Security Budgets: Money Well Spent

Except for the bone-crushing hits and the chop blocks, security isn’t all that different from professional football. Really. Compare, for instance, your security budget with the annual salaries of professional football players. You’ll find that both are based on tangible and intangible valuations. The salary paid to an NFL player is based largely on the stats of his gridiron performance—the number of sacks, rushing yards or touchdowns—and it will determine whether he can afford to buy The Hummer or will have to cheap out on a Land Rover Discovery. But there are other, softer factors reflected within all those zeros, like the player’s marquee value, the number of kids who want to wear his jersey, and his leadership on and off the field.

Similarly, the security budget outlines the basics of how much staff the CSO can afford, the system upgrades that he can make and the new technologies that he can invest in. But it also takes into consideration some squishier facts about the security organization—its perceived value within the corporation and the respect accorded to the CSO and his abilities.

The big difference? In NFL contract disputes, when players say it’s not about the money, it’s usually about the money. When they say that it is about the money, it’s really about respect. But for CSOs trying to eke every penny out of their security budgets, it’s about both.

For many CSOs, their departments’ cost-center status is not just an accounting designation, it’s a state of mind. The good news is that the CSO is no longer the corporation’s poor relation. Many say that their budgets have increased—even in some cases where funding for their business counterparts remained flat. Research findings confirm those anecdotal reports. In a worldwide study conducted by CIO (CSO’s sister publication) and PricewaterhouseCoopers released in October of this year (see “The State of IT Security 2003,” October), approximately 7,500 CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security were polled on their security spending habits. When asked to compare their 2003 security budgets with 2002, 45 percent of the survey’s respondents indicated that their budgets would increase a little, with 17 percent claiming that the increase would be significant. Only 8 percent of respondents said that their budgets would decrease.

It turns out that increasing funding is not just a wish or a goal for the CSO, it’s a strategic initiative. A full 30 percent of respondents reported that one of their top strategic objectives is to expand that budget even more. When respondents were asked what factors presented a barrier to good security measures at their organizations, a limited budget far outweighed any other response.

But the reality for CSOs is that no matter the size of the security budget, it never seems adequate when weighed against the growing risks and responsibilities they need to tackle. “Is it enough?” asks Greg Avesian, vice president of enterprise infrastructure and security for Textron, where the security budget increased this year. “It’s never enough. I have to make the most efficient use of those valuable dollars.”

We asked CSOs to share with us their strategies for making the most of their security budgets, and we gleaned their advice on the best, and worst, areas to make cuts.1 Be the Chief Self-Esteem Officer Think of it as taking a Stuart Smalley moment. Recalling the Saturday Night Live therapist who began each skit with his daily affirmation, CSOs are good enough, smart enough and, doggone it, people like them. So have the confidence in your own judgment, and push back for funding when it’s necessary.

To many, CSOs are the guys who step in at the last minute and delay business-critical projects by adding expensive controls of which only they can see the value. Many suspect that their peers have internalized those perceptions, affecting their ability to push through the funding for necessary initiatives.

And because they often have military and law enforcement backgrounds, CSOs also tend to be individuals who have a great deal of respect for authority, says Marene Allison, director of global security for Avaya. “In many situations, the security person is used to being compliant, and I sometimes think we need to learn to be a little more aggressive, to toot our own horns a bit more,” she says. That doesn’t mean getting in the face of every executive who disagrees with you. “You don’t want it known that the security director took down some executive over business continuity planning,” she cautions, but CSOs have to be more forceful about pushing back on important budget issues instead of taking “no” as the last word.

Regis Becker, global director of security and compliance for PPG Industries and former president and chairman of ASIS International, was actually reprimanded early in his PPG career for being too compliant. “I have a law enforcement background, and I was told that I had an almost unhealthy respect for hierarchy,” he says. Becker’s manager at that time told him that he was too deferential to the chain of command and suggested that if he had a funding request he felt was critical, he should take it straight to the CEO and dispense with the often fruitless process of bouncing the initiative off a succession of underlings.

