Blog #15 of ~20 in ECRM Framework & Strategy Series
ECRM Budget Philosophy
If you are starting this ECRM Framework & Strategy Series here, with Blog #15, you may wish to review some previous posts:
- #1, Introduction – Overseeing the Development of Your ECRM Framework and Strategy
- #2, Getting Started with the Development of Your ECRM Framework and Strategy
- #3, Setting ECRM Guiding Principles, Aligning Business and ECRM Strategic Objectives, and Clarifying Governance
- #4, Basic Cyber Risk Management Terminology
- #5, Selecting and Adopting an ECRM Framework, Process, and Maturity Model
- #6, Risk Rating and Risk Appetite
(For the complete list of all posts in this ECRM Framework & Strategy Series, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)
In each post in the series, I cover one or more aspects of developing your Enterprise Cyber Risk Management (ECRM) Framework and Strategy and associated sections of the Table of Contents of an ECRM Framework and Strategy document.
This series aims to explain the content needed in each part of the document and provide a good head start on developing and documenting your ECRM Framework and Strategy.
Introduction
The topic of the ECRM Framework and Strategy and related documentation covered in this post is:
- ECRM Budget Philosophy
(For the complete Table of Contents of an ECRM Framework and Strategy Document, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)
So, how much should your organization spend on your ECRM Framework and Strategy and the cybersecurity strategy it produces? How must expenditures be justified? In whose budget should the ECRM and cybersecurity CapEx, and OpEx funds reside? What are the assigned roles and responsibilities for the ECRM budgeting process? Should ECRM and cybersecurity costs be considered part of the IT budget? Should ECRM expenditures be regarded as an unusual bubble of costs that will ultimately be tamed and managed down as a percent of total OpEx, revenue, or some other denominator? How do you decide how much to spend on what? There are many ECRM budget and funding questions to consider.
Why Create an ECRM Budget Philosophy
Like other elements of your ECRM Framework and Strategy, increasing regulations and enforcement explicitly call for transparency in how your organization will fund and manage ECRM expenditures.
As an example, consider the SEC’s proposed Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks,[1] in which I highlighted that, under risk management and strategy, specific proposed SEC disclosure items would require disclosure of whether cybersecurity risks are considered part of “the registrant’s business strategy, financial planning, and capital allocation, and if so, how”[2] and “whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.”[3]
As another example, both DFARS (Defense Federal Acquisition Regulation Supplement)[4] and the CMMC (Cybersecurity Maturity Model Certification)[5] aim to enhance the cybersecurity of the Defense Industrial Base (DIB) and ensure that contractors and subcontractors meet minimum cybersecurity standards. DFARS and CMMC recognize that cybersecurity is not just a technical issue but also a business issue that requires proper investment and resource allocation. DFARS clause 252.204-7012[6] requires contractors to “provide adequate security” on covered defense information (CDI) by implementing the security controls specified in NIST SP 800-171.[7] Providing adequate security requires proper resource allocation, which includes budgeting and capital allocation, to ensure that the organization’s information security program is adequately resourced.
What drives you to create an ECRM Budget Philosophy should go beyond law, regulation, and enforcement. With the steady increase in cyberattacks and the reality that these adversarial and other threat sources may compromise your digital strategies, you must shore up your philosophy and processes around financial planning and capital allocation.
Boards are recognizing this requirement as part of an essential principled-based approach to ECRM as illustrated in the NACD publication Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards[8], which includes as Principle #4:
Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget. [Emphasis added]
The same principle was reinforced in NACD’s most recent 2021 Principles for Board Governance of Cyber Risk,[9] as well.
Cybersecurity spending has increased as organizations recognize the importance of protecting their digital assets from cyber threats. Last June, Gartner forecasted that “spending for the information security and risk management market would grow to $172.5 billion (current U.S. dollars) by the end of 2022, with a constant currency growth of 12.2%. They predicted the market will reach $267.3 billion in 2026, with a constant currency CAGR of 11.0% (2022 to 2026).”[10] This growth is driven by various factors, including the increasing sophistication of cyber threats, the growing regulatory landscape, and the impact of digital transformation on organizational risk profiles.
While overall cybersecurity spending is on the rise, it is essential to allocate these resources effectively. Proper budgeting and capital allocation processes are critical to ensure that organizations appropriately invest in the areas that matter most for their risk profile.
It’s time for all organizations to focus on what is likely to be an increasing outflow of cash.
