Hey, CSOs: Suck it up and accept budget cuts

Eric Cowperthwaite on why IT security often falls short of what it wants to achieve.

By George V. Hulme

October 05, 2011

Here at CSOonline, we've been taking a hard look at (what often seems to be) the great divide between business leadership and IT security, and how security teams are often out of step -- and touch -- with the rest of the business.

Some of the recent coverage includes "Cut The Security Jargon", "The Business/Security Disconnect that Won't Die" and this week's "Are You an IT Security Leader, Really?"

For ideas on how IT security pros might be able to close the communication gap with business leaders, we turned to Eric Cowperthwaite, chief information security officer of Renton, Washington-based Providence Health & Services.

With 28 hospitals, Providence has more than 50,000 employees located in Washington, Oregon, California, Alaska and Montana. Cowperthwaite has more than 25 years of experience in security & risk management, in both military and civilian organizations. He also knows something about what it's like to be found in violation of security regulations and what's necessary to fix it.

CSO: A lot of organizations are pulling back on their security spending and the reason for the cuts is often said to be because of the economy. Do you think they're cutting security specifically, or are the cuts a reflection of fewer IT deployments, so IT security is shrinking because the overall IT spend is shrinking?
Eric Cowperthwaite: I think that overall IT investments are flat to down in many organizations. I would also argue that for a decade IT security has been given carte blanche increases in their budgets. And when the financial meltdown hit, COOs and CFOs looked at that IT security spending and said, "You know what? All the rest of our business has to live within a budget that makes sense and they have to demonstrate value: How about if you did the same?" Also, many IT groups within businesses have had to take across-the-board hits, and so did IT security for the first time in a decade.

Many IT security managers whined about the cuts and think they are unnecessary, and possibly downright dangerous. I think they are clearly on the wrong side of the argument and reacting in the wrong way.

CSO: Some CSOs say that IT security has been underfunded long-term, and that the increases in spending were, or are still, needed to catch up to where they need to be. With that argument in mind, how do you think they should be reacting?
Cowperthwaite: They should be reacting by saying, "I agree. I need to take a five percent cut just like the rest of the company and still figure out how to do my job just as well as I did it yesterday, if not even better." The heads of various business units are not saying, "Hey, sorry boss, I can't cut my budget. I don't care if revenue fell." The fact is that the days of just throwing money at the security problem are over, which I think is a good thing because just throwing tech at the problem hasn't worked. More broadly, however, what happened simultaneously during the decade of almost unlimited expansion of security budgets is that we also had 10 years of promoting people into information security leadership positions who weren't groomed as business leaders.