
By Joseph Fishel
How do you budget for the unknown? Cybersecurity has so few knowns and so many unknowns. It is a new category to budget. How do you identify what will affect the budget? What steps can you take to “be prepared”? If you don’t identify these expenses early, they can blow your budget for the year.
The first thing you should do is identify the knowns. Do you have any Internet of Things (IoT) implementations going in? Have you identified the installation costs as well as IT/IS staff support costs to assist in the implementation? What will the annual license fee be? Is it going up? While these are affiliated with cybersecurity, they may fall under different budgeting categories. What other licenses for cyber tools, or fees to IT/IS for certain support, do you pay for? These are items that have identifiable costs.
So, what about those things that are unseen? First, you need to identify what they could be and if they apply. Are you planning on an inventory of your equipment to add IT/IS/Networking information to your database? You can’t run a cybersecurity program if you don’t know what assets you have and what type of information is on them, so you need this information. If you can, try to identify what the costs are. For instance, how much time will be utilized by in-house sources and what will that cost? What will be the cost to have someone come in and do the inventory? Depending on the size of the inventory, it can be quite expensive, so you don’t want to miss budgeting for it.
Another requirement may be the need to add a new field or fields to your database. If you are doing an inventory, you need to have somewhere you can collect the information as well as be able to data mine it. A question to ask yourself is, “Can you add these fields yourself or will it require expense to have them added to your CMMS?”
For existing inventory, do you plan to gather that information when a technician is in front of the device doing a PM or repair? There is a hidden cost in that the length of the PM or the repair increases, thus driving up maintenance costs. This needs to be done and is probably the most efficient way of gathering the information. It will take a year to go through the entire PM schedule of inventory. Do you have a year to do this? Another option is to form a team to gather this information. All of these options will cost money that is above and beyond the normal HTM budget.
How much time will be spent on patching? In the past, most equipment patching was left up to the manufacturer and often didn’t happen unless the devices were under contract, and it was part of the contract. Have you made an estimate of how much time will be needed to perform routine updates or patches?
When BlueKeep raised its head several years ago, we found that many of the devices hadn’t had the three service patches applied to them. We also found out that many of these service patches couldn’t be applied or they would break the device. Manufacturers had to create new software that would allow the three service patches to be applied to get to BlueKeep. Thousands of hours were spent patching up just to be able to apply the BlueKeep patch. Look back and see how much time you spent doing that and use it as an estimate. What cyber event will require this level of effort? It should be budgeted for.
What about new equipment coming in? The check-in times will increase as more information is gathered. Likewise, more and more equipment is being networked. This increases the time spent on it. To get a budgetary figure, look at the networked equipment that has come in over the past two years and take an average of the time.
Non-networked devices need to be budgeted for as well. They may also need patching and software upgrades, especially if they have the potential to be put on the network. They can also be corrupted if a corrupted thumb drive, tablet or computer is connected to them. This can happen during servicing or when a patient tries to charge a device through a USB port.
One time eater, especially for management, is the creation and/or updating of the cybersecurity plan. This should be budgeted for whether it is addressed through a contractor, a dedicated employee or management. This is a very important piece and shouldn’t be overlooked, as it sets the direction for your cyber program. Again, take a look at the time spent last year and add it into your budget.
These are just some of the things that should be considered and identified when creating a cyber budget.
Something like an IoT program subscription is an obvious expense, but what about updating an inventory to include cyber/network types of information? How much time will need to be added to the incoming inspection to gather information? Do you need to have additional data fields added or updated in your database? To gather data, will you hire for an inventory or add this gathering of information to PMs and service calls? How much time will be spent on patching, not only for normal patches but also for cyber-attacks, as we saw with BlueKeep? These are just some of the things that need to be identified and calculated into your budget.
