Security Budgets: Money Well Spent

When it comes to security budgets, less can be more. Here are seven tips for discovering how to squeeze every bit out of yours.

Except for the bone-crushing hits and the chop blocks, security isn't all that different from professional football. Really. Compare, for instance, your security budget with the annual salaries of professional football players. You'll find that both are based on tangible and intangible valuations. The salary paid to an NFL player is based largely on the stats of his gridiron performance—the number of sacks, rushing yards or touchdowns—and it will determine whether he can afford to buy The Hummer or will have to cheap out on a Land Rover Discovery. But there are other, softer factors reflected within all those zeros, like the player's marquee value, the number of kids who want to wear his jersey, and his leadership on and off the field.

Similarly, the security budget outlines the basics of how much staff the CSO can afford, the system upgrades that he can make and the new technologies that he can invest in. But it also takes into consideration some squishier facts about the security organization—its perceived value within the corporation and the respect accorded to the CSO and his abilities.

The big difference? In NFL contract disputes, when players say it's not about the money, it's usually about the money. When they say that it is about the money, it's really about respect. But for CSOs trying to eke every penny out of their security budgets, it's about both.

For many CSOs, their departments' cost-center status is not just an accounting designation, it's a state of mind. The good news is that the CSO is no longer the corporation's poor relation. Many say that their budgets have increased—even in some cases where funding for their business counterparts remained flat. Research findings confirm those anecdotal reports. In a worldwide study conducted by CIO (CSO's sister publication) and PricewaterhouseCoopers released in October of this year (see "The State of IT Security 2003," October), approximately 7,500 CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security were polled on their security spending habits. When asked to compare their 2003 security budgets with 2002, 45 percent of the survey's respondents indicated that their budgets would increase a little, with 17 percent claiming that the increase would be significant. Only 8 percent of respondents said that their budgets would decrease.

It turns out that increasing funding is not just a wish or a goal for the CSO, it's a strategic initiative. A full 30 percent of respondents reported that one of their top strategic objectives is to expand that budget even more. When respondents were asked what factors presented a barrier to good security measures at their organizations, a limited budget far outweighed any other response.

But the reality for CSOs is that no matter the size of the security budget, it never seems adequate when weighed against the growing risks and responsibilities they need to tackle. "Is it enough?" asks Greg Avesian, vice president of enterprise infrastructure and security for Textron, where the security budget increased this year. "It's never enough. I have to make the most efficient use of those valuable dollars."

We asked CSOs to share with us their strategies for making the most of their security budgets, and we gleaned their advice on the best, and worst, areas to make cuts.

1 Be the Chief Self-Esteem Officer

Think of it as taking a Stuart Smalley moment. Recalling the Saturday Night Live therapist who began each skit with his daily affirmation, CSOs are good enough, smart enough and, doggone it, people like them. So have the confidence in your own judgment, and push back for funding when it's necessary.

To many, CSOs are the guys who step in at the last minute and delay business-critical projects by adding expensive controls of which only they can see the value. Many suspect that their peers have internalized those perceptions, affecting their ability to push through the funding for necessary initiatives.

And because they often have military and law enforcement backgrounds, CSOs also tend to be individuals who have a great deal of respect for authority, says Marene Allison, director of global security for Avaya. "In many situations, the security person is used to being compliant, and I sometimes think we need to learn to be a little more aggressive, to toot our own horns a bit more," she says. That doesn't mean getting in the face of every executive who disagrees with you. "You don't want it known that the security director took down some executive over business continuity planning," she cautions, but CSOs have to be more forceful about pushing back on important budget issues instead of taking "no" as the last word.

Regis Becker, global director of security and compliance for PPG Industries and former president and chairman of ASIS International, was actually reprimanded early in his PPG career for being too compliant. "I have a law enforcement background, and I was told that I had an almost unhealthy respect for hierarchy," he says. Becker's manager at that time told him that he was too deferential to the chain of command and suggested that if he had a funding request he felt was critical, he should take it straight to the CEO and dispense with the often fruitless process of bouncing the initiative off a succession of underlings.

On the flip side, CSOs as a group can also be prone to overreaction. Post-9/11, some CSOs took advantage of the loosened security purse-strings. "A lot of folks don't take the process seriously enough. They're too quick to judge," says Michael Bacon, vice president and corporate security manager at Wells Fargo. Bacon notes that after 9/11, his team didn't run straight to management clamoring for more funding; instead, he put management on notice. "We said, 'We will be coming to you, but first we're going to do a thorough assessment of our needs.' We focused on quality versus speed." The only people who usually benefit from a knee-jerk emotional reaction to a security event are the vendors. Remember: When pursuing budget dollars, CSOs need to be calm, deliberate and forceful.

