How To Get More Cybersecurity Budget

April 3, 2018 | BY Gavin Harris

Additional Thoughts 11/28/2018

It's budget season for organizations and municipalities planning cybersecurity for 2019/2020

I just walked out of a meeting with an Atlanta area municipality and the conversation turned to 2020 budget season.  The Director of IT made a point of saying the City of Atlanta breach referenced below did raise awareness for him and his peers and the need for maintaining a clearly articulated cybersecurity program.  This awareness has loosened up some additional budget to fund some cybersecurity initiatives.  However, he also made a point of clarifying this doesn't mean unlimited access to funds.  As I wrote about below in March, it reinforces the importance of having a clear plan laid out that can effectively communicate the program, the gaps, and the progress made year over year with the additional budget being used to fuel initiatives.  


Living in the city of Atlanta, we have seen firsthand what happens when an organization is not aggressive in addressing known vulnerabilities within its infrastructure. There are plenty of reasons why organizations are slow to act, with a lack of budget and resources at the top of the list. In today's world, where threats are constant, it is no longer just "Name Brands" that are being hacked.

Organizations must fight for the budget to mitigate risk or they are putting their head in the sand

In the City of Atlanta example, a $50k ransomware attack will end up costing the city way more than the hackers' $50k ransom demand. Although it is politically unpopular to request more tax dollars or budget for cybersecurity, the changing landscape requires it. The City of Atlanta's lost productivity, delayed revenues to the city coffers, and negative press will end up costing the taxpayers way more than an increased investment on the front end.

The challenge for many organizations is how to start a Cybersecurity Management Program

There are thousands of cybersecurity tools out there that say they can make you more secure. Organizations must build an ongoing Cybersecurity Management Program in order to communicate with their investors (be it a corporate board or taxpayers). Auditors, cybersecurity consultants and MSSPs can help highlight areas of concern. However, it is up to the organization to create a centrally organized "program" and use that as ammunition to justify increased cybersecurity budget requests.

For many organizations, auditors and consultants play a fleeting role. Once the audit is complete, they provide a report of their findings aligned to a control framework like NIST or ISO 27001 and move on to the next account. These reports (like the one received by the City of Atlanta) often provide glaring insights into the gaps in an organization's cybersecurity posture. Unfortunately, without ongoing oversight or the political will to invest in changes, these reports get put in the drawer when the next organizational fire drill takes precedence. Without an active, ongoing Cybersecurity Management plan with transparent executive oversight, many organizations are able to collectively "put their head back in the sand" and hope and pray that nobody exploits any of the known vulnerabilities.

For organizations taking on this challenge, you start with a living, ongoing plan, with action items that move the organization forward. Just like any SMART goals, if your organization isn't writing them down and collectively assigning ownership, they will not gain momentum. Every organization has areas within their cybersecurity program that can be reviewed and improved.  Apptega is helping organizations drive this accountability process with a centralized Cybersecurity Management program.  

Apptega customers start with an industry framework or best practices (like ISO 27001 or SOC 2) and build in other key controls to create a program unique to their organizational requirements. Once engaged in the process, they start to uncover areas of improvement. Unlike a spreadsheet and one-time audit, Apptega assigns ownership and holds people across the organization accountable for individual components of the program. Instead of the document sitting in the drawer, organizations are "eating the elephant one bite at a time" and making the changes and investments necessary to improve their posture. Our customers are highlighting the organization's strengths and areas of improvement and gaining consensus on the plan to move the organization forward. When the auditors do come in, everything is centrally located and the process is collaborative and effective in highlighting areas to address in the upcoming quarters.

Executive Committees want more insight into the organization's cybersecurity posture

CIOs and CISOs are becoming the new guest stars at the Board Meeting. Apptega Cybersecurity Management software customers have a repeatable, centralized program that provides reporting transparency to the people who control the budget. With an increased level of transparency, CIOs and CISOs are now able to effectively communicate with the Executive Committee and help them make intelligent, informed decisions on investments that balance risk versus financial commitment. In return for the increased cybersecurity budget, Boards and Executive Committees have a mechanism to see progress and hold the organization accountable for hardening its cybersecurity posture.

"Sunlight is the best disinfectant." Justice Louis D. Brandeis


Let us help you get your Cybersecurity program in order.  Sign up for a demo to get started.



Originally posted April 3, 2018 with additional commentary November 28, 2018