Home » Security Leadership » Metrics/Budgets

Security Budgets: Money Well Spent

When it comes to security budgets, less can be more. Here are seven tips for discovering how to squeeze every bit out of yours.

On the flip side, CSOs as a group can also be prone to overreaction. Post-9/11, some CSOs took advantage of the loosened security purse-strings. "A lot of folks don't take the process seriously enough. They're too quick to judge," says Michael Bacon, vice president and corporate security manager at Wells Fargo. Bacon notes that after 9/11, his team didn't run straight to management clamoring for more funding; instead, he put management on notice. "We said, 'We will be coming to you, but first we're going to do a thorough assessment of our needs.' We focused on quality versus speed." The only people who usually benefit from a knee-jerk emotional reaction to a security event are the vendors. Remember: When pursuing budget dollars, CSOs need to be calm, deliberate and forceful.2 Don't Pass the Buck, Pass the Check Another strategy for cost savings is to look at exactly what is included in the budget. Are there projects and programs that shouldn't be there? "Security organizations often pay for big corporate programs that should be moved into a business unit's budget," says Bacon. At Wells Fargo, the security group looks for opportunities to farm those expenditures back out to the business units. They are, after all, the beneficiaries of many of these security programsthey just don't realize it yet. This is often due to a poor sales job on the part of the security team. CSOs must do the legwork of selling business units on the benefits of new security technologies and programs, and that can be hard for an organization that tends to be autocratic with its peers. When successful, however, it's an effort that quite literally pays for itself.

Bacon finds that an effective technique for getting the business side to pay for a security initiative is to take his argument to finance before trying to sell it to the individual business unit. "For CFOs, consistency is king," says Bacon, who notes that once you get the financial folks to sign on to the notion that a business unit should pay for its security initiatives, it becomes much easier to float that idea in the future. It's also much easier to then sell the cost of the program to the business unit with the CFO's seal of approval.

That strategy requires a particular delicacy, especially in companies where the security budget has increased but where budgets for operating units have remained flat. Bacon expects a 15 percent to 20 percent increase in his budget for security equipment, although the corporate stance is flat on business unit budgets and staffing across the board. That, he says, places an even greater pressure on security to justify the dollars it gets while asking business units to invest in security as well. 3 Practice Pavlovian Security CSOs can save themselves considerable security budget wrangling when they lean on policies, procedures and behavior modification techniques instead of expensive technology solutions. "Nine times out of 10, policy changes are more valuable than a financial expenditure," says Bacon. Instead of hiring guards and putting in an expensive card access control program, try locking a door or putting up a wall. If policy changes are your weapon of choice, work with HR to put in consistent penalties for the petty but pernicious offenses of letting unauthorized people through access controlled doors or propping a door open with a trash can.