Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Accounting for Cybersecurity as an I.T. Budget Line Item… Are You Doing It Wrong?


Quick Take

On this episode of Compliance Unfiltered, Adam and Todd chat about the importance of including cybersecurity specific line items in your annual Information Technology budget.

Curious how your organization should identify the drivers for your security and compliance? Wondering how you would go about figuring out how much it would cost to be properly covered? Thinking about how you’re going to pitch this to your boss?

Well, you’re in luck, as this week’s episode of Compliance Unfiltered has all these answers and more!

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now here’s your host, Todd Coshow, with Adam Goslin.

Welcome to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Walrus to your compliance, goo goo ga choo, Mr. Adam Goslin. How the heck are you, sir? I’m doing good, Todd. How about you? I cannot complain, cannot complain, sir. But today, we are chatting about something actually quite interesting, I mean, as you talk about this in the landscape, especially today, and that is, if security is not part of your IT budget, you’re absolutely doing it wrong.

Now, why is it that companies are in a position of not having directly security-related items in their annual IT budget? Well, it comes a lot from how organizations do what they do. In many cases they’ll be included, quote, under IT, but without detail. Or there’ll be certain portions of the line items that are actually included in there, but not everything. Certainly not a full-scale picture of what all it takes to run our security and compliance program. In a lot of cases, it also comes back to, and I’ve talked about this several times before, that you’ve got organizations that are under this misconception that their IT folks just know how to do security and compliance. So it’s almost like an assumption, well, I’m paying for IT so we must be secure. Honestly, they couldn’t be further from the truth, and further from reality. It’s just a bad misconception. I don’t know a good example of it, but it’s like saying, hey, I know how to drive my car, but I couldn’t change the engine, they’re not the same. No, no, no, one of those takes a little more skill. And so, it’s just the way that it happened. You go back to, God, 20 years ago, and look at just how organizations would do what they do. And there was just always this presumption that my IT people, or my IT vendor, or my IT contractor just knows what they’re doing, and they’re doing it all correctly. And it’s just not the case.

So, folks’ budgets will contain varying line items that range from the delusional notion that, oh, well, my IT people just know what they’re doing when it comes to security, through partial, but not full, coverage of the things that they need to have contained within their IT budget. For most organizations that’s typically folded up under IT; in some cases, they’ll budget it through other elements of the organization. Another steadfast is that, for whatever reason, organizations got into this notion that, well, we do an annual financial audit, so we’re going to fold up all of our security and compliance stuff under the people that were already doing audits. So, sometimes you’ll find some line items sprinkled over on the finance side of the organization, but more often than not, it’s either assumed, inferred, or primarily absent.

Now, how should an organization identify their drivers for security and compliance? Well, there’s several things that come into play for an organization as they’re dusting things off, wanting to take a gander at what they should be doing. Certainly, based on the industry that they’re in, the business vertical that they’re in, let’s say, there will be certain standards which would be directly applicable based on that vertical. So, as an example, if I’m in the medical space, then I’ve got HIPAA that’s going to be a consideration in the US. If I’m dealing with credit cards, then PCI is going to come into play. The industry, and the nature of the data will drive what they need to be adherent to.

The other thing that a lot of organizations miss is, you’ve kind of been signing up organizations with your company for the last fill in the blank number of years, and in each of those various contracts there’s various language that says thou shalt do this, and thou shalt do that, and thou shalt be adherent with fill in the blank. And a lot of times, especially the older contracts, it was a notion of yeah, yeah, yeah, we know that they put some stuff in there, but we’re just going to sign the document because we want to land the business. So when companies go back to those contracts, and assimilate them across the organization, a lot of times they’re surprised. So one of the other areas is, go into all of your existing executed contracts, and specifically not looking at my baseline template for how I do contracts today, because you know what you’re putting in. But really where it comes into play, in some cases the organization will take your contract and just sign off. In other cases they’ll take your contract and butcher it, red line it, and add in all sorts of additional doodads. In yet other cases, depending on how particular, and or special the target organization may be, they will mandate that you’re signing off on their paperwork. And so what you want to do is, you want to find where’s the executed agreement with so-and-so, and take a dig through it. You will be, in many cases surprised at the various things, that various people signed off on. And in many cases, those stipulations don’t even make it back to the IT crew, if somebody over in sales was executing agreements and saying yes, yes, yes, all the way down the line so they can land a sale. And, you might be surprised at some of the stuff you find when you go do a little bit of digging. The other piece that comes into play is what type of data is the organization needing to protect? What is it obligated to protect? Things along those lines. 
There’s a lot of various elements that will come into play as well. So, all of those should be drivers for the target organization to be able to go through, so they can figure out what does this program need to be implemented, or obligated to have controls for as an organization.

