In Depth

Security Budgets: Money Well Spent

When it comes to security budgets, less can be more. Here are seven tips for discovering how to squeeze every bit out of yours.

By Daintry Duffy

Paul Viollis, a 22-year veteran of law enforcement and security and author of Jane's Workplace Security Handbook (Jane's Information Group, 2002), postulates that the greatest "technology" available to the security organization is one that is inexpensive yet generally ignored: the power of corporate culture in achieving good security. "The most cost-effective way for any organization to allocate resources to security is to reengineer the culture of the company," says Viollis. "Training employees to be aware of security risks and how to handle them is far more effective than throwing money at a security front that isn't properly enforced."

And training doesn't have to be expensive. At Textron, Avesian's team created and launched an internal website devoted to security awareness: The Textron Information Security intranet. The site's content is focused on the employee and contains security policy dos and don'ts. Avesian's barometer for what to put on the site was based on a simple question: "If I had only so much time to spend with each employee, what would I want them to take away from the conversation?" The result is a synopsis of the corporate security policies and guidelines that appears in seven languages on the site so that offices across the world can access them, as well as disaster recovery templates, frequently asked security questions, and security tips and tricks (such as a guide to creating secure passwords).

As a general rule, spending a little money up front to enforce a policy is usually cheaper than brazening out the potential long-term financial risks of doing nothing. Investing in enforcement mechanisms such as CCTV cameras at doors, for example, can help with access control problems, will be cheaper than hiring guards and might even negate the potential financial liability that could be incurred if lax access control ever led to a serious security incident. When Mark Burnette first joined Willis Group as the global information security officer, he found that the company had plenty of good security policies but was lacking the necessary enforcement. "You can write a fantastic policy," he says, "but it only works if you enforce it and audit it." He updated the company's password policy to require more secure passwords, but the operating system at the time didn't provide any way to technically enforce it. Setting a secure password policy with no enforcement mechanism would have been pointless, so Burnette installed an add-on system component that would allow them to enforce it.

4 Become a Fast Follower

Security is one area where there is no prize for first place. That's especially true when CSOs waste their budgets on new technologies that aren't quite ready for prime time. Being the first CSO to implement a brand-new technology might earn you the envy of your peers, but it probably won't get you the admiration of your CFO.
