Answer these 3 questions if you want to get your security projects funded

Before asking for funding for new initiatives, make sure you can answer these three questions

2014 11 07 cso 3 questions
Credit: BigStock

How do you handle the challenge of asking for money?

The subject of money is uncomfortable for many people. Whether you’re the leader tasked with deciding how to allocate budget, or the person making the case for funding, how do you do it?

Ultimately, security advances by selecting, funding, and focusing the right efforts. The projects that solve problems while improving the posture of the organization. The right projects need to demonstrate an increase in value.

I recently outlined 3 questions successful leaders ask before starting a new project on LinkedIn:

  • What is the urgency and priority of this effort?
  • How do we compare to our peers?
  • How much are you asking for, and what do we get?

Consider the impact and answer of each when it comes to information security.

What is the urgency/priority

Executives and decision makers are flooded with requests to fund projects. Since the person making the request typically invests a lot of time and effort into researching the elements, by the time they make the request, it is often the most important project (to them).

As such, if polled, everyone believes their project is urgent. Theirs is the highest priority. They deserve the funding. Every penny they asked for -- and maybe more, just to be safe.

What’s a decision maker to do?

When everything is a priority, nothing is.

Better questions:

  • What can we do to make the right decision easier?
  • How can we put the elements in context?

Perhaps a bit too subtle in writing about our need for better guidance, if we want better outcomes, we need to do a better job of helping executives and decision makers consider the priority of actions. In many cases, we present a huge list of options and “let the process” whittle it down.

Instead, we need to do the work and make the hard decisions first. We must consider the urgency of action, the context to make the decision. Then we can present a limited (keep it to 3) set of options that allow someone with a larger field of view to make the right decision.

I routinely come across security (and other) teams that have a list of 20-50 initiatives. And at the end of the year, they are frazzled. Worse, they often struggle to demonstrate results that addressed the challenge and increased value.

High performance teams have a defined list of 3-5 key initiatives that get the bulk of their focus. Done right, it produces the highest -- and demonstrable -- value for the organization. It harnesses energy and drives results.

Bottom line: when proposing any sort of change, solution, or project, take the time to consider and communicate the priority of the action. Include what it displaces.

How do we compare to others?

Sometimes a frustrating question, the answer provides insight into the challenge, how the industry is (or isn’t) handling it, and the relative risk of pursuing the recommended course of action.

Understanding position relative to others is also motivating.

Few people want to be behind the curve. Too far in front of others typically means using less proven solutions. They tend to be a bit more expensive (in part due to the learning curve) and carry more risk. Most executives seek a position of action on the leading -- not bleeding -- edge of the curve. Leading others generally represents the right mix of investment risk and reward.

Naturally, security poses a few challenges. Security is a quiet business. It is hard to accurately assess -- with some measure of objectivity -- how you rank relative to your peers. And the security landscape is changing.

As we work to adopt and adapt our solutions to the ‘assume breach’ mindset, sometimes we need to make a change sooner than others. It might take more time and effort to gather the evidence -- and tell the right story -- that helps reduce the fears of taking a different approach in advance of others.

Bottom line: use the methods you have available to you to paint an objective -- and verifiable -- view of how you’re doing relative to your peers in the industry. If you recommend something that feels a bit different, make sure the decision maker is presented with emotional, logical, and financial evidence to the merits of the approach.

How much are you asking for, and what do we get?

At the heart, this is a question of value. It garners a lot of confusion, especially when asked about “return on investment.” The real question is “what are we getting in return for investing this money?”

Executives are generally practiced at broadly understanding risk. They also tend to have a larger field of view - broader than technology or security. They have a responsibility to allocate funding to the projects that solve problems and help advance the organization. Tasked with increasing the value of the organization, they need a sense of how the effort does that.

That doesn’t mean they want an elaborate spreadsheet loaded with complex calculations. In most cases, they need a better sense of how the proposed solution addresses the problem. Asking “what do we get?” encompasses more than what is listed on the purchase order.

We need to provide a concise, accurate, and articulate understanding of:

  • How the solution addresses the problem
  • The expected experience for others (disruptive, makes their work harder, etc.)
  • How long it will take
  • How complex the effort is, including other teams and areas involved in the process
  • How certain we are that it will work

For us, that means stepping back to understand and clearly articulate the problem. We need to have a level of comfort that the solution experience addresses the challenge successfully. That also means considering:

  • How to measure the solution (including the baseline)
  • What success looks like
  • How others can quickly assess the status and success of the effort

Measuring what matters in security is a sometimes scary endeavor. To lead effectively means working through the discomfort to a place of performance. That requires measurement.

Aside: when I ask most leaders -- including those outside of security -- if they go back and measure their assumptions, the resounding answer is: “no.” Most explain it’s a good idea, offer they should do it. Yes. yes they should. Why wait?

Bottom line: you need to provide a story that demonstrates how the investment of time, money, and resources solves a problem. The more accurate and compelling the story -- including the expected journey and outcome -- the more likely you’ll get the funding you need.

Why wait? Get started today

Leadership is purposeful action.

Regardless of budget cycles, routinely assessing ongoing and proposed projects using these three questions increases the likelihood of successful projects. And if you want your program funded, then the more clearly you answer these questions -- using emotion, logic, and financial sense, the more likely you are to get the money and support you need.

Today is a great day to get started. Take an hour - 20 minutes per question - and explore what answers you come up with.

Take a current effort - perhaps a stalled project - and consider the answer to these questions. The process might reveal the pathway to get back on track. Or it might just reveal that the urgency, priority and effort just isn’t going to produce the right value.

While it seems awkward to admit some projects looked better on paper, it’s the mark of strong leadership. The ability to assess efforts and place focus on what matters most is a way to improve your career, your team, and the security program overall.

Let me know what you think of these questions and how they improve your efforts. Leave a comment, shoot me an email, or let’s discuss on twitter (@catalyst).

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.