There's a security professional out there who was formerly the CSO at an online trading firm and now is CSO for a security product vendor. Without the faintest hint of irony, he suggests that the average corporate security budget should be 4 percent to 10 percent of total revenue. He says he's now comfortable with executives laughing in his face.
Naive as it sounds, it points to a real disconnect between security executives and the rest of the board. Even as security gets more money
And that's just the start of it. Although every trend indicates that physical and IT security will merge, a CSO survey shows that seven out of 10 companies haven't merged budgets for the two disciplines. Seasoned security professionals argue against putting IT security spending under the purview of the IT department (a conflict of interest: the group being secured would control the budget for securing itself), yet three-quarters of companies in the survey do just that, devoting an average of 10 percent of their total IT budget to security.
Security budgets overall are widely dispersed, according to the survey, with about a third falling under $100,000, a third between $100,000 and $1 million, and a third more than $1 million. Of course, it's hard to gauge if that's actually meaningful because some of those budgets will include all security expenditures, while others will omit certain items that, in the context of that particular company, fall elsewhere, like disaster recovery, loss prevention or audit functions.
And just to completely muck up the picture, a recent Office of Management and Budget study found, for federal agencies anyway, no correlation between an increased security budget and increased security effectiveness. All of which is to say, if you want a number for what makes a good security budget, we ain't got one. We're not even sure we can put you in a ballpark. If creating a security culture is like sawing through a piece of wood, budgeting is that knot that jams and bends your saw, and probably sprains your wrist.
So without hard facts to give you, we will resort to offering general truths about security budgeting. They are:
1. You need to increase your security budget. We can tell you that CSOs are understaffed and need more resources
2. Your CSO must target spending more wisely. But sometimes it's hard to tell if the budget a CSO gets is being well spent. Think of it this way: If you wear your seat belt for a year but don't get in an accident, was that an effective security measure? What will help answer that kind of question is, again, an increased focus on metrics and viewing security not as a binary spend (either it makes us safe or it doesn't) but as a risk equation (how safe does it make us relative to the cost?).
3. You should spend less on technology and more on education. CISOs, especially, seem to think the solution to every security problem is to throw more technology at it. "It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember an editorial suggesting that cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective," says Spernow.
4. Last, you should use common sense, even in the wake of a major incident. Too often, top executives succumb to their emotions after a major incident. Someone steals intellectual property, and, to avoid bad press, the company pays a hacker an extortion fee. That kind of overreacting is human, but it's also no way to budget for security. It leads to wild overspending, followed by severe curtailing. It sends mixed signals about the value of security. It is the mark of a corporation that is reactive about security, not proactive.
Trust us on this one: When you're reactive, security execs will take advantage of you. "What's amazing about major incidents," says Stephen Northcutt, a former CISO with the Ballistic Missile Defense Organization, "is that the status quo ceases. At that moment, you can go to the top brass and ask them for anything, and they'll do it. Boom. And, 100 percent of the time, I've got something on my shopping list. And I'm completely brazen about it. It might have nothing at all to do with the incident at hand, but I'll get it."
The organization that inculcates security into its culture is more likely to budget well, so it all starts with awareness, education and executive endorsement. (By now, these are recognizable, recurring themes in this handbook.) And if your CSO asks for a budget of 4 percent to 10 percent of total revenue, it's OK to laugh
-Scott Berinato

Peer to Peer
VIEW FROM THE CFO
Thinking about security has become second nature to us at Genzyme. In fact, security is an integral part of everything we do. Our company's lifeblood is intellectual property and the people who create it. So we're very aware of protecting both. Some companies have only begun to establish a stronger security sense since 9/11
Dave Kent, our vice president and CSO, and I work very closely together. We are members of common work teams and frequently meet informally. It is imperative that the CFO and CSO maintain a close relationship. Failing to maintain a close and open working relationship leads to potentially costly decisions.
As for educating ourselves about security, the senior management staff meets frequently
As a biotech company, it is vital for us to do it right the first time. Everything we do needs to be of unassailable quality, from the clinical trials to the protection of our employees. For us, there truly is no alternative. The risks are simply too great. Through the integration and involvement of security during the design phase, we avoid costly surprises later. We monitor all expenditures closely. We review what programs work and which don't. But in the end, it all comes down to early involvement and doing it right from the beginning.
Companies need to think about the CSO role as part of their daily business life. While September 11 increased the awareness and need for CSOs, we know that you can't think of security in terms of one-time events. Our employees, our patents and our business are simply too important to take a chance. Think of it like electricity. When the power goes out for most of us, it's an inconvenience that means we might lose some food in the refrigerator. But the repercussions of a power failure increase significantly for someone on a respirator or other medical device that is vital to his life. Nonsecurity executives need to think about security the same way. The costs of a security failure can easily become a determining factor of a company's success or demise.
Michael S. Wyzga is corporate executive vice president, corporate controller, CFO and chief accounting officer of Cambridge, Mass.-based Genzyme.

Be the Tortoise
PLANNING
As the United States prepared to wage war on Iraq, peace of mind could be had for $20 at the corner store. Duct tape, potassium iodide tablets and a 5-gallon jug of water were the celebrated "duct and cover" of the terrorism age
But as the months went by with no new attacks on American soil, the water got drunk and the duct tape unrolled, while the iodide pills gathered dust awaiting their expiration dates. Nothing had happened
That is a human reflex, and one that plagues corporate America as well. For businesses, the sequence goes like this: Perceive a threat, probably because something terrible has happened, like a website defacement. Scurry around throwing money at the problem for a month or two. Then, when nothing else happens, decide the money was wasted. Ignore threat. Reduce funding. Shampoo. Rinse. Repeat.
We overreact when something bad happens and underreact when nothing happens at all. That's no way to approach security. And nobody understands that better than a CSO. In fact, a primary role of the CSO is to help your organization find equilibrium
Sure, the CSO has selfish reasons for wanting to find this balance. Nobody wants to see his budget slashed in half one year and doubled the next; that's disruptive.
But the CSO, in advocating for equilibrium, also has your company's best interests in mind. Security
If something bad does happen, you may still need to react. Your organization's vulnerabilities might have changed, or maybe there's a new threat that needs to be addressed. But instead of cranking the security dial-o-matic from zero to 10 and then back down again, perhaps your CSO can help you nudge it from a five to a six.
None of this is quite as instantly gratifying as a new roll of duct tape, of course. But in the end, you'll be a whole lot better off.
-Sarah D. Scalet

Money Well Spent (and Spent and Spent...)
BUDGETING
Stop viewing security as a cost center. Turn it into a business driver.
Nearly everything you do at the executive level is measured in terms of cost and benefit. You use raw data such as financial statements, actuarial tables and decades' worth of academically rigorous research to ensure that for the shekels you shell out, you're getting something in return.
Security, though, is different. Or it was different. Your CSO gets the message loud and clear that he should spend the least amount of money possible to protect the enterprise. Security has long been considered a function that requires spending
Security is a classic cost center. A comprehensive security program
Sounds like bad news. But it isn't. As security and the CSO role rise in prominence, executives will bring their CSOs and CISOs
Traditional theories and models of risk management must be brought into a security world long known for its dogmatic view. "If you don't manage risk, you're going to lose money," says security consultant Steve Katz, a former CISO for Merrill Lynch, Citigroup and J.P. Morgan. "Companies have been great about looking at credit risk or the risks of a particular customer or region. Companies and regulators are simultaneously beginning to realize the importance of operational risk and information security as a component of it."