Home » Security Leadership » Metrics/Budgets

Security Budgets: Money Well Spent

When it comes to security budgets, less can be more. Here are seven tips for discovering how to squeeze every bit out of yours.

November 01, 2003 — CSO — Except for the bone-crushing hits and the chop blocks, security isn't all that different from professional football. Really. Compare, for instance, your security budget with the annual salaries of professional football players. You'll find that both are based on tangible and intangible valuations. The salary paid to an NFL player is based largely on the stats of his gridiron performance—the number of sacks, rushing yards or touchdowns—and it will determine whether he can afford to buy The Hummer or will have to cheap out on a Land Rover Discovery. But there are other, softer factors reflected within all those zeros, like the player's marquee value, the number of kids who want to wear his jersey, and his leadership on and off the field.

Similarly, the security budget outlines the basics of how much staff the CSO can afford, the system upgrades that he can make and the new technologies that he can invest in. But it also takes into consideration some squishier facts about the security organization—its perceived value within the corporation and the respect accorded to the CSO and his abilities.

The big difference? In NFL contract disputes, when players say it's not about the money, it's usually about the money. When they say that it is about the money, it's really about respect. But for CSOs trying to eke every penny out of their security budgets, it's about both.

For many CSOs, their departments' cost-center status is not just an accounting designation, it's a state of mind. The good news is that the CSO is no longer the corporation's poor relation. Many say that their budgets have increased—even in some cases where funding for their business counterparts remained flat. Research findings confirm those anecdotal reports. In a worldwide study conducted by CIO (CSO's sister publication) and PricewaterhouseCoopers released in October of this year (see "The State of IT Security 2003," October), approximately 7,500 CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security were polled on their security spending habits. When asked to compare their 2003 security budgets with 2002, 45 percent of the survey's respondents indicated that their budgets would increase a little, with 17 percent claiming that the increase would be significant. Only 8 percent of respondents said that their budgets would decrease.

It turns out that increasing funding is not just a wish or a goal for the CSO, it's a strategic initiative. A full 30 percent of respondents reported that one of their top strategic objectives is to expand that budget even more. When respondents were asked what factors presented a barrier to good security measures at their organizations, a limited budget far outweighed any other response.