On the flip side, CSOs as a group can also be prone to overreaction. Post-9/11, some CSOs took advantage of the loosened security purse-strings. “A lot of folks don’t take the process seriously enough. They’re too quick to judge,” says Michael Bacon, vice president and corporate security manager at Wells Fargo. Bacon notes that after 9/11, his team didn’t run straight to management clamoring for more funding; instead, he put management on notice. “We said, ‘We will be coming to you, but first we’re going to do a thorough assessment of our needs.’ We focused on quality versus speed.” The only people who usually benefit from a knee-jerk emotional reaction to a security event are the vendors. Remember: When pursuing budget dollars, CSOs need to be calm, deliberate and forceful.2 Don’t Pass the Buck, Pass the Check Another strategy for cost savings is to look at exactly what is included in the budget. Are there projects and programs that shouldn’t be there? “Security organizations often pay for big corporate programs that should be moved into a business unit’s budget,” says Bacon. At Wells Fargo, the security group looks for opportunities to farm those expenditures back out to the business units. They are, after all, the beneficiaries of many of these security programsthey just don’t realize it yet. This is often due to a poor sales job on the part of the security team. CSOs must do the legwork of selling business units on the benefits of new security technologies and programs, and that can be hard for an organization that tends to be autocratic with its peers. When successful, however, it’s an effort that quite literally pays for itself.

Bacon finds that an effective technique for getting the business side to pay for a security initiative is to take his argument to finance before trying to sell it to the individual business unit. “For CFOs, consistency is king,” says Bacon, who notes that once you get the financial folks to sign on to the notion that a business unit should pay for its security initiatives, it becomes much easier to float that idea in the future. It’s also much easier to then sell the cost of the program to the business unit with the CFO’s seal of approval.

That strategy requires a particular delicacy, especially in companies where the security budget has increased but where budgets for operating units have remained flat. Bacon expects a 15 percent to 20 percent increase in his budget for security equipment, although the corporate stance is flat on business unit budgets and staffing across the board. That, he says, places an even greater pressure on security to justify the dollars it gets while asking business units to invest in security as well. 3 Practice Pavlovian Security CSOs can save themselves considerable security budget wrangling when they lean on policies, procedures and behavior modification techniques instead of expensive technology solutions. “Nine times out of 10, policy changes are more valuable than a financial expenditure,” says Bacon. Instead of hiring guards and putting in an expensive card access control program, try locking a door or putting up a wall. If policy changes are your weapon of choice, work with HR to put in consistent penalties for the petty but pernicious offenses of letting unauthorized people through access controlled doors or propping a door open with a trash can.

Paul Viollis, a 22-year veteran of law enforcement and security and author of Jane’s Workplace Security Handbook (Jane’s Information Group, 2002), postulates that the greatest “technology” available to the security organization is one that is inexpensive yet generally ignoredthe power of corporate culture in achieving good security. “The most cost-effective way for any organization to allocate resources to security is to reengineer the culture of the company,” says Viollis. “Training employees to be aware of security risks and how to handle them is far more effective than throwing money at a security front that isn’t properly enforced.”

And training doesn’t have to be expensive. At Textron, Avesian’s team created and launched an internal website devoted to security awarenessThe Textron Information Security intranet. The site’s content is focused on the employee and contains security policy dos and don’ts. Avesian’s barometer for what to put on the site was based on a simple question: “If I had only so much time to spend with each employee, what would I want them to them to take away from the conversation?” The result is a synopsis of the corporate security policies and guidelines that appears in seven languages on the site so that offices across the world can access them, as well as disaster recovery templates, frequently asked security questions, and security tips and tricks (such as a guide to creating secure passwords).

As a general rule, spending a little money up front to enforce a policy is usually cheaper than brazening out the potential long-term financial risks of doing nothing. Investing in enforcement mechanisms such as CCTV cameras at doors, for example, can help access control problems, will be cheaper than hiring guards and might even negate the potential financial liability that could be incurred if lax access control ever led to a serious security incident. When Mark Burnette first joined Willis Group as the global information security officer, he found that the company had plenty of good security policies but was lacking the necessary enforcement. “You can write a fantastic policy,” he says, “but it only works if you enforce it and audit it.” He updated the company’s password policy to require more secure passwords, but the operating system at the time didn’t provide any way to technically enforce it. Setting a secure password policy with no enforcement mechanism would have been pointless, so Burnette installed an add-on system component that would allow them to enforce it. 4 Become a Fast Follower Security is one area where there is no prize for first place. That’s especially true when CSOs waste their budgets on new technologies that aren’t quite ready for prime time. Being the first CSO to implement a brand-new technology might earn you the envy of your peers, but it probably won’t get you the admiration of your CFO.

