Security's Double-Edged Success

One anonymous CSO's account of the ironies of the security budgeting process.

September 04, 2002

CSO — I am a victim of my own success.

You see, I've done a good job as the CSO of a major corporation. And because I've done my job so well, my company hasn't suffered any major attacks. But then—precisely because I've done my job so well—no one sees the real value in the day-to-day security operations that keep the company safe. It's the quintessential thankless job.

So now the company's CIO wants to cut my budget. "There's not much we can do about it," he says. "We're cutting budgets across the board. Why are you so uptight?"

"Because when you cut back on your budget, you have some wiggle room. You can cut things that are not so vital. We just get slower laptops. Or maybe we don't get the upgrades to existing systems we want," I observe. "But when I cut back on the security budget, I put the whole company at risk. If I don't have the people and the technology to detect attacks—or if I lose the funds to implement protective systems to keep new attacks away—we can be taken down to the pavement in very short order."

"Well, still," he says dismissively, "you'll just have to cut back like the rest of us and do less."

And that, as they say, is that.

Oh, sure, I could quote to him all kinds of statistics about what happens during an attack. I could talk about the financial decimation that can level a company that has been attacked. I certainly know where to get the latest CERT Coordination Center statistics that show how attacks have quadrupled since 2000. I subscribe to all the standard trade publications, have access to the IDC reports database and read all the industry analyst reports. I have the FBI and Computer Security Institute annual survey. I attend conferences sponsored by the Information Systems Audit and Control Association, the Institute of Internal Auditors and Internet Security Alliance. Heck, I talk to other CSOs who have been attacked. I know the situation with security attacks is bad, and I know it's getting worse. I know that my company could be next in line.

And yeah, I have done the management education thing. I've thrown the "Do you see how much we spent to fix the crisis?" question at them. I've used various penetration analyses to demonstrate how we can get bounced.

But no one here listens. That is, until something ugly pops up and causes a major security event to occur. Then, of course, all bets are off. Management points fingers and demands security assistance. Employees try to affix blame on the security department for the lack of care and feeding. Probably—way deep down—everyone realizes that it's not our fault. But someone has to take the blame.