Now, how would a company go about identifying the various security specific expenses? Well, certainly if you already have a program that’s up and running, certainly if you’re already running through some type of a third-party process to go through, validate, and assess your existing compliance, then that’s typically a good place to start. Coordinating with your internal team, figuring out the various elements of evidence that we’ve got, what systems are being leveraged, what evidence is being sought, which tools and systems are supporting the security and compliance stance of the organization. And start assimilating those various security expenses through that process. Now, for many of the standards that are out there, one of the easy ways to go is, there’s often a section for which service providers do we have, and what function do they perform. Oftentimes it’s not every single person providing something, but it’s often a good place to start. So that would be one area, looking at your existing list of third-party service providers that you’ve got in play. Another is, as an organization, maybe the maturity of the program isn’t particularly high, or the organization took an approach of trying to do, we’ll call it the bare minimum, as they were going through their third-party scoped process. Then behind door number three would be, I’d go back to accounting and I would say, I want a list of anybody we paid in 2024, period. Now, is it gonna include a whole bunch of garbage you don’t need? Yes. But what it’s going to do is it’s going to, like unless they’re doing it for free, the organizations that are involved, then they got paid, right? And when you go out over the course of a year, that accounts for things like those services where you pay, you’ve got a much better rate, but you pay it all upfront type of a thing. That way, if I last paid for this in February of last year, then I’m not forgetting about it. 
So those are all good ways for going through and identifying the various out-of-pocket expenses that you’ve got.

Now, would you recommend just putting out-of-pocket expenses as like a line item, or is it more complicated than that? Well, it’s more complicated than that. Keeping in mind the context of this conversation was, hey, should you have security and compliance related line items on your IT budget? Well, when I look at it as an IT budget, for instance, then it’s not just the purchase price of fill-in-the-blank software, or it’s not just the purchase price of this vendor deal that we’ve got. There’s people, labor, and hours that go into supporting each of our security and compliance controls, or into supporting things like upgrades of whatever system that you’ve got.
So, that and just overall running of the program. I mean, the program, despite all of the, I’ll call it the flowery crap that you get from some of the people in the marketplace. You know, oh, just come with us, and all you’re gonna have to do is just figure out whether you want to sip on a Mai Tai, or a Molotov cocktail, while we take care of everything. And it’s like, sorry, I don’t quite buy it, but yeah, good try. There’s real warm, live human beings that have to be involved in the process and help manage, coordinate, and gather and present evidence, answer questions from assessors. And no matter how wonderful the delusional service you’ve got is, bottom line is, that you need to allocate and account for the man-hours, in terms of supporting the overall program, that has to be a piece of this mix. So if I’m looking at general IT, I don’t know, maybe I’ve got six people in my department, right? Of the six people, how much of their time is going to security and compliance, versus how much of their time is day by day IT, versus how much of their time is managing, supporting, and patching the production environment, that type of thing. So you’ve got different uses, and different allocations, or different purposes for the labor hours that you’ve got, and you have to make sure that you get those labor hours included. Some would warrant, depending on the size of your team, that the labor hours are probably the biggest of those components. You’re probably spending more on the warm bodies than you are on the various services and tools that you’ve got. So you’ve got to make that allocation.

