I am new to being a manager, and have recently been tasked with putting together a budget for security. This has changed my entire point of view on business operations. So I am now curious....
What do you guys consider to be budget essentials for security?
How do you go about putting your budget together?
How do you accurately forecast your needs for the year?
Do you have any useful resources I can reference?
A long time ago I was taught that everything begins with policy, to inform people, who need products to do their job. I tend to follow these guidelines across all aspects of my work. To develop your budget you must understand:
Policy: What functions are you obligated to perform or deliver on from all sources of policy and procedure: legal requirements, regulatory requirements, business objectives, security framework and whatever else fits within your scope. If you haven't identified what you are required to do, you will end up wasting scarce funds on items that do not contribute to your bottom line.
People: Our people are our best resource. Make certain that they understand what is expected of them and then provide them with the knowledge to deliver; this includes salaries, contracts, job-specific training on what the organization's needs are, what the Risk Management processes that the organization follows are, and any technical training they may need. Do not assume that technical training alone will do the job; they must understand the business needs and impact to properly frame any technical training they receive. Otherwise you may wind up with a lot of expensive, cool and clever things that do nothing for your bottom line.
Products: To be effective, good people need good tools. To have good tools you need to understand the business needs and impact listed above. Prioritize a few well-deployed tools that cover a lot of your attack surface over a lot of niche tools catering to this year's buzzword bingo card. Also remember it is usually better to go with tools that are widely used in the industry over less-known products with great marketing. You want people to be able to use these tools as soon as possible, and it is better if people come in your door already familiar with your tools than having to pay to train your staff on products they have never encountered before. Be certain to plan for and include your incident response program and recovery costs in this list.
Another key item is to make sure you have some management reserve to play with; you never know what tomorrow is going to bring. The last thing you want to do is have your well-thought-out budget accepted, be made to stick to it, and then fall victim to a failure of imagination that you have no additional resources to address.
Hope this helps!
Ok, so I am the security team lead for the building of a new data center, and I found that a lot of the security equipment I was responsible for implementing and so on were all recommendations from the gap analysis that was performed by a third-party entity.
While @StevenJ6052 already provided most of it, let me sum it up and add a tiny bit more....
It all starts with your security policies --- these should be tailored to your organization's requirements, while considering those of any regulatory authorities whose rules your organization is subject to.
The policies essentially state what you should have, and after that you can determine what you will need to achieve this. In terms of resources to meet requirements, there are Processes, People and Technology.
For example, the Network Security Policy states that your organization's network should be protected with a system to prevent illegitimate users from connecting to your LAN / wireless network. To meet this, you might have a Procedure (Process) for your network to be secured with a Network Access Control (NAC) solution (Technology) which will be administered by a Network Security Engineer (People).
To determine your stance and gauge requirements, you'll have to do an initial assessment / Gap analysis --- vendors will sometimes offer this for free. As @Lamont29 said, if you've already had it done by a 3rd party, a good part of the job is over, and you could make use of this to draw up an RFP, although you could even find vendors who'll take care of that part for free.
These resources will have to be budgeted --- & those at the top are usually happier when they see a smaller figure, so you'll want to shave off what you can. For example, outsourcing a service often works out cheaper than purchasing and maintaining a solution yourself.
Finally, to forecast a budget, you have to consider how the organization is going to grow, & keep up with the latest threats and trends. The 1st part of that requires gathering information from the rest of the organization & the 2nd requires that you stay up-to-date.