A proper risk assessment is the cornerstone of establishing a sound security program. Risk assessments are also crucial when security professionals are looking to improve an existing security program. That said, security budgets are almost always tight. Being able to justify even a modest, incremental cost for a security program can be challenging. This article will explore several strategies you can employ to secure the budget necessary for your risk assessment.
One way to secure the funding you need for your risk assessment is to find a compliance reason that justifies the cost. Stakeholders are far more likely to approve a request when a law, regulation or contractual obligation requires the organization to perform the assessment. For example:
Another way to improve the odds of approval is to quantify risk across the entire organization. Explain what the long-term security position will be with and without the assessment, measure your security posture over time, and identify any outlier units or departments. If you can show an element of risk that affects the entire organization, decision makers are much more likely to approve the measures.
While a comprehensive risk management program cannot guarantee no breach will occur, it can go a long way towards understanding and quantifying your risks, reducing the likelihood of a breach, and more importantly, quickly understanding the scope and nature of compromised data in the event of a breach.
Improving a process to save time and/or money is another way to secure budget. If you can justify workflow solutions by the time and money saved by moving away from manual, non-scalable processes (spreadsheets and emailed surveys), you will have a much easier time getting the budget you need to perform your risk assessment.
Although some organizations scrutinize outside expenses more heavily than staff time, quantifying the hundreds of hours saved in question curation, emailing, follow-up, compiling results, and reporting can make risk assessment workflow software an easy decision for many organizations.
Naturally, you also need to deploy the budget you do get as efficiently as possible. To do that, identify the areas of highest risk so that you can focus the approved budget and resources where they will collectively have the largest impact on the organization.
Risk assessments are an effective way to quantify your organization’s risk and quickly identify areas of risk that run across your organization. They can show you which units/departments contain your most sensitive information, as well as outlier units/departments with higher risk scores relative to your organization averages. Having a clear picture of where you are most at risk allows efficient budget deployment to occur in an objective, transparent, and easily defensible way.
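The outlier identification described above can be made concrete with a small scoring routine. The following is an added example written for this article, not code from the original page or from any GRC product; the scoring scheme (likelihood times impact on 1 to 5 scales), the per-unit questionnaire answers, the prior-round scores and the outlier threshold (more than k standard deviations above the organization mean) are all constructed assumptions for illustration.

```python
"""Aggregate questionnaire answers into per-unit risk scores, flag outlier
units relative to the organization average, and track change between rounds.

Added example; the data, scoring scheme and threshold are constructed
assumptions, not figures from any real assessment.
"""
from statistics import mean, pstdev

# Constructed sample data: every unit answers the same questionnaire and each
# answer is recorded as (likelihood, impact), both on a 1..5 scale.
RESPONSES = {
    "Finance":    [(4, 5), (3, 5), (4, 4), (2, 5)],
    "HR":         [(2, 4), (3, 4), (2, 3), (2, 4)],
    "Marketing":  [(1, 2), (2, 2), (1, 3), (2, 2)],
    "Research":   [(5, 5), (4, 5), (5, 4), (4, 5)],
    "Facilities": [(1, 2), (1, 1), (2, 2), (1, 2)],
}

# Constructed scores from an assumed earlier assessment round, used to show
# how posture is measured over time.
PREVIOUS_SCORES = {
    "Finance": 17.0, "HR": 8.0, "Marketing": 3.5,
    "Research": 22.0, "Facilities": 2.0,
}


def unit_score(answers):
    """Average likelihood x impact for one unit (range 1..25)."""
    return mean(likelihood * impact for likelihood, impact in answers)


def score_units(responses):
    """Risk score for every unit, keyed by unit name."""
    return {unit: unit_score(answers) for unit, answers in responses.items()}


def find_outliers(scores, k=1.0):
    """Return (outliers, org_mean, org_stddev).

    A unit is an outlier when its score exceeds the organization mean by more
    than k population standard deviations. Population (not sample) deviation
    is used because the assessed units are the whole population, not a sample.
    """
    values = list(scores.values())
    org_mean = mean(values)
    org_std = pstdev(values)
    threshold = org_mean + k * org_std
    outliers = {unit: s for unit, s in scores.items() if s > threshold}
    return outliers, org_mean, org_std


def rank_by_sensitivity(responses):
    """Units ordered by average impact, highest first: a proxy for which
    units hold the most sensitive information regardless of likelihood."""
    sensitivity = {unit: mean(i for _, i in ans) for unit, ans in responses.items()}
    return sorted(sensitivity, key=sensitivity.get, reverse=True)


def posture_delta(previous, current):
    """Per-unit change between two rounds; negative means risk went down."""
    return {unit: round(current[unit] - previous[unit], 2)
            for unit in current if unit in previous}


if __name__ == "__main__":
    scores = score_units(RESPONSES)
    outliers, org_mean, org_std = find_outliers(scores)
    print(f"org mean {org_mean:.2f}, std {org_std:.2f}")
    for unit, s in sorted(scores.items(), key=lambda kv: kv[1], reverse=True):
        flag = " <-- outlier" if unit in outliers else ""
        print(f"{unit:<11} {s:5.2f}{flag}")
    print("most sensitive first:", rank_by_sensitivity(RESPONSES))
    print("change since last round:", posture_delta(PREVIOUS_SCORES, scores))
```

With the constructed data the organization mean is about 10.1 and only Research is flagged at k=1.0; lowering k to 0.5 also flags Finance, which is the kind of sensitivity analysis worth showing stakeholders so the threshold itself is not the argument.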
Although there is no one-size-fits-all strategy, successfully advocating for budget relies on tying the risk assessment directly to mandatory compliance. If you can also link it to the organization's mission, you have a case that stakeholders cannot easily ignore.
Once the budget is approved, your key goal becomes making the risk assessment as efficient and effective as possible. By introducing automation tools, you can streamline the assessment workflow, measure risk over time, and ensure your efforts scale as the organization grows.