Question: Does executive leadership allocate dedicated budget and staffing for cybersecurity and data protection initiatives?
Objective — Why This Matters
Controls cost money and time. A small, ring-fenced budget and explicitly assigned capacity avoid half-built safeguards and failed audits. Treat cyber/privacy like any other core function.
Maturity Levels (0–5)
- 0 — Unaware: No budget; security funded from ad hoc expenses.
- 1 — Ad Hoc: One-off spend for tools or audits without a plan.
- 2 — Defined: Annual line items for minimum controls and training.
- 3 — Managed: Risk-based plan with owners, milestones, and KPIs.
- 4 — Integrated: Budget tied to risk reduction and compliance outcomes.
- 5 — Optimized: Portfolio managed; ROI tracked; re-prioritized quarterly.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Create a one-page “minimum viable security” shopping list (EDR, backups, MFA, training). |
| 1 → 2 | Add line items to annual budget; assign FTE/part-time capacity. |
| 2 → 3 | Build a risk-based roadmap with quarterly milestones and success criteria. |
| 3 → 4 | Track benefit metrics (incident reduction, audit closure) in reviews. |
| 4 → 5 | Introduce ROI/OKR style measures and adjust quarterly. |
People / Process / Technology Enablers
- People: Exec sponsor; budget owner; project manager.
- Process: Annual planning; quarterly review.
- Technology: Simple PM tool; KPI dashboard.
Evidence Required
- Approved budget sheet (a redacted copy is acceptable).
- Security roadmap; staffing plan.
- Review minutes showing funding decisions.
Metrics / KPIs
- % funded initiatives delivered on time.
- Change (Δ) in incident rate and audit findings vs. last year.
- % budget consumed vs plan.
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Roadmap | GitHub Projects | Kanban with milestones. |
| KPIs | Google Looker Studio | Pulls from Sheets. |
| Time/capacity | Toggl Track (free tier) | Time allocation for the function. |
Common Pitfalls
- Buying tools without people/time to operate.
- No linkage between spend and risk outcomes.
- Starving foundational basics (MFA, backup, logging).
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | 7.1-7.3 (resources/competence) |
| NIRMATA Scoring | GL-Q04 expects documented budget + staffing evidence. |