by CSO Contributor

Defending Your Budget

Feb 01, 2003
CSO and CISO | Data and Information Security

Q: I am finding that security must be sold to board members in terms of the opportunity cost versus the cost of not doing it. Unfortunately, things need to be communicated with respect to their impact on bottom-line growth these days. Do you have any suggestions on how to communicate security budget needs effectively?

A: The downside costs of not having a stated, sustained IT security program are greater now than ever. Corporate officers are expected to exercise “due care” with respect to protecting the assets of the organization. Information is one of the largest assets that many organizations have. Before convincing the board of directors of the need for security funding, your corporate officers need to be aligned with your proposed strategy.

Have you gone through the exercise of identifying your company’s core systems and data? Once that is identified, place a dollar value on what the cost would be to have this information in the wrong hands (disgruntled employee, ex-employee, data broker, competitor). Focus on the desired end-results and place a value on these items (reputation, revenue growth, retained earnings). This too will factor into understanding how much to spend on security and where to focus your spending. With that information in hand you can begin to craft a reasonable, sustainable security strategy. Draft a three- to five-year security road map that clearly depicts what you plan to do, why you propose doing so and what the risks are of not moving ahead.

Board members understand the concepts around mitigating controls and risk management. Begin to think and speak in those terms. Accountability is of the utmost importance on the mind of board members, C-level officers and auditors. A company without a documented, funded and sustained program around information protection is engaged in risky business.

Q: How do you convince the board not to slash your security budget when you haven’t had any security breaches, and, because of that, they feel like less money can be put toward security?

A: First of all, I applaud you and your team; it seems as though you have found the optimal balance between security and business productivity in your environment. The core function of IT security is to protect the company’s critical data and its information assets. Since total protection is not possible, I suspect that there are chinks in the armor somewhere. All your security tools and programs require refreshing and updates. The core infrastructure team must keep pace with technology so that you can provide the most up-to-date protection to them as well. All of that costs money. I suggest a security scorecard that depicts your core business areas, the security technologies, the awareness programs and the percentage of compliance that each has.

In this time of heightened regulatory and compliance responsibility, most companies find themselves under scrutiny by government agencies, clients or third-party business partners. As you renew contracts, you will find more and more language about your security practices included, plus requests for statements of policy, practice and technology strategy.

Looking ahead, that trend will continue and those groups will seek formal assurance and verifiable proof of your policies and practices while handling their business. The services around hiring a third party to assess and certify your security practice, contracting for a SAS-70 or other security audits are fairly expensive; typically fees start at about $70,000.

Due care and due diligence are in order regardless of the line of business you are in. Finally, I might suggest discussing your concerns with your colleagues in compliance, audit and legal; you might find some interesting perspectives to help build your case.