CSOs trying to stretch budgets should leave the technology heroics to others. Which doesn’t mean you have to lead a new Luddite movement. At PPG, Becker lets other companies be the technology guinea pigs. “We like to think of our ourselves as fast followers,” he says. “We don’t jump in too early with most technologies; in fact, it’s rare that we’re ever a technology leader.” Becker prefers to wait until the kinks have been worked out, after others have learned the hard lessons. Then he benefits from their experience when he feels the technology is ready. “I would never be comfortable pitching a biometrics application,” he says by way of example. “We go with the sound, long-term, successful optionsin this case, closed-circuit TV and access control.” That might sound a little dull, but it’s certainly preferable to the excitement of having to explain to the board of directors why the expensive biometrics application you purchased last year didn’t work out.

Free network scanning tools and open-source software can be tempting ways to increase security for CSOs who are looking to cut back expenses. Steve Katz, former CISO with Citigroup and Merrill Lynch, and current president of Security Risk Solutions, says that tight budgeting has led more than a few CSOs to turn to “free” tools. But he cautions security execs from blindly falling prey to their lure. “You’d better really know what’s going on in that thing, and you’d better use a good code analysis tool,” says Katz. “When you use tools like that, you may end up sleeping like a baby,” he says sarcastically. “You get up every two hours and cry.” 5 Communicate Early and Often CSOs may be good at talking with their teams, but when it comes to their executive peers, they’re typically not as skilled. That only makes the task of budget planning harder because poor communication means that the security team doesn’t know what business units have in the works and which projects will require security attention and expenditure in the coming year. “The security guys are often out of touch,” notes Whit Diffie, CSO of Sun Microsystems. “In the long run, cost savings are going to be a function of better communication.”

At Willis, one of the effective techniques Burnette has found for making sure that security is brought into the loop is the power of choice. Interaction with security is much more appealing for businesspeople when they have some control over what kind of security controls are going to be put in. Business units used to come to Burnette’s security group with their projects nearing completion and ask for the cheapest solution possible. But now they come to security much earlier. Burnette lays out options for them in all price ranges. “We can put in this security, which is the Cadillac, or we can put in the Corvette or the Pinto version,” he says. “I lay out the options, the cost and the risk and let business make an informed decisionand you know, they never choose the Pinto.”

Most CSOs know by now that they have to be able to speak in business lingo in order to be successful, but budget issues are an area where this can be especially helpful. “We try to put [security] in business terms, and we outline it as we would any other cost benefit,” Burnette says. “You have to think like they think, prove it, explain the risks, benefits and payback, and explain how it benefits their business bottom-line.” Security doesn’t have to make moneymost of the time it’ll be a cost. But when making a request for funding, CSOs are often afraid to actually talk about money. They are in their element talking about the technology, but after business execs hear the words “robust and scalable” for the third time, their eyes glaze over and they’re thinking about how they shanked the ball on the 14th hole. Instead, talk about the financial benefits of the investment you’d like business to make. An improved access control system can be tied to a reduction in theft losses at a facility, and an upgraded firewall can be translated into improved network uptime and a drop off in nuisance viruses. 6 Believe in Vendors OK. So, right now you’re raising a single eyebrowmaybe bothand asking “When has a security vendor ever saved me money?” Probably never, we know, because most CSOs treat vendors like an opposing combatant in battle who just happened to end up in the same trench. But, if you turn those arm’s-length relationships into strategic partnerships, you can squeeze a much greater benefit out of the money you’re already paying them and offload security tasks that you don’t have the budget to do in-house.

Try challenging your vendors to deliver more value for the exorbitant prices you’re paying. “Push as much as you can onto vendors, and use their resources as an extension of your programs,” suggests Bacon.

