Information security staff need to be able to work within the capital they are provided. This is why cybersecurity needs must be clearly communicated to senior management early in the program. When a business case is developed for cybersecurity, it should include more than vague threat assessments and recommended risk responses. The cybersecurity team should have a reasonable estimate of what it will cost to implement the recommended risk responses. In business environments, the costs required for procuring resources are divided into CapEx and OpEx.
Capital Expenditures (CapEx) are the funds companies allocate to acquire, upgrade, and maintain essential physical assets such as property, technology, or equipment. They are crucial for expanding operational capacity and securing long-term economic benefits. In the context of IT and cybersecurity, CapEx may include new server hardware, licenses for operating systems, and new storage devices for employee workstations. Operating Expenditures (OpEx) are the ongoing costs necessary for a company to maintain its day-to-day business activities, and they directly affect its profitability analysis. In IT and cybersecurity, OpEx may include subscriptions for cloud computing services and contracts with external IT consultants or Managed Security Service Providers (MSSPs).
The program's budget authority is responsible for communicating the available CapEx and OpEx funds and ensuring that plans for security controls and technologies do not exceed the budget. Senior management will designate a very specific budget for cybersecurity needs. In many cases, the provided budget will be quite low, as it is still difficult to convince businesses to spend significant money on cybersecurity measures. This makes the budget authority an even more critical role. Clear communication of budgetary constraints may change the direction of an entire project. For example, IT staff will need to know how much money they can spend on implementing a business-wide Security Information & Event Management (SIEM) system. The staff may want to purchase a well-known proprietary system such as Splunk. However, the necessary funds may not be available. It is the budget authority's responsibility to step in early in the System Development Lifecycle (SDLC) and communicate the lack of funds to the IT staff, requiring them to adopt an open-source SIEM solution such as Wazuh instead. Without this information from the budget authority, the IT staff would be planning for a project that was never actually going to happen.
The individual chosen to fill the budget authority role must have a clear understanding of the organization's budget. They need to be able to contact senior management easily, as well as have channels to the finance department. They also need to understand the nuances of IT, such as the quality differences between products and vendors. To keep the information security program within scope, the budget authority should be heavily involved in the early stages of project planning.
