AuditRubric
gv-rr-3 high Govern / Roles, Responsibilities, and Authorities

Adequate resources are allocated to cybersecurity commensurate with risk

A security program without a budget is security theater. Organizations that skip resourcing conversations end up with overloaded administrators, deferred tool purchases, and security debt that compounds until a breach forces the issue. Explicit resource allocation ties security investment directly to identified risk, making it defensible to leadership and auditors alike.

Estimated effort: 4h
Tags: governance, budget, resources, staffing, security-investment
Complete first: gv-rr-2, gv-rm-1

Implementation steps

  1. Inventory current security resource commitments

     List every person (full-time, part-time, or contracted) with security responsibilities and estimate what fraction of their time is spent on security. Add up current tool, service, and training costs. This baseline shows you what you are actually spending today.

  2. Map resource gaps to identified risks

     Compare your current security capacity against the risks in your risk register. For each high-priority risk, identify whether you have the people, tools, and budget to address it adequately. Document the gaps explicitly so they become budget requests rather than wishful thinking.

     Tools: Jira, Confluence, Notion

  3. Establish a security budget line and annual review process

     Formalize security as a named budget category reviewed at least annually alongside business planning. Include headcount, tools, external assessments, training, and incident response retainer costs. Tie budget increases to specific risk reduction outcomes so the ROI conversation is concrete.

Evidence required

Security budget documentation

Records showing cybersecurity has a dedicated budget line with approved spending, reviewed and updated on a regular cycle.

  • Annual budget spreadsheet with cybersecurity line items
  • Finance approval for security tool and headcount spend
  • Board or executive approval of security budget request

Resource gap analysis

A documented assessment comparing current security resources to what is needed given the organization's risk profile.

  • Security roadmap with resourcing assumptions
  • Risk register entries flagging resource constraints as a risk factor
  • Staffing plan showing security headcount relative to scope

Related controls