Building Your ECRM Budget Philosophy
Creating your ECRM Budget Philosophy can be done by discussing and agreeing to a set of maxims that address questions initially posed in the introduction above. I discuss several of these maxims to provoke your thinking about your ECRM Budget Philosophy.
- “Part of the ordinary course of doing business” maxim
Consider the words of Jamie Dimon, Chairman and Chief Executive Officer of JPMorgan Chase. In his April 2019 Letter to Shareholders, on the topic of cybersecurity, Dimon wrote:
I have written in previous letters about the enormous effort and resources we dedicate to protect ourselves and our clients—we spend nearly $600 million a year on these efforts and have more than 3,000 employees deployed to this mission in some way. Indirectly, we also spend a lot of time and effort trying to protect our company in different ways as part of the ordinary course of running the business.[11][Emphasis added]
Organizations do not need to match JP Morgan Chase’s spending benchmark! The point is that Dimon understands that investing in ECRM and cybersecurity is “part of the ordinary course of running the business.” This is the same way all organizations should look at their cybersecurity investments. Call this the “Part of the ordinary course of doing business” maxim. As a reminder, a maxim is “an expression of a general truth or principle…”[12]
- “Risk-based expenditure” maxim
One day, before he was made President, some friends were discussing Lincoln and Douglas and comparing their heights. When Lincoln entered the room, someone asked him, “How long ought a man’s legs to be?” “Long enough to reach from his body to the ground,” said Lincoln coolly.[13]
The same could be said of funding your ECRM Framework and Strategy and the resulting cybersecurity strategy. Your organization’s spending on cyber risk management should reflect your organization’s unique assets, threat sources, threat events, likelihood, and other factors, including your organization’s specific risk appetite. Furthermore, since your expenditures should be all about mitigating risks, for every dollar requested, the most crucial question that C-suite executives and board members should ask is, “Will this expenditure reduce our cyber risks, and if so, when and by how much?” OK, it’s a compound question, but hopefully, you get the point. (See my article The Single Most Important Cybersecurity Question for the Board to Ask and Require Management to Ask.) Call this the “Risk-based expenditure” maxim.
- “An ounce of prevention” maxim
Investing in ECRM is often more about cost avoidance and minimizing losses than revenue generation. There are few visible business rewards for stopping phishing or hacking attacks. At the same time, experiencing a cyber event can severely impact your organization’s revenue and margin and even put an organization out of business. In Stop the Cyber Bleeding[14], I discussed the American Medical Collection Agency (AMCA) case. Between 2018 and 2019, AMCA experienced a system hack that exposed the data of up to 20 million patients.[15] In 2019, AMCA’s parent company filed for Chapter 11 protection, noting in the court filing that the company had incurred “enormous expenses that were beyond the ability of the debtor to bear.”[16]
The fact is that your organization will spend money on cybersecurity in one way or another. Would you instead make those spending and allocation decisions proactively, with your organization’s best interests as the driver? Or will your spending occur reactively in response to a cybersecurity incident? In 1735, Benjamin Franklin famously wrote, “An Ounce of Prevention is Worth a Pound of Cure.” At the time, Franklin was writing about fire prevention, but his maxim applies equally to cyberattack prevention today. Call this the “Ounce of prevention” maxim.
- “Business ownership” maxim
Who should own ECRM and cybersecurity expenditures? If not directly included in a business owner’s budget already, I would encourage the lines-of-business, functional, and process owners at least to be held accountable and responsible for ECRM and cybersecurity expenditures. Business owners’ lack of accountability and engagement has perpetuated the idea that ECRM and cybersecurity are somehow an “IT Problem.” It’s all part of making ECRM a team sport.
Once again, encouraging a principle-based approach, NACD publication Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards,[17] includes as its Principle #1:
Directors need to understand and approach cybersecurity as a strategic, enterprise risk—not just as an IT risk. [Emphasis added]
This principle applies to senior management, lines of business, functional and process leaders, and everyone in the organization. Your company designs processes to produce and deliver your products, services, and solutions. These business processes are owned by the lines-of-business, functional, and process leaders and are supported by underlying data, systems, and devices—information assets. The CIO, CTO, and CISO may be stewards and custodians of these information assets and their associated risks. But they do not own the information assets or the risks; the business owners do. With the assistance of the CIO, CTO, and CISO, lines-of-business, functional, and process leaders must decide which risks to accept, avoid, mitigate, or transfer. And they must own the budget for their decisions. Call this the “Business ownership” maxim.