2 Don't Pass the Buck, Pass the Check

Another strategy for cost savings is to look at exactly what is included in the budget. Are there projects and programs that shouldn't be there? "Security organizations often pay for big corporate programs that should be moved into a business unit's budget," says Bacon. At Wells Fargo, the security group looks for opportunities to farm those expenditures back out to the business units. They are, after all, the beneficiaries of many of these security programs; they just don't realize it yet. This is often due to a poor sales job on the part of the security team. CSOs must do the legwork of selling business units on the benefits of new security technologies and programs, and that can be hard for an organization that tends to be autocratic with its peers. When successful, however, it's an effort that quite literally pays for itself.

Bacon finds that an effective technique for getting the business side to pay for a security initiative is to take his argument to finance before trying to sell it to the individual business unit. "For CFOs, consistency is king," says Bacon, who notes that once you get the financial folks to sign on to the notion that a business unit should pay for its security initiatives, it becomes much easier to float that idea in the future. It's also much easier to then sell the cost of the program to the business unit with the CFO's seal of approval.

That strategy requires a particular delicacy, especially in companies where the security budget has increased but where budgets for operating units have remained flat. Bacon expects a 15 percent to 20 percent increase in his budget for security equipment, although the corporate stance is flat on business unit budgets and staffing across the board. That, he says, places an even greater pressure on security to justify the dollars it gets while asking business units to invest in security as well.

3 Practice Pavlovian Security

CSOs can save themselves considerable security budget wrangling when they lean on policies, procedures and behavior modification techniques instead of expensive technology solutions. "Nine times out of 10, policy changes are more valuable than a financial expenditure," says Bacon. Instead of hiring guards and putting in an expensive card access control program, try locking a door or putting up a wall. If policy changes are your weapon of choice, work with HR to put in consistent penalties for the petty but pernicious offenses of letting unauthorized people through access controlled doors or propping a door open with a trash can.

Paul Viollis, a 22-year veteran of law enforcement and security and author of Jane's Workplace Security Handbook (Jane's Information Group, 2002), postulates that the greatest "technology" available to the security organization is one that is inexpensive yet generally ignored: the power of corporate culture in achieving good security. "The most cost-effective way for any organization to allocate resources to security is to reengineer the culture of the company," says Viollis. "Training employees to be aware of security risks and how to handle them is far more effective than throwing money at a security front that isn't properly enforced."

And training doesn't have to be expensive. At Textron, Avesian's team created and launched an internal website devoted to security awareness, the Textron Information Security intranet. The site's content is focused on the employee and contains security policy dos and don'ts. Avesian's barometer for what to put on the site was based on a simple question: "If I had only so much time to spend with each employee, what would I want them to take away from the conversation?" The result is a synopsis of the corporate security policies and guidelines that appears in seven languages on the site so that offices across the world can access them, as well as disaster recovery templates, frequently asked security questions, and security tips and tricks (such as a guide to creating secure passwords).

As a general rule, spending a little money up front to enforce a policy is usually cheaper than brazening out the potential long-term financial risks of doing nothing. Investing in enforcement mechanisms such as CCTV cameras at doors, for example, can help with access control problems, will be cheaper than hiring guards and might even negate the potential financial liability that could be incurred if lax access control ever led to a serious security incident. When Mark Burnette first joined Willis Group as the global information security officer, he found that the company had plenty of good security policies but was lacking the necessary enforcement. "You can write a fantastic policy," he says, "but it only works if you enforce it and audit it." He updated the company's password policy to require more secure passwords, but the operating system at the time didn't provide any way to technically enforce it. Setting a secure password policy with no enforcement mechanism would have been pointless, so Burnette installed an add-on system component that would allow them to enforce it.

4 Become a Fast Follower

Security is one area where there is no prize for first place. That's especially true when CSOs waste their budgets on new technologies that aren't quite ready for prime time. Being the first CSO to implement a brand-new technology might earn you the envy of your peers, but it probably won't get you the admiration of your CFO.

CSOs trying to stretch budgets should leave the technology heroics to others. Which doesn't mean you have to lead a new Luddite movement. At PPG, Becker lets other companies be the technology guinea pigs. "We like to think of ourselves as fast followers," he says. "We don't jump in too early with most technologies; in fact, it's rare that we're ever a technology leader." Becker prefers to wait until the kinks have been worked out, after others have learned the hard lessons. Then he benefits from their experience when he feels the technology is ready. "I would never be comfortable pitching a biometrics application," he says by way of example. "We go with the sound, long-term, successful options, in this case, closed-circuit TV and access control." That might sound a little dull, but it's certainly preferable to the excitement of having to explain to the board of directors why the expensive biometrics application you purchased last year didn't work out.
