Security Budgets: Money Well Spent

When it comes to security budgets, less can be more. Here are seven tips for discovering how to squeeze every bit out of yours.


Free network scanning tools and open-source software can be tempting ways to increase security for CSOs who are looking to cut back expenses. Steve Katz, former CISO with Citigroup and Merrill Lynch, and current president of Security Risk Solutions, says that tight budgeting has led more than a few CSOs to turn to "free" tools. But he cautions security execs against blindly falling prey to their lure. "You'd better really know what's going on in that thing, and you'd better use a good code analysis tool," says Katz. "When you use tools like that, you may end up sleeping like a baby," he says sarcastically. "You get up every two hours and cry."

5 Communicate Early and Often

CSOs may be good at talking with their teams, but when it comes to their executive peers, they're typically not as skilled. That only makes budget planning harder, because poor communication means the security team doesn't know what business units have in the works and which projects will require security attention and expenditure in the coming year. "The security guys are often out of touch," notes Whit Diffie, CSO of Sun Microsystems. "In the long run, cost savings are going to be a function of better communication."

At Willis, one of the effective techniques Burnette has found for making sure that security is brought into the loop is the power of choice. Interaction with security is much more appealing for businesspeople when they have some control over which security measures will be put in. Business units used to come to Burnette's security group with their projects nearing completion and ask for the cheapest solution possible. Now they come to security much earlier, and Burnette lays out options for them in all price ranges. "We can put in this security, which is the Cadillac, or we can put in the Corvette or the Pinto version," he says. "I lay out the options, the cost and the risk and let business make an informed decision, and you know, they never choose the Pinto."

Most CSOs know by now that they have to be able to speak in business lingo in order to be successful, but budget issues are an area where this is especially helpful. "We try to put [security] in business terms, and we outline it as we would any other cost benefit," Burnette says. "You have to think like they think, prove it, explain the risks, benefits and payback, and explain how it benefits their business bottom-line." Security doesn't have to make money; most of the time it will be a cost. But when making a request for funding, CSOs are often afraid to actually talk about money. They are in their element talking about the technology, but after business execs hear the words "robust and scalable" for the third time, their eyes glaze over and they're thinking about how they shanked the ball on the 14th hole. Instead, talk about the financial benefits of the investment you'd like the business to make. An improved access control system can be tied to a reduction in theft losses at a facility, and an upgraded firewall can be translated into improved network uptime and a drop-off in nuisance viruses.

6 Believe in Vendors

OK. So, right now you're raising a single eyebrow, maybe both, and asking, "When has a security vendor ever saved me money?" Probably never, we know, because most CSOs treat vendors like an opposing combatant in battle who just happened to end up in the same trench. But if you turn those arm's-length relationships into strategic partnerships, you can squeeze a much greater benefit out of the money you're already paying them and offload security tasks that you don't have the budget to do in-house.

Try challenging your vendors to deliver more value for the exorbitant prices you're paying. "Push as much as you can onto vendors, and use their resources as an extension of your programs," suggests Bacon.

Avesian has formed strong relationships with his third-party providers, AT&T and IBM, and calls it a "real" partnership, as opposed to the kind that you hear about in a press release or advertisement. Representatives from IBM and AT&T are members of Avesian's security leadership team, and he goes to them for just about everything security-related, whether or not it falls within the scope of their contract. He's had IBM host a disaster recovery workshop at Textron, runs security policies by them and has visited their security operations facility in Boulder, Colo., to see new technologies and further his own security education.

But as everyone knows, security vendors can also be indifferent partners, to say the least. CSOs can sometimes save money and achieve a higher quality of service if they are able to redeploy their own internal resources to accomplish a task. At PPG Industries, Becker has been frustrated with the level of reliability and service of their access control vendor and is examining strategies in that area and others to eliminate service agreements and bring some functions back in-house. "It's tough to get attention when there are just a few big players in the market," complains Becker. PPG is already successfully relying on its technical staff in its R&D business centers to do more and more of the general security tech support.

7 Use People, in a Good Way

When budgets tighten, the security organization's staff often falls under the scrutiny of business leaders eager to cut costs. While CSOs hate to lose their employees, the justification has to be there for each person on the payroll. At Avaya, Allison looks for ways to get value out of every member of her team. "There's a tendency to cut back on staff, and they really are the biggest investment that you have," she says. As in any industry, the younger employee is cheaper, but in security, youth is no match for experience. "I may have a young investigator and an old investigator, but the older guy can get that confession on the table," says Allison. Instead of teaching old dogs new tricks, Allison's strategy is to let the old dogs and the young dogs run together and learn from each other.

The importance of keeping skilled employees over cheaper, inexperienced labor is seconded by Stephen Baker, vice president and manager of corporate security at State Street Corp. "I would rather pay more money and have less officers than have a whole bunch of officers that don't know what they're doing," he says. "I want the ex-military guy that knows when to ask questions, and I think that's a lot more valuable than a high school student on a learning curve."

One area that most CSOs agree is ripe for cost savings is guard contracts. "Everybody spends millions on guards whose contracts must be continually reassessed," says Bacon. That's challenging because, as he points out, guards become "an emotional fixture." Even in cases where they are not adding enormous concrete value, people perceive a greater sense of security because of their presence. Bacon has used technology to reduce some of those guard costs, integrating access control, CCTV and digital video systems to monitor sites remotely.

Automation of tasks such as software patching can also produce tremendous cost savings. When the Blaster worm started making its rounds, the security team at Willis had to manually patch the software on many of its machines, as well as get on the phone to offices around the world to walk them through the patching process. It was a successful effort, but Burnette estimates that the task took his team the equivalent of about 200 workdays to accomplish. It clarified the importance of automating patching, as well as other rote tasks that sap his organization's time and funding.

Deputizing individuals in other business units to act as ad hoc security personnel is another effective strategy that CSOs use to expand their security staff without stretching their budgets. At PPG, Becker uses the human resources and health and safety individuals at some remote locations as his onsite security people. "If you can increase the amount of time someone spends on security by 5 percent, that's a free-to-me cost savings," he says. Bacon does the same thing by treating security as a team sport and relying on multiple business units to complete a project. "They don't work for us, and we don't work for them," he says. "But we use four to five business lines to complete a project, another reason that our funding efforts are successful." When Bacon makes a presentation, it's not just his name on the bottom line; it's a team effort.

CSOs need to be able to speak the business language; they should make their security decisions based on the business fundamentals of risk and ROI. Nowhere is that more important than in the budgeting process, where CSOs need to be able to weigh cuts and expenditures with the clear-eyed steadiness of a CFO. "Typically, the average life of a CSO at a company is something like 18 months," says Allison. "During the first six months, they ask for the moon, and by the last six months they probably don't get anything. That's not a casual effect," she adds. "It points to the lack of business skills needed to get the budget through."

CSOs who learn to marry an intelligent evaluation of where to cut with some of the softer business skills and techniques needed to make a compelling case for funding are destined to be the real players within their companies.

Copyright © 2003 IDG Communications, Inc.