Now, why is it important for organizations to make sure they have these funds specifically allocated? Well, I mean, when it comes time for, wabbit season, no, budget season. When it comes time for budget, a lot of organizations as they’re rounding out their fiscal year, usually the quarter before the budget year ends, is when people start lining up for having the conversations around their next year’s budget. And you want to have the detail specifically included, all the things I’ve talked about so far, these are all important facts, and elements. Because otherwise, if there’s just some sweeping notion, if everything’s just buried under this one line item called IT, it makes it a whole lot easier to just say, yeah, we’re gonna slash the budget by 5% or 40% or whatever the hell the number may be. And as you’re going in, as a leader within the affected department, if you will, you’ve got to be able to take a real hard look at the various line items, what those line items are being leveraged for, what can I do without, what can’t we do without, that type of thing. So you’ve got to have the detail at your fingertips in order to be able to come back and have the dialogue, depending on the state of the organization. I’ve unfortunately been a party to some, where basically they just weren’t doing well, and now we’ve gotten past, we’ll call it trimming fat, and we’ve gotten through the toning exercise, and now we’re having to go below the surface of the skin. Are we coming in cutting off flesh, or are we getting down to bone marrow and muscle? So it just depends on what’s happening with the organization. Certainly, there are times when business circumstances are basically going to dictate what do we need to do here. But you’ve got to walk in eyes wide open to what are the ripple impacts of what we’re about to go do. 
Because it’s one thing to go in and shave off 3%, and it’s quite another to have to drastically reduce the budget, or be pushed to pull that budget down. In many cases, the drivers for the budget, it depends on the organization, right? Certainly, there are many in the organization that are driven by the overall perceived health of the organization, a.k.a. net profit. So there’s always a driving force to push down cost within an organization. But that said, if you’re in a company where you’ve got some form of investor backing things, it very well could be that somebody far away from the day by day of the business is basically making dollar decisions on profitability of the company and basically forcing budget cuts to maintain their desired target profitability for the organization. Regardless of the driving force, you have to add these numbers together, and that way you can speak intelligently about it.

Let’s talk about how to defend the budget year over year. I think that’s a major concern, especially in organizations where it’s like a use it or lose it, a lot of the times. Like how, from an IT security perspective, does one go about defending their need for budgetary space on a yearly basis? Sure. Well, I’m going under the guiding assumption that the company’s not doing so poorly that they are forced to basically start lopping off limbs. So going under that guiding assumption, I mean, there’s certain security standards, and compliance paths, which will require some form of a security compliance charter. And a core function of a well-written charter is reporting on whether or not the team charged with ensuring the security and compliance of the organization has enough budget in order to meet the objectives of the organization. And so, not only are you required to maintain a certain level through that particular standard, but one of those functions is literally reporting back up to the head honchos to say, hey, I don’t have enough dollars. I need more dollars for this, or I need more dollars for that, or you guys hacked the budget and now I’m not able to fulfill the obligations of the organization. So, it’s easy to make the decision at the time. However, it’s gonna come back around in many cases to haunt you because you as an organization, you’ve set this objective out.

Once an organization’s gone through, done all of their homework, and knows what standards they need to, or choose to, go and be compliant with. Once you’ve gone ahead and met that standard, there’s a lot of fanfare typically, right? We’ve talked about throwing the compliance party, once you get through the hell that is making it through your first run at a particularly tough standard. Once you do that, you publicly tell people that we got fill-in-the-blank compliant. Clients, customers, partners, and prospects have been going through and asking questions about, show us your paperwork, and show us your documentation, show us your report. So, if you’ve already set that expectation with your various stakeholders, then their expectation is, it’s going to be at bare minimum maintained, if not preferably expanded and matured. So, they’ll absolutely perceive the budget reductions as heading in the wrong direction, and you’ll miss meeting those expectations.

In some cases, I’ve seen organizations that have quite literally done a hack job to the budget, and decided that, well, we don’t really need to do fill-in-the-blank related to security and compliance, only to basically get smashed in the face with a sledgehammer when it came to the conversations with their stakeholders, because their stakeholders vehemently disagreed with their take. But the other thing that happens is, in an organization, especially for the leadership that’s not real familiar with who’s doing this, and how it’s being done, etc. Today every organization, in some way, shape, or form, is receiving what I’m gonna call vendor security questionnaires. As those come in, basically it’s questions from the organization validating you performing certain things, performing certain functions that you’ve got, and certain solutions in place. Whether it’s indirectly requesting your overall compliance documentation, thereby what they’re really looking for, and looking at, is contained within that realm. Or, they’ll just come right out and ask for those questionnaires. For many years at this point in the game, they have been doing nothing but increasing, in terms of their stringency of things that are asked for.

