Defining Budgets with Tim Rohrbaugh

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup!  Another Cyber Ranch guest with an awesome history!  Tim and Allan were chatting a while back about budgeting cybersecurity programs, and they found out that they disagreed on a rather key point.  In true Cyber Ranch fashion, Allan immediately asked Tim to come back to the show and to dig into the issue with him.  They are starting with disagreement, which always makes for a better show...

1. Allan maintains that the cybersecurity budget should be tied to specific risks identified vs. specific business processes and/or assets as determined by Business Impact Analysis. In other words, we identify WHAT we care about, use BIA to tell ourselves HOW MUCH we care, and then we chart the risks to those processes and assets.  We then stack rank the risks based on impact but also plausibility (see prior show with Andy Ellis and Chris Roberts as to why Allan uses plausibility and not probability).  We then can sit down with the business and say:
   1. For $x we can address these top 5 risks
   2. For $y we can address these top 7 risks
   3. Etc, etc.
   4. Budgets are tight? Lower the risks addressed.  It’s that simple!

NOTE: Allan is cheating here with this simplification.  Run rate matters.  Our existing tech stack is already in play before we address specific risks.  So there is accretion there that must be acknowledged.  And the question is also begged:  How much does the already established run rate actually tackle specific risks vs. broad strokes?  EDR, for example, should already be present.  Do we say that EDR addresses the ransomware risk or the data leakage risk of HR data or the data theft risk of customer data, and/or…  You get the point.  Allan's model is not perfect.  But what Allan has ALWAYS stood against is the idea that the cyber budget should simply be expressed as percentage of revenue or percentage of IT budget or percentage of anything external to cybersecurity, really.

2. Tim, disagrees and finds flaws in Allan's model:
   1. Should we be tied to IT budget at all?  Tim says YES!
   2. Should we only be a percentage of revenue or overall organizational budget?  Tim says YES!
3. What is the value in capping budget via external measures like %age of IT spend or %age of revenue?
4. How do we tackle run rate vs. specific projects in your model? How does one choose what remains and what gets cut from the to-do list when budget tightening occurs?
5. What other benefits exist to Tim's model?
6. Is there a way to reconcile the two models? Is that reconciliation even necessary?