- “Security-by-design” maxim
Organizations have, for decades, embarked on significant, transformational digitization and modernization programs, which means more data, systems, and devices to manage and safeguard effectively. Along with all the digitization, there has been a host of new regulations and compliance mandates to assure the confidentiality, integrity, and availability of these data, systems, and devices. Few, if any, organizations adopted security-by-design principles or built security into these new solutions. In Tips to Effectively Fund Your Enterprise Cyber Risk Management (ECRM) Program,[18] I defined the term “ECRM debt” to mean “…dollars that should have been spent on managing cyber risk while other dollars were rapidly being spent implementing yet again, more new digital solutions. Said another way, managing cyber risks was, too often at best, an afterthought and not proactively considered as part of deploying the latest technologies.”
I recommend that you force a security-by-design approach by adopting the concepts of “authorization to operate” and “authorization to use” before approving the deployment of new solutions. Adopting these pre-authorization terms will help forge business ownership of risks and, therefore, of ECRM and cybersecurity expenditures. To become familiar with these terms and processes, reference “Risk Management Framework for Information Systems and Organizations,” NIST Special Publication 800-37, Revision 2.[19] Call this the “Security-by-design” maxim.
- “Business enabler” maxim
Creating an ECRM program requires the C-suite executives’ leadership and the board’s oversight. ECRM is not an “IT problem”; furthermore, if handled properly, it can become a business enabler. The C-suite and board must leverage ECRM successfully as a business enabler, and that leverage is strengthened by an enlightened view of ECRM as exactly that. Effective ECRM enables organizations to securely deploy consumer-centric, technology-based innovations that engage customer trust and encourage customer confidence. While many businesses view cybersecurity as a cost center that needs to be minimized, it should be viewed as a business enabler that helps build customer trust and achieve business objectives.
According to Deloitte Global’s 2023 Future of Cyber survey,[20]
“Leaders are looking at cyber through a sharp, new lens—one that reveals the inherent business value that can come by embedding cyber. Not only across the enterprise, but as a crucial part of a powerful growth strategy.”
Three leading practices were identified—cyber planning, activities, and board involvement—that hinge on stakeholders recognizing the importance of cyber responsibility and engagement across the organization. Budgeting, financial planning, and capital allocation are critical cyber planning practices. Call this the “Business enabler” maxim.
ECRM Budget Philosophy
You can make your ECRM Budget Philosophy statement a formal policy. If you do so, it should indicate what you plan to do, why you plan to do so, the values of your organization, and what is expected of members of your workforce regarding ECRM recordkeeping and reporting. As a reminder, think of policies as higher-level aspirational statements emphasizing “what” and “why.” That is, what your course of action will be and why you’ve chosen this course of action. Your policy statement also establishes your good faith intent.
It should be based on the budget maxims that you develop, and as your budgeting and capital allocation process matures, you may further codify it in explicit procedures.
Summary
While there is some push from the increase in law, regulations, and enforcement, how your organization addresses ECRM and cybersecurity budgeting, financial planning, and capital allocation should be a function of your unique vision, mission, strategy, values, and services; all the unique data, devices, and systems that support your unique business; and all your unique cyber exposures across your entire enterprise. Including a section in your ECRM Framework and Strategy document that covers ECRM Budget Philosophy is essential.
The chief output of the work discussed in this post is your organization’s ECRM Budget Philosophy based on the maxims that fit your organization.
In Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks, I discuss the SEC proposed rulemaking requiring registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. Your ECRM Budget Philosophy will help meet this and other emerging disclosure requirements.
You can visit my YouTube channel, Stop the Cyber Bleeding | Putting ECRM Into Action, which includes brief video clips covering many of the topics in this series. It may help guide the development of your ECRM Framework and Strategy and can be accessed and subscribed to at https://www.youtube.com/@stopthecyberbleeding/videos.
In the next post in this ECRM Framework & Strategy Series, I will discuss Integrating ECRM into Business Strategy, Financial Planning, and Capital Allocation, an essential input into making informed risk treatment decisions.
Questions Management and Board Should Ask and Discuss
- How are your organization’s ECRM and cybersecurity budgeting, financial planning, and capital allocation conducted today? Is it facilitating good decision-making?
- Which, if any, of these maxims can be adopted in your organization—”Part of the ordinary course of doing business,” “Risk-based expenditure,” “An ounce of prevention,” “Business ownership,” “Security-by-design,” and “Business enabler”—today?
- Has your organization agreed upon and documented an ECRM Budget Philosophy?
