How you fund a CSO

There's a security professional out there who was formerly the CSO at an online trading firm and now is CSO for a security product vendor. Without the faintest hint of irony, he suggests that the average corporate security budget should be 4 percent to 10 percent of total revenue. He says he's now comfortable with executives laughing in his face.

Naive as it sounds, it points to a real disconnect between security executives and the rest of the board. Even as security gets more moneyan average 29 percent increase last yearthose in charge of security believe the budget increases are way too small, that a 77 percent increase is more justifiable.

And that's just the start of it. Although every trend indicates that physical and IT security will merge, a CSO survey shows that seven out of 10 companies haven't merged budgets for the two disciplines. Seasoned security professionals argue against IT security spending going under the purview of the IT department (because of conflict of interest), yet three-quarters of companies in the survey do just that, averaging 10 percent of their total IT budget devoted to security.

Security budgets overall are widely dispersed, according to the survey, with about a third falling under $100,000, a third between $100,000 and $1 million, and a third more than $1 million. Of course, it's hard to gauge if that's actually meaningful because some of those budgets will include all security expenditures, while others will omit certain items that, in the context of that particular company, fall elsewhere, like disaster recovery, loss prevention or audit functions.

And just to completely muck up the picture, a recent Office of Management and Budget study found, for federal agencies anyway, no correlation between an increased security budget and increased security effectiveness. All of which is to say, if you want a number for what makes a good security budget, we ain't got one. We're not even sure we can put you in a ballpark. If creating a security culture is like sawing through a piece of wood, budgeting is that knot that jams and bends your saw, and probably sprains your wrist.

So without hard facts to give you, we will resort to offering general truths about security budgeting. They are:

1. You need to increase your security budget. We can tell you that CSOs are understaffed and need more resourceshuman and financial. But the longer nothing bad happens, the more apathetic the CFOs and CEOs become about funding securitywhat CISO Bill Spernow of the Georgia Student Finance Commission calls security's "half-life." So don't become apathetic after six months of incident-free living, but also don't be afraid to demand some metrics to justify your continued empathy as well.

2. Your CSO must target spending more wisely. But sometimes it's hard to tell if the budget a CSO gets is being well spent. Think of it this way: If you wear your seat belt for a year but don't get in an accident, was that an effective security measure? What will help answer that kind of question is, again, an increased focus on metrics and viewing security not as a binary spend (either it makes us safe or it doesn't) but as a risk equation (how safe does it make us relative to the cost?).

3. You should spend less on technology and more on education. CISOs, especially, seem to think the solution to every security problem is to throw more technology at it. "It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember an editorial suggesting that cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective," says Spernow.

4. Last, you should use common sense, even in the wake of a major incident. Too often, top executives succumb to their emotions after a major incident. Someone steals intellectual property, and, to avoid bad press, the company pays a hacker an extortion fee. That kind of overreacting is human, but it's also not the way to budget for security. It leads to wild overspending, followed by severe curtailing. It sends mixed signals about the value of security. It is a characteristic of a corporation that is reactionary to security, not proactive.

Trust us on this one: When you're reactionary, security execs will take advantage of you. "What's amazing about major incidents," says Stephen Northcutt, a former CISO with the Ballistic Missile Defense Organization, "is that the status quo ceases. At that moment, you can go to the top brass and ask them for anything, and they'll do it. Boom. And, 100 percent of the time, I've got something on my shopping list. And I'm completely brazen about it. It might have nothing at all to do with the incident at hand, but I'll get it."

The organization that inculcates security into its culture is more likely to budget well, so it all starts with awareness, education and executive endorsement. (By now, these are recognizable, recurring themes in this handbook.) And if your CSO asks for a budget of 4 percent to 10 percent of total revenue, it's OK to laughunless that's what you need.

-Scott BerinatoPeer to PeerVIEW FROM THE CFO

Thinking about security has become second nature to us at Genzyme. In fact, security is an integral part of everything we do. Our company's lifeblood is intellectual property and the people who create it. So we're very aware of protecting both. Some companies have only begun to establish a stronger security sense since 9/11somewhat like hiring a CFO only when you need to close the books at the end of the quarter.

Dave Kent, our vice president and CSO, and I work very closely together. We are members of common work teams and frequently meet informally. It is imperative that the CFO and CSO maintain a close relationship. Failing to maintain a close and open working relationship leads to potentially costly decisions.

As for educating ourselves about security, the senior management staff meets frequentlyformally and informally. We use such occasions to review changes in our business, discuss both new and ongoing programs, and review functional areas. But it is the ongoing contact with Dave that provides the real education. Since we have had a CSO for so long, it has become second nature for us to integrate security into everything at Genzyme. The nature of our business dictates that everything we do has the highest standards built in. Security is part of those standards, and it starts at the top. If security is made a priority and it has become a natural part of your work life, you think of it less as an event and more as business as usual. For us, being smart about security is less a matter of spreading the education and more just a basic part of our lives. It's less of a process of who educates whom and more of a natural offshoot of our culture. Because the nonsecurity executives at Genzyme are aware of security, they tend to seek out Dave at the same rate as Dave educates them and their staffs. We think of it more as a dialogue than an educational series.

