecurity investments.

While these percentages provide a general guideline, individual organizations within each industry may vary based on specific risk assessments, regulatory environments, and strategic priorities. Increasingly, organizations are recognizing the critical importance of cybersecurity and adjusting their budgets accordingly to mitigate risks and protect their digital assets.

The Cybersecurity non-discretionary minimum spending policy

Creating a robust policy framework that requires organizations within THIS INDUSTRY to allocate a minimum of (for example) 7% of their IT budget to cybersecurity, focused on people, processes, and technology, is critical for enhancing the security posture of these organizations. The policy must ensure that the allocated budget is used strictly for security controls and not diverted to general IT maintenance. Here is the policy framework:

1. Policy Purpose and Objectives

1.1 Purpose

To establish a policy that mandates a minimum spend of 7% of the total IT budget on cybersecurity, specifically dedicated to people, processes, and technology, and to ensure that this budget is managed and utilized effectively by the Chief Information Security Officer (CISO).

1.2 Objectives

  • Ensure adequate investment in cybersecurity resources and capabilities.
  • Enhance the organization’s security posture.
  • Clarify the distinction between cybersecurity and general IT maintenance spending.
  • Establish accountability and transparency in cybersecurity budgeting and spending.

2. Scope and Applicability

2.1 Scope

This policy applies to all organizations within THIS INDUSTRY and encompasses all departments and personnel involved in cybersecurity and IT management.

2.2 Applicability

This policy applies to all budgetary decisions, financial planning, and audits related to IT and cybersecurity spending within the organization.

3. Budget Allocation Requirements

3.1 Minimum Spend Requirement

  • Organizations must allocate at least 7% of their total annual IT budget to cybersecurity, covering investments in people, processes, and technology.
  • The IT budget used as the base for this calculation includes all IT spending, regardless of which part of the company owns it and whether it is portfolio- or project-based.
  • Year-over-year cuts to the CISO's budget must be capped: when the overall CIO (IT) budget shrinks, the cybersecurity budget may be reduced by no more than half of that percentage, and never below the 7% floor.

3.2 Definition of Security Controls

  • Security controls are the activities, tools, and personnel that protect information systems from cybersecurity threats. They include, but are not limited to:
    • People: Hiring and training cybersecurity personnel, including security analysts, engineers, and incident responders.
    • Processes: Developing and maintaining cybersecurity policies, incident response plans, risk assessments, and compliance management.
    • Technology: Implementing and maintaining security technologies such as firewalls, intrusion detection/prevention systems, encryption solutions, and security information and event management (SIEM) systems.

3.3 Exclusion of General IT Maintenance

  • Expenses for general IT maintenance, such as routine patching, hardware repairs, and non-security software updates, must not be charged against the 7% cybersecurity budget. The boundary is between performing the maintenance (IT operations, funded from the general IT budget) and the security tooling and staff that verify it was done (for example, vulnerability scanning), which is a security control under 3.2.
  • The CISO must not be held accountable for general IT maintenance spending (patching, operations and maintenance, power, etc.) that does not directly enhance cybersecurity.

4. Governance and Accountability

4.1 CISO Responsibility and Authority

  • The CISO must have direct control over the allocated cybersecurity budget to ensure it is spent effectively on security controls.
  • The CISO is responsible for planning, implementing, and overseeing all cybersecurity initiatives funded by this budget.

4.2 Separation of Budgets

  • Clear separation of budgets must be maintained between general IT operations and cybersecurity.
  • Financial records should distinctly categorize expenditures to ensure transparency and compliance with this policy.

4.3 SOC 1/SOC 2/HITRUST Compliance

  • Regular audits (SOC 1, SOC 2, HITRUST) should include checks that verify adherence to this policy.
  • Audits should confirm that the 7% cybersecurity budget is allocated correctly and used exclusively for the security controls defined in 3.2.

5. Reporting and Monitoring

5.1 Budget Reporting

  • The CISO must provide quarterly reports detailing the allocation and usage of the cybersecurity budget.
  • Reports should include specific spending breakdowns on people, processes, and technology.

5.2 Continuous Monitoring

  • Implement continuous monitoring mechanisms to track the effectiveness of cybersecurity investments.
  • Budget allocations should be adjusted based on the evolving threat landscape and organizational needs.

6. Policy Review and Updates

6.1 Regular Review

  • This policy should be reviewed annually to ensure it remains relevant and effective.
  • Involve the CISO, CIO, and other relevant stakeholders in the review process.

6.2 Updates and Improvements

  • Make necessary updates to the policy based on audit findings, technological advancements, and regulatory changes.
  • Ensure that all updates are communicated to and understood by all relevant personnel.

7. Compliance and Penalties

7.1 Compliance Requirements

  • Adherence to this policy is mandatory for all relevant departments and personnel.
  • Non-compliance will be addressed through internal disciplinary measures and may result in penalties as defined by organizational governance policies.

7.2 Enforcement

  • The audit and compliance teams are responsible for enforcing this policy.
  • Regular audits will ensure that the 7% minimum spend on cybersecurity is being met and appropriately managed by the CISO.

Conclusion

This policy framework aims to ensure that organizations within THIS INDUSTRY adequately invest in cybersecurity by mandating a minimum spend and providing the CISO with the authority to effectively manage and utilize these funds. By distinguishing between cybersecurity and general IT maintenance and ensuring compliance through regular audits, this policy will enhance the organization’s ability to protect sensitive data and comply with regulatory requirements.

Final Comment

Without this kind of policy framework kicking off the construction of a cybersecurity program, the entire principle of cybersecurity is just nice to have, subject to the whims of executives with much less to lose than the CISO they can blame. I can’t blame some of the people I know who have dropped out of the CISO role back into general IT or business consulting due to the mismatch between responsibility/accountability and authority/support. You have created a situation where the CISO must focus on the wrong things. You can move the numbers up and down based on the threat level, but in the end, this is about the only way you can guarantee your CISOs will have the resources to do the things you hold them accountable and responsible for. Until then, it’s an art, not engineering. It doesn’t even have to be a federal law. The various frameworks, such as HITRUST, could require it in their next version, and SOC auditors could demand it for the next audit cycle.