- Does your organization have a good governance structure in place, one that clearly articulates and oversees your ECRM and cybersecurity budgeting, financial planning, and capital allocation?
- Do you have the internal resources with the appropriate skills, knowledge, and experience to facilitate the development of your ECRM Budget Philosophy?
- Would engaging an experienced, reputable ECRM partner be valuable to establishing, implementing, and maturing your organization’s ECRM Budget Philosophy?
- Does your ECRM Budget Philosophy meet the future requirements of the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposed Rule Changes today and enable you to accurately and comfortably disclose your “business strategy, financial planning, and capital allocation, and if so, how” and “whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight”[21]?
Endnotes
[1] Chaput, Bob. “Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks.” Enabling Board Cyber Risk Oversight. Nov. 21, 2022. Available at https://bobchaput.com/disclosure-of-a-registrants-risk-management-strategy-and-governance-regarding-cybersecurity-risks/
[2] SEC. “Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[3] SEC. “Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[4] Defense Federal Acquisition Regulation Supplement (DFARS). Accessed Mar. 9, 2023. Available at https://www.acquisition.gov/dfars
[5] CYBERSECURITY MATURITY MODEL CERTIFICATION. CIO DoD. Accessed Mar. 9, 2023. Available at https://dodcio.defense.gov/CMMC/
[6] 48 CFR 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. Available at https://www.ecfr.gov/current/title-48/chapter-2/subchapter-H/part-252/subpart-252.2/section-252.204-7012
[7] Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST Special Publication 800-171, Revision 2. National Institute of Standards and Technology (NIST). February 2020. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
[8] Clinton, Larry, Higgins, Josh and van der Oord, Friso. “Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards.” National Association of Corporate Directors (NACD). Accessed March 4, 2020. https://nacdonline.org/insights/publications.cfm?ItemNumber=67298
[9] NACD. “Principles for Board Governance of Cyber Risk.” March 2021. Available at https://www.nacdonline.org/applications/secure/?FileID=319863
[10] Gartner Research. “Forecast: Information Security and Risk Management, Worldwide, 2020-2026, 2Q22 Update.” June 30, 2022. Available at https://www.gartner.com/en/documents/4016190
[11] Jamie Dimon. “CEO Letter to Shareholders, 2018.” JPMorgan Chase. April 4, 2019. Accessed January 8, 2020. https://www.jpmorganchase.com/corporate/investor-relations/document/ceo-letter-to-shareholders-2018.pdf
[12] Maxim. Dictionary.com. (n.d.) Accessed Mar. 6, 2023. Available at https://www.dictionary.com/browse/maxim
[13] Hamilton, M.A., “Story of Abraham Lincoln.” (n.d.). Accessed Mar. 8, 2023. Available at https://www.heritage-history.com/index.php?c=read&author=hamilton&book=lincoln&story=captain
[14] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n
[15] Davis, Jessica. “AMCA files Chapter 11 after data breach impacting Quest, LabCorp.” Health IT Security. June 18, 2019. Accessed Mar. 9, 2023. https://healthitsecurity.com/news/amca-files-chapter-11-after-data-breach-impacting-quest-labcorp
[16] Davis, Jessica. “AMCA files Chapter 11 after data breach impacting Quest, LabCorp.” Health IT Security. June 18, 2019. Accessed Mar. 9, 2023. https://healthitsecurity.com/news/amca-files-chapter-11-after-data-breach-impacting-quest-labcorp
[17] Clinton, Larry, Higgins, Josh and van der Oord, Friso. “Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards.” National Association of Corporate Directors (NACD). Accessed March 4, 2020. https://nacdonline.org/insights/publications.cfm?ItemNumber=67298
[18] Chaput, Bob. Clearwater Blog Post. “Tips to Effectively Fund Your Enterprise Cyber Risk Management Program (ECRM).” Apr. 29, 2022. Available at https://clearwatercompliance.com/blog/tips-to-effectively-fund-your-enterprise-cyber-risk-management-program-ecrm/
[19] Risk Management Framework for Information Systems and Organizations. NIST Special Publication 800-37, Revision 2. National Institute of Standards and Technology (NIST). December 2018. Accessed Mar. 9, 2023. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
[20] Deloitte. “2023 Global Future of Cyber Survey.” Jan. 27, 2023. Accessed Mar. 9, 2023. Available at https://www.deloitte.com/content/dam/assets-shared/legacy/docs/analysis/2022/deloitte_future_of_cyber_2023.pdf
[21] SEC. “Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf