Home » Security Leadership » Metrics/Budgets

Security Budgets: Money Well Spent

When it comes to security budgets, less can be more. Here are seven tips for discovering how to squeeze every bit out of yours.

CSOs trying to stretch budgets should leave the technology heroics to others. Which doesn't mean you have to lead a new Luddite movement. At PPG, Becker lets other companies be the technology guinea pigs. "We like to think of our ourselves as fast followers," he says. "We don't jump in too early with most technologies; in fact, it's rare that we're ever a technology leader." Becker prefers to wait until the kinks have been worked out, after others have learned the hard lessons. Then he benefits from their experience when he feels the technology is ready. "I would never be comfortable pitching a biometrics application," he says by way of example. "We go with the sound, long-term, successful optionsin this case, closed-circuit TV and access control." That might sound a little dull, but it's certainly preferable to the excitement of having to explain to the board of directors why the expensive biometrics application you purchased last year didn't work out.

Free network scanning tools and open-source software can be tempting ways to increase security for CSOs who are looking to cut back expenses. Steve Katz, former CISO with Citigroup and Merrill Lynch, and current president of Security Risk Solutions, says that tight budgeting has led more than a few CSOs to turn to "free" tools. But he cautions security execs from blindly falling prey to their lure. "You'd better really know what's going on in that thing, and you'd better use a good code analysis tool," says Katz. "When you use tools like that, you may end up sleeping like a baby," he says sarcastically. "You get up every two hours and cry." 5 Communicate Early and Often CSOs may be good at talking with their teams, but when it comes to their executive peers, they're typically not as skilled. That only makes the task of budget planning harder because poor communication means that the security team doesn't know what business units have in the works and which projects will require security attention and expenditure in the coming year. "The security guys are often out of touch," notes Whit Diffie, CSO of Sun Microsystems. "In the long run, cost savings are going to be a function of better communication."

At Willis, one of the effective techniques Burnette has found for making sure that security is brought into the loop is the power of choice. Interaction with security is much more appealing for businesspeople when they have some control over what kind of security controls are going to be put in. Business units used to come to Burnette's security group with their projects nearing completion and ask for the cheapest solution possible. But now they come to security much earlier. Burnette lays out options for them in all price ranges. "We can put in this security, which is the Cadillac, or we can put in the Corvette or the Pinto version," he says. "I lay out the options, the cost and the risk and let business make an informed decisionand you know, they never choose the Pinto."