As a biotech company, it is vital for us to do it right the first time. Everything we do needs to be of unassailable quality, from the clinical trials to the protection of our employees. For us, there truly is no alternative. The risks are simply too great. Through the integration and involvement of security during the design phase, we avoid costly surprises later. We monitor all expenditures closely. We review what programs work and which don't. But in the end, it all comes down to early involvement and doing it right from the beginning.

Companies need to think about the CSO role as part of their daily business life. While September 11 increased the awareness and need for CSOs, we know that you can't think of security in terms of one-time events. Our employees, our patents and our business are simply too important to take a chance. Think of it like electricity. When the power goes out for most of us, it's an inconvenience that means we might lose some food in the refrigerator. But the repercussions of a power failure increase significantly for someone on a respirator or other medical device that is vital to his life. Nonsecurity executives need to think about security the same way. The costs of a security failure can easily become a determining factor of a company's success or demise.

Michael S. Wyzga is corporate executive vice president, corporate controller, CFO and chief accounting officer of Cambridge, Mass.-based Genzyme.Be the TortoisePLANNING

As the United States prepared to wage war on Iraq, peace of mind could be had for $20 at the corner store. Duct tape, potassium iodide tablets and a 5-gallon jug of water were the celebrated "duct and cover" of the terrorism agebought, paid for and carried home in a paper sack. Here was something tangible that Americans could do, or at least think about doing: They could seal windows against chemical and biological agents, protect their families from radiation poisoning and have drinkable water in case the reservoirs were somehow poisoned. Problem solved.

But as the months went by with no new attacks on American soil, the water got drank and the duct tape unrolled, while the iodide pills gathered dust awaiting their expiration dates. Nothing had happenedso why bother buying more supplies? Crank the security threat dial-o-matic back to a one, kids, or maybe even a zero.

That is a human reflex, and one that plagues corporate America as well. For businesses, the sequence goes like this: Perceive a threat, probably because something terrible has happened, like a website defacement. Scurry around throwing money at the problem for a month or two. Then, when nothing else happens, decide the money was wasted. Ignore threat. Reduce funding. Shampoo. Rinse. Repeat.

We overreact when something bad happens and underreact when nothing happens at all. That's no way to approach security. And nobody understands that better than a CSO. In fact, a primary role of the CSO is to help your organization find equilibriumto ensure that you don't foolishly spend your wad on iodide tablets one day, when what you really should do is have ongoing family discussions about how and where you would find one another during an emergency.

Sure, the CSO has selfish reasons for wanting to find this balance. Nobody wants to see his budget slashed in half one year and doubled the next; that's disruptive.

But the CSO, in advocating for equilibrium, also has your company's best interests in mind. Securitygood security, that isis about risk mitigation, not response. It's about prevention, not reaction. And it's about long-term solutions, not quick fixes.

If something bad does happen, you may still need to react. Your organization's vulnerabilities might have changed, or maybe there's a new threat that needs to be addressed. But instead of cranking the security dial-o-matic from zero to 10 and then back down again, perhaps your CSO can help you nudge it from a five to a six.

None of this is quite as instantly gratifying as a new roll of duct tape, of course. But in the end, you'll be a whole lot better off.

-Sarah D. ScaletMoney Well Spent (and Spent and Spent...)BUDGETING

Stop viewing security as a cost center. Turn it into a business driver.

Nearly everything you do at the executive level is measured in terms of cost and benefit. You use raw data such as financial statements, actuarial tables and decades' worth of academically rigorous research to ensure that for the shekels you shell out, you're getting something in return.

Security, though, is different. Or it was different. Your CSO gets the message loud and clear that he should spend the least amount of money possible to protect the enterprise. Security has long been considered a function that requires spendingwith little or no measurable benefit on the investment. That's a discomforting thought when you're used to applying everyday business metrics to expenditures.

Security is a classic cost center. A comprehensive security programincluding physical and IT security, fraud prevention, workplace safety and intellectual property protectionis no longer optional, according to Tina LaCroix, vice president and CISO of Aon. What's more, she says, "It's a forever commitment, not a one-time expense."

Sounds like bad news. But it isn't. As security and the CSO role rise in prominence, executives will bring their CSOs and CISOsand their security requestsinto the world of business, where investments are rigorously measured as something that must be proven beneficial.

Traditional theories and models of risk management must be inculcated into the security world, known for its traditionally dogmatic view. "If you don't manage risk, you're going to lose money," says security consultant Steve Katz, a former CISO for Merrill Lynch, Citigroup and J.P. Morgan. "Companies have been great about looking at credit risk or the risks of a particular customer or region. Companies and regulators are simultaneously beginning to realize the importance of operational risk and information security as a component of it."

1 2 Page 1
Page 1 of 2
The 10 most powerful cybersecurity companies