Avesian has formed strong relationships with his third-party providers, AT&T and IBM, and calls it a “real” partnership, as opposed to the kind that you hear about in a press release or advertisement. Representatives from IBM and AT&T are members of Avesian’s security leadership team, and he goes to them for just about everything security-related, whether or not it falls within the delineation of their contract. He’s had IBM host a disaster recovery workshop at Textron, runs security policies by them and has visited their security operations facility in Boulder, Colo., to see new technologies and further his own security education.

But as everyone knows, security vendors can also be indifferent partners to say the least. CSOs can sometimes save money and achieve a higher quality of service if they are able to redeploy their own internal resources to accomplish a task. At PPG Industries, Becker has been frustrated with the level of reliability and service of their access control vendor and is examining strategies in that area and others to eliminate service agreements and bring some functions back in-house. “It’s tough to get attention when there are just a few big players in the market,” complains Becker. PPG is already successfully relying on its technical staff in its R&D business centers to do more and more of the general security tech support. 7 Use People, in a Good Way When budgets tighten, the security organization’s staff often falls under the scrutiny of business leaders eager to cut costs. While CSOs hate to lose their employees, the justification has to be there for each person on the payroll. At Avaya, Allison looks for ways to get value out of every member of her team. “There’s a tendency to cut back on staff, and they really are the biggest investment that you have,” she says. As in any industry, the younger employee is cheaper, but in security, youth is no match for experience. “I may have a young investigator and an old investigator, but the older guy can get that confession on the table,” says Allison. Instead of teaching old dogs new tricks, Allison’s strategy is to let the old dogs and the young dogs run together and learn from each other.

The importance of keeping skilled employees over cheaper, inexperienced labor is seconded by Stephen Baker, vice president and manager of corporate security at State Street Corp. “I would rather pay more money and have less officers than have a whole bunch of officers that don’t know what they’re doing,” he says. “I want the ex-military guy that knows when to ask questions, and I think that’s a lot more valuable than a high school student on a learning curve.”

One area that most CSO agree is ripe for finding cost savings is in guard contracts. “Everybody spends millions on guards whose contracts must be continually reassessed,” says Bacon. That’s challenging because, as he points out, guards become “an emotional fixture.” Even in cases where they are not adding enormous concrete value, people perceive a greater sense of security because of their presence. Bacon has used technology to reduce some of those guard costs with the integration of access control, CCTV and digital video systems to remotely monitor sites.

Automation of tasks such as patching software can also produce tremendous cost savings. When the Blaster worm started making its rounds, the security team at Willis had to manually patch the software on many of its machines as well as get on the phone to offices around the world to walk them through the patching process. It was a successful effort, but Burnette estimates that the task took his team the equivalent of about 200 workdays to accomplish. It clarified the importance of automating patching as well as other rote tasks that zap his organization’s time and funding.

Deputizing individuals in other business units to act as ad hoc security personnel is another effective strategy that CSOs use to expand their security staff without stretching their budgets. At PPG, Becker utilizes the human resources and health and safety individuals at some remote locations as his onsite security people. “If you can increase the amount of time someone spends on security by 5 percentthat’s a free-to-me cost savings,” he says. Bacon does the same thing by treating security as a team sport and relying on multiple business units to complete a project. “They don’t work for us, and we don’t work for them,” he says. “But we use four to five business lines to complete a projectanother reason that our funding efforts are successful.” When Bacon makes a presentation, it’s not just his name on the bottom line, it’s a team effort.

CSOs need to be able to speak the business language; they should make their security decisions based on the business fundamentals of risk and ROI. Nowhere is that more important than in the budgeting process, where CSOs need to be able to weigh cuts and expenditures with the clear-eyed steadiness of a CFO. “Typically, the average life of a CSO at a company is something like 18 months,” says Allison. “During the first six months, they ask for the moon, and by the last six months they probably don’t get anything. That’s not a casual effect,” she adds. “It points to the lack of business skills needed to get the budget through.”

CSOs who learn to marry an intelligent evaluation of where to cut with some of the softer business skills and techniques needed to make a compelling case for funding are destined to be the real players within their companies.