You don’t have to be overwhelmed planning your IT risk management for 2016. Simply follow the four steps outlined over these two posts to create your 2016 budget.
First, define the security policies and controls that you’ll use to protect your company’s assets. As an example, you might implement the security policy “employees must change their passwords every 60 days” to protect your company. Your policies must meet standards and regulations such as HIPAA, SOX, FFIEC, GLBA, ISO 27001 and NIST.
It’s important to align the environment and culture in your organization with the policies you choose. Educate your teams to make sure they understand your company’s security aims and the methods to keep everyone safe. Understand the expenses that each department faces relating to security and allow for them in your budgeting.
As well as meeting the required standards or regulations for your industry, you also need to understand the standards that your client wants your organization to meet. If clients are required to hold your organization accountable to certain standards, you could face unforeseen expenses. Therefore, it is essential to understand these requirements from the outset.
Ask yourself the following questions about your security plans in 2016 and allocate money accordingly:
- Do you have explicit security policies that are formally documented?
- What industry standards or government regulations do you need to comply with?
- Have any standards or regulations changed since last year?
- Do any existing policies need to be changed?
- Have we as an organization looked at what security or regulatory requirements our clients and/or customers expect us to meet?
After the initial planning stage, you need to think about how you’ll use your 2016 budget to enforce your security policies. Use the Pareto principle: 20 percent of attacks cause 80 percent of damage, so you should focus on tackling these threats first.
At Garland Heart, we typically see security budgets of between 4 and 15 percent of a company’s total revenue. With such variation within the industry, there are ways to leverage strong IT risk management while reducing or maintaining costs in your organization. Many companies find that hiring the services of an external network security specialist can be a cost-effective way of managing security risks, as it frees up the time of your internal staff so they can concentrate on their day-to-day responsibilities. Another way to prioritize your implementation dollars is to risk-rate the areas of potential loss, fraud, operational impact and/or business impact based on the threats and regulatory obligations facing your business. An analysis of previous unexpected costs and IT/operational efficiencies is also helpful. Security experts like Garland Heart can help you use your existing security products to effectively enforce your policies.
Get in touch with Garland Heart today to find out how we can help you make the most of your 2016 security budget. Check out Part 2 of our 4-Step Guide to Security Budget Planning for 2016 to get more tips.