Eric Cowperthwaite on why IT security often falls short of what it wants to achieve.

Here at CSOonline, we've been taking a hard look at what often seems to be the great divide between business leadership and IT security, and at how security teams are often out of step, and out of touch, with the rest of the business. Some of the recent coverage includes "Cut the Security Jargon," "The Business/Security Disconnect that Won't Die" and this week's "Are You an IT Security Leader, Really?"

For ideas on how IT security pros might close the communication gap with business leaders, we turned to Eric Cowperthwaite, chief information security officer of Renton, Washington-based Providence Health & Services. With 28 hospitals, Providence has more than 50,000 employees in Washington, Oregon, California, Alaska and Montana. Cowperthwaite has more than 25 years of experience in security and risk management in both military and civilian organizations. He also knows something about what it's like to be found in violation of security regulations and what it takes to fix it.

CSO: A lot of organizations are pulling back on their security spending, and the reason for the cuts is often said to be the economy. Do you think they're cutting security specifically, or are the cuts a reflection of fewer IT deployments, so that IT security is shrinking because the overall IT spend is shrinking?

Eric Cowperthwaite: I think that overall IT investments are flat to down in many organizations. I would also argue that for a decade IT security has been given carte blanche increases in its budgets. And when the financial meltdown hit, COOs and CFOs looked at that IT security spending and said, "You know what? All the rest of our business has to live within a budget that makes sense, and they have to demonstrate value. How about if you did the same?" Also, many IT groups within businesses have had to take across-the-board hits, and so did IT security, for the first time in a decade.

Many IT security managers whined about the cuts and think they are unnecessary, and possibly downright dangerous. I think they are clearly on the wrong side of the argument and reacting in the wrong way.

CSO: Some CSOs say that IT security has been underfunded long-term, and that the increases in spending were, or still are, needed to catch up to where they need to be. With that argument in mind, how do you think they should be reacting?

Cowperthwaite: They should be reacting by saying, "I agree. I need to take a five percent cut just like the rest of the company and still figure out how to do my job just as well as I did it yesterday, if not even better." The heads of various business units are not saying, "Hey, sorry boss, I can't cut my budget. I don't care if revenue fell." The fact is that the days of just throwing money at the security problem are over, which I think is a good thing, because just throwing tech at the problem hasn't worked. More broadly, however, during the decade of almost unlimited expansion of security budgets, we also had 10 years of promoting people into information security leadership positions who weren't groomed as business leaders. That creates an entirely different gap from the budget.

CSO: What do you see as some of the more common business leadership skills that are lacking among security managers?

Cowperthwaite: Management abilities, communication skills and the ability to continuously improve efficiency and effectiveness. Too many security folks today view improving their effectiveness as buying another tool or hiring another person. However, it's the generals who are always complaining that they don't have enough who typically get fired.

The thing you've got to do is help the business leaders understand IT risks and how they can be better managed, and demonstrate the value they provide. Those who have trouble doing this should look at those who successfully lead corporate information security programs and ask why they're successful. Why is it that some CISOs get access to the board of directors and others do not? Don't say it's because the company doesn't care about security, because I guarantee your CEO does care about information security.

CSO: Many security professionals contend that business leaders don't understand security, and that they can't get executives to pay attention to the risks.

Cowperthwaite: It's the security pro's job to help business leaders understand the risks and how IT security can mitigate risk and protect the business. But most security pros are too technical. And I have a feeling SQL injection and man-in-the-middle attacks shouldn't be a part of the presentation. However, if you can't demonstrate the risks to the business, then maybe you shouldn't be in that role. They don't want to hear about the technical details. They expect you to know about those things and talk to your technical folks about those things.

They want to hear from you about how preventing malicious access is an issue that they need to deal with. They want to hear how you can actually reduce the operating expense of the company related to security incidents by doing X, Y and Z. Remember, a security incident hits operating expenses and it's unplanned, which means that it comes directly out of net operating income. If you have a security incident happen, that is almost certainly going to impact your quarterly earnings statement, and your CFO very much cares about that. So if you can show your CFO that last quarter these are the security events that happened, here's how much they cost, and they were a hit to net operating income, you'll have their attention.

They also will then be more willing to hear about things you are doing to reduce the costs of such breaches in the future. And if you do need more tools or organizational changes to get it done, you've just made a strong business case. Your CFO and management are going to listen to these arguments. Also, when possible, show how any efficiencies could be replicated through other divisions. That's the way to communicate with people in business. Not: "Hey, we need to put in Data Loss Prevention because the federal government says that we have to encrypt all Social Security numbers." There are a bazillion parts of the company that have to do things because of regulations. So what? Go do it. Why are you telling me about it? Why do I care?

And if the business executives really don't care about security, maybe it's not their fault. Maybe IT security needs to do its job of communicating risk to them more clearly and effectively.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.