1. Enterprise security costs need to be budgeted under by one cost centre to enable an enterprise level understanding of security TCO. In the absence of a centralised and single security budget (just to clarify again - utilization is by multiple entities), there is no executive appraisal of security TCO and multiple stake holders continue to spend on security without the enterprise security objectives addressed on a risk based criteria.
2. While in reality it may be fragmented, there is a huge potential to group all security spends under following key heads:
(a) Core Security Platforms including all elements of security oversight such as SIEM, VA, PT, AppSec tools etc (preferably under operational control of the security team and managed through a SOC) and also few other core security platforms such as DLP, IPS, Web filter etc (which may be under operational control of network/IT operations)
(b) Supporting Security Platforms including all security platforms deployed in the enterprise for end point security, infrastructure security, platform security, application security, and physical security
(c) Security Processes, Projects and Initiatives including implementation/enhancements costs and consulting engagements involving both Core & Supporting security platforms, as also GRC, DR, audits/assessments, security awareness etc.
(d) Security People including salaries of all full/part time employees and contractors/consultants working within the security team
3. During the process of the challenging migration from current security budgeting practices to the one outlined above, it may be necessary to continue budgeting one or more of the above heads outside of the security budget. However, there should be an exercise to create an enterprise inventory of such items, consolidate the budget figures, and tabulate them at the security steering committee with a view to appraise executive management of security TCO and create support for the need to have centralised security budgeting.
2. While in reality it may be fragmented, there is a huge potential to group all security spends under following key heads:
(a) Core Security Platforms including all elements of security oversight such as SIEM, VA, PT, AppSec tools etc (preferably under operational control of the security team and managed through a SOC) and also few other core security platforms such as DLP, IPS, Web filter etc (which may be under operational control of network/IT operations)
(b) Supporting Security Platforms including all security platforms deployed in the enterprise for end point security, infrastructure security, platform security, application security, and physical security
(c) Security Processes, Projects and Initiatives including implementation/enhancements costs and consulting engagements involving both Core & Supporting security platforms, as also GRC, DR, audits/assessments, security awareness etc.
(d) Security People including salaries of all full/part time employees and contractors/consultants working within the security team
3. During the process of the challenging migration from current security budgeting practices to the one outlined above, it may be necessary to continue budgeting one or more of the above heads outside of the security budget. However, there should be an exercise to create an enterprise inventory of such items, consolidate the budget figures, and tabulate them at the security steering committee with a view to appraise executive management of security TCO and create support for the need to have centralised security budgeting.