Home » Security Leadership » Metrics/Budgets

Security Budgets: Money Well Spent

When it comes to security budgets, less can be more. Here are seven tips for discovering how to squeeze every bit out of yours.

Most CSOs know by now that they have to be able to speak in business lingo in order to be successful, but budget issues are an area where this can be especially helpful. "We try to put [security] in business terms, and we outline it as we would any other cost benefit," Burnette says. "You have to think like they think, prove it, explain the risks, benefits and payback, and explain how it benefits their business bottom-line." Security doesn't have to make moneymost of the time it'll be a cost. But when making a request for funding, CSOs are often afraid to actually talk about money. They are in their element talking about the technology, but after business execs hear the words "robust and scalable" for the third time, their eyes glaze over and they're thinking about how they shanked the ball on the 14th hole. Instead, talk about the financial benefits of the investment you'd like business to make. An improved access control system can be tied to a reduction in theft losses at a facility, and an upgraded firewall can be translated into improved network uptime and a drop off in nuisance viruses. 6 Believe in Vendors OK. So, right now you're raising a single eyebrowmaybe bothand asking "When has a security vendor ever saved me money?" Probably never, we know, because most CSOs treat vendors like an opposing combatant in battle who just happened to end up in the same trench. But, if you turn those arm's-length relationships into strategic partnerships, you can squeeze a much greater benefit out of the money you're already paying them and offload security tasks that you don't have the budget to do in-house.

Try challenging your vendors to deliver more value for the exorbitant prices you're paying. "Push as much as you can onto vendors, and use their resources as an extension of your programs," suggests Bacon.

Avesian has formed strong relationships with his third-party providers, AT&T and IBM, and calls it a "real" partnership, as opposed to the kind that you hear about in a press release or advertisement. Representatives from IBM and AT&T are members of Avesian's security leadership team, and he goes to them for just about everything security-related, whether or not it falls within the delineation of their contract. He's had IBM host a disaster recovery workshop at Textron, runs security policies by them and has visited their security operations facility in Boulder, Colo., to see new technologies and further his own security education.