Slay the Compliance Dragon: Building a Compliance Budget

This is part 3 in our series on taking control of compliance management in 2019. Just now joining the conversation? Start at the beginning of the series.

The story so far: You’re on a quest to slay the compliance dragon—that monstrous beast that rears its ugly head every year. But not this year. This year, you’re taking control of your compliance management.

This is the third step in the process. By now you’ve gone through the first two steps:

  1. Survey the landscape of your compliance certification requirements
  2. Evaluate your vendors and auditors

Those are two big steps toward getting your arms around your compliance process. But now it’s time to get your hands dirty.

Successful compliance management depends on a successful budget. This may be the most challenging step to gaining control of compliance. There are no easy shortcuts, tips or tricks here.

Your budget is also critical to the rest of your journey—get your budget right and you’ll be well-equipped to gain control over compliance. Get it wrong and you’ll have a hard row to hoe.

For many CISOs, budget season is as dreadful as the compliance chaos itself. We won’t go over the step-by-step process for building a budget here, but we’ll equip you with the best practices that can get you the budget increase you need to slay that compliance dragon.

Set Your Budget Expectations


Before you begin your budget, the most important thing to realize is that there is no silver bullet for security and compliance. Set expectations for yourself and others early on. If your company needs to take compliance seriously and get it completely under control, it will probably require a larger budget than you realize. Between internal and external labor costs, hardware and software, vendor services and third-party assessments, you could be looking at a budget of $250,000 per year. While many in the compliance management space dance around it, that number is real.

Can you do it for less money? Yes. But don’t expect a couple software tools and a hosting solution to give you a robust compliance solution. To slay the compliance dragon, you’ve got to be willing to invest in the right solutions.


Prioritize Your Solutions


If you’re asking for a hefty budget increase for compliance management, you’re probably not going to get everything you want. At least, not all in one year. So it’s critical to know and communicate the items that you can’t live without. Prioritizing your line items gives you and your CFO a realistic picture of what it will take to achieve compliance sanity.

Categorize your line items into three buckets:

  • Need to have. These are non-negotiable items. If you don’t have them, you can’t be successful. They’re items that you don’t have the skills or ability to insource, so you really don’t have a choice—they’ve got to be budgeted.
  • Best to have. These are items you could insource, but it really doesn’t make sense to do that. It’s best for the business to budget for them, instead. For example, most compliance standards require daily log reviews. While you could handle that in-house, it could mean reviewing millions of lines of logs. Does it make a heck of a lot more sense to outsource that item? Absolutely.
  • Want to have. It’s harder to justify outsourcing these items, but it would be great if you could get them. For example, hiring someone to provide security awareness training. While you have internal resources who would do an adequate job, it would be one less thing on their plate. Outsourcing your training would be nice, but it’s definitely not critical.

As you work with your CFO to establish a budget everyone can agree on, it’ll be a lot easier to start trimming the fat with your “want to have” items. This will streamline your work, and protect your most critical requests.

Think Like a CFO


Generally, CFOs aren’t touchy-feely. For them, business decisions are black and white, or more precisely, black and red. You need to walk into the budget meeting prepared, and that means thinking like a CFO.

Your job is to show why your budget request is important, and how it benefits the company from a business perspective. The latest developments in tech might be a motivator for you, but your executives generally couldn’t care less about the coolness of the latest and greatest. They just want to protect the business in a cost-effective manner and make it grow.

If you can show them the business case for each of your line items, and how they help the organization succeed, you’ll put yourself in the best position to win your budget request.


If you want to sell the CFO on your budget, you’ve got to do just that: sell your budget. It can be a huge challenge to figure out how to do that, because you’re not a salesperson. But that’s exactly what you have to be. It’s incumbent upon you to educate your executives on the importance of security and compliance to your company.

The best way to sell your budget is to understand the perspective of your audience. Put yourself in their shoes, spend some time thinking like a CFO. Ask yourself:

  • What are our executives’ top concerns?
  • What are their fears?
  • What are their goals?
  • What will they object to, and why?
  • What will raise a red flag, and why? How can I alleviate that concern?

If you can answer those questions, you’ll position yourself to defend your budget in a way executives can relate to. In general, the CFO and other executives are going to care most about these kinds of issues:

  • Minimizing costs and losses
  • Maximizing productivity and revenue
  • Preserving brand reputation
  • Retaining customers

Take a second look at that list. That’s exactly what good security and compliance accomplishes! All you need to do is show them how your budget is the best way to achieve that.


Anticipate Questions


Because you could be spending thousands of dollars per month on compliance, your budget will be placed under the microscope. So you need to walk into your budget meeting prepared to explain each of your line item requests.

Be ready for specific questions. The most common question you’ll hear is, “Why do we need this?” Be prepared with a specific justification for each line item.

Executives will also ask if you’ve done adequate research to justify your line items. They want to be assured that you’ve looked at several implementation/vendor options and to understand why your recommendation is the best one for the business. It will be helpful to have quotes from different vendors, options for different implementation styles and research that shows your choice is the smarter option.

Also be sure to keep abreast of the new alternatives that pop up each year. If your budget request is simply a rehash of last year’s request, you could be ignoring new solutions that cost less or perform better.

Advocate All Year


Part of your job as CISO is to educate the executives at your organization on security and compliance. They need to understand why it’s important and what compliance is shielding the company from.

When executives see the critical nature of security and compliance, they’ll want to invest in it. The tone and tenor of your budget meeting will be more open to spending, more collaborative and less defensive.

Educate your CFO and other executives about:

  • The importance of security and compliance
  • What could happen if a given risk scenario actually plays out
  • What could happen if you neglect security and compliance
  • Financial and brand repercussions if something happens
  • Other businesses that weren’t on top of their security and compliance

Share articles and news stories you come across that support the importance of security. Have conversations with your executives anytime you have the opportunity. Push to have security as an agenda item on recurring executive meetings. Whenever you can, provide hard numbers—stats, trends and dollars—because that’s a CFO’s native language. It’s all about putting the budget into a perspective that the CFO can latch onto.

This part of the budget process should be happening all year long, not just when you submit your budget request.

Be a Team Player


It’s easy to go into a budget meeting feeling defensive—especially since you’ll be expected to defend your request! Your expertise is being picked apart by a bunch of non-techies who don’t always get it. You’ll get a lot more items approved if you enter the meeting with a team-first attitude rather than an adversarial one.

Your CFO just wants to protect your company—which is the same thing you want. Show him or her how your budget request helps accomplish the very same goals that are keeping your CFO up at night. If they see that you’re in alignment with the goals and priorities of the company, your budget request will go much more smoothly.

Purchase Your Weapons


At the end of the day, all of the compliance elements need to be covered in your budget. The question is whether to outsource or insource your resources. It’s your job to articulate the costs of those resources so that the CFO can make a fully informed decision. Regardless of the final decision, you need to communicate the cost allocation to internal resources.

Building a strong compliance budget sets you up for success along every step of the journey. A weak budget will only get you so far, but following these best practices will equip you to best slay that compliance dragon.

With your budget approved, you’re now ready to arm yourself with the right technology. We’ll tackle that topic in our next article.

There really is a better way to take control of all of your compliance information. TCT Portal connects the dots between your internal resources, vendors, auditors and your clients to make sure each and every certification is completed in a cohesive, coordinated manner.

See how easy it can be—schedule your live demo today.