We also talked about cyber liability insurance. That is another piece that plays into this. What a lot of folks don’t know, and if the listeners haven’t gone and listened to the pods we’ve done on cyber insurance, and want a detailed walkthrough on that, go listen to those. But the cyber liability insurance, when you go in and you sign off on these standards, a lot of times it’s just being done through your accounting crew, because they’ve always been in charge of insurance. A lot of the time whoever’s filling it out, they’re just putting green check boxes down the line. Are you really doing it? Are you not doing it? Are you doing it properly? Who knows?
They’re just going down making pretty green check boxes. And meanwhile, you’re signing off to the insurance company. Yep. We’re doing this. We’re doing that. We’re doing the other thing. And those questionnaires for the insurance, man, I remember back in the day, it was like, I don’t know, 10 questions, and if you can answer these 10 monumentally high-level questions, you too can have insurance. Yeah, that’s a thing of the past. These questionnaires these days, in some cases, are coming in 40 or 50 pages of detail needed to support the process. So, there’s a lot of various reasons why you have the capability to defend that budget year over year. The funnier part is that a lot of those elements really are at the core interest of the organization. The organization isn’t intending to say, well, no, we’re not gonna care about security and compliance anymore. However, when they take a hatchet to the budgets, that’s exactly what they’re putting at risk through that process. So certainly, for those in charge of the budgets that would support these programs, just make sure you’ve got your I’s dotted, T’s crossed, walk in ready to defend it. For most organizations, especially these days, it’s an important element of, we’ll call it, day by day running of a business, specifically IT. No doubt about it.

Parting shots and thoughts for the folks this week, Adam. Well, I mean, it’s unbelievably important for most organizations to focus on security and compliance. Whether you’ve just got personally identifiable information, but especially when you’re involving things like intellectual property, competitive advantage that you have in the marketplace. I mean, one of the things that I’ll say to people, I’ll say, look, if you’ve thrown up a shingle for a business, and someone is willing to pay you, then that means that you have a product or a service that is perceived of value they’re willing to pay for, and thereby you have something to protect. But, I mean, if you’re getting into PHI or PCI data, or potentially, depending on what arena you’re in, maybe even something that’s more sensitive, you gotta take this stuff seriously, and you need to make sure that you’ve got your ducks in a row for the day-by-day practitioners. It just comes down to having your fingers on the various data sets and elements that you need, in order to justify where this money’s going, and what it’s being used for. Yep, sure.

There’s often opportunities where, and especially if you’ve gone out and you’ve acquired some type of functionality, I’m not gonna name names, but I’ll just give an example. I found this with TCT, you go out, whatever, back in the day, you picked a particular vendor to support one of your security and compliance requirements. Fast forward five years, and now all of a sudden, your consumption’s gone up so much that, that bill’s getting really effing expensive. Sometimes, it does work to go back and do some renewed research. I mean in general, I’d recommend to the practitioners out there, at least every couple of years, maybe three at the most, go back and do a reassessment of the tooling that you’ve got, that you’re leveraging. There are additional options out there. What I found is, I was able to identify a more cost-effective solution than the one that I had been using for quite some time, which were great, but there was something better out there. Really for the folks listening. Would your clients be thrilled to have your name splashed all over Google because there was a breach? Even if it was just PII? I can’t tell you how many times I’ve heard, we don’t have anything, all we have is first names, last names, addresses, phone numbers, and emails. I mean this is public information. I’m gonna tell you what, you wanna see your customers hit ceiling tiles, just go ahead and get your company’s name splashed all over Google with just PII, and let me know how it works out. They’re not happy, man, they are not freaking happy. So companies can’t afford to not take this stuff seriously. And that’s part of the core reason why here at TCT we set about making the compliance management world suck less.

That right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
