Roundtable participants:
Bill Boni, Chief Information Security Officer, Motorola
Bryan Palma, Chief Information Security Officer, PepsiCo
Thomas Madden, Chief Information Security Officer, Centers for Disease Control and Prevention
Warren Axelrod, Director, Global Information Security, Pershing LLC
INFORMATION SECURITY MAGAZINE (ISM): Lack of security budget is often cited as an obstacle to effective IT security. Is this a reality, or are we just not spending money on the right things?
PALMA: I think some people have the wrong mind-set. Whenever you position security as a silo--a specific technology or product solution--it's very difficult to increase overall funding. Regardless of what your business is, you have to make a direct connection between information security and the business needs.
BONI: I agree, and one of the reasons that mind-set is so common is that security is often characterized in binary terms: "I need to be absolutely sure I've eliminated X risk." But security isn't an absolute. It's about defining acceptable levels of risk to your business so you're able to justify spending accordingly.
MADDEN: One of the problems with getting budget for cybersecurity is assigning metrics. Management likes to understand what they're getting for their buck. I've had a great deal of difficulty demonstrating what we get from a "metrics perspective" when I buy, say, a $100,000 firewall. I can show them the threat, and I can show them the vulnerability, and I can show them what's happened to companies that haven't addressed the risk. But as far as it being a true metric, I don't know how to do that.
ISM: This is an important point. Lately, we've heard a lot about "return on security investment." ROI is used in a lot of other areas in business to qualify and explain expenditures. Yet some would argue that security is more like air conditioning, and we don't try to calculate ROI on air conditioning...
AXELROD: ROI is meaningful on a relative basis, but not on an absolute basis. Security should be held to a "pseudo-ROI" because the intangible benefits are much more difficult to measure than the costs. ROI should be used to prioritize activities and projects, and to assign budget to them.
BONI: ROI-type analysis is useful for identifying or justifying incremental investment or spending on new risk areas. But it's only useful once you've reached a basic level of hygiene. Additional spending requests should be made using a business case analysis that outlines a positive ROI.
ISM: Should a CISO be responsible for approving an organization's infosecurity budget? Or should somebody else, like the CIO?
PALMA: It's very important that the CISO has some autonomy from the CIO. CISOs should have the latitude to approve budgets and work on projects they perceive as critical to the company's information security.
MADDEN: If you're going to hold someone accountable for security, he's got to have his hands on the purse strings. It's very hard to say, 'You're responsible for this, but we're not giving you any budget authority.'
ISM: But that's easier said than done. How can CISOs convince the check-signers in the organization to give them budget authority?
MADDEN: You have to have the right leadership structure to be effective. If you don't, you don't have much chance for success. Until recently, I worked at a Department of Energy weapons production facility, where security is baked into every process. Now, maybe they take security a little more seriously than at a commercial enterprise. But I had the authority to, in essence, veto a business process that the CIO wanted until it met our security requirements. If the CIO felt strongly enough that his business case superseded my security case, then the senior manager at the site would step in and arbitrate. In any case, security was separate from the CIO, and I think that's important.
ISM: We're now 18 months removed from 9/11. In retrospect, what impact did 9/11 have on security budgets?
AXELROD: Well, it depends what you include in the security budget. In many organizations, areas such as physical security, business continuity, disaster recovery and human security are separate from the information security budget. Those departments have security and security spending embedded in their projects. So, the actual centralized corporate information security budget isn't a large item, because we're performing more of a policy coordination and communication function. In terms of 9/11 itself, the impact on financial services was that there was a much greater focus on business continuity and disaster recovery, which is ongoing. And so money in those areas went up considerably.
ISM: That brings up an important question: Should business continuity and disaster recovery be integrated with or separated from IT security?
PALMA: Digital risk management spans the entire company, from the legal division to human resources. It touches everyone in today's environment. So I think you've got to come at this issue from a cross-functional perspective, and that includes cross-functional funding and strong cooperation in the enterprise among security, business continuity planning, disaster recovery, legal, etc.
BONI: One of the things I've always found is that business continuity and disaster recovery are absolutely essential in helping to identify and prioritize the company's most valuable assets. In terms of "selling" security, it's always easier to talk to management about the risk of fire, flood, civil unrest and, now, physical terrorism. Even a manager who has no experience in IT understands those issues.
MADDEN: No part of security can stand alone. I sense that disaster recovery, physical security, information security, operation security, personnel security--they all have to be constantly talking to each other.
ISM: How do you make sure that you don't have budget or responsibility overlap in those areas?
MADDEN: You may, in fact, have budget overlap. Again, this is where communication comes into play. Let's say I have a system where I would need $10,000 to install some form of access control, or I can get my physical security counterparts to install four floor-to-ceiling walls and a door for $1,000. I'd be foolish to spend the $10,000. This is where you have to talk to the physical security guys to make sure you're not going at cross-purposes. These decisions should be made on the basis of, "How much does it cost and what do we get for the money?"
It's extremely important to get the organization's sponsors--particularly in the business units--on board in the budget decision-making process. If they're involved from the start, they'll support security going forward.
Warren Axelrod, Director, Global Information Security, Pershing LLC
BONI: When you start talking about convergence of these functions, the challenge is to make sure it doesn't turn into a turf war. You have to recognize the opportunity for significant gains in efficiency, effectiveness and cost reductions. Those kinds of convergence projects are going to lead to closer alignment--and in some cases, perhaps full-on assimilation into a common corporate risk management entity.
AXELROD: I think information security can provide a supportive and a sponsoring role to physical security, DR and so on. The skills and knowledge required in each area are very different. But as physical and human resources security become more integrated on a technology platform, there has to be increased overlap and much more cooperation between the different functions.
ISM: The organizations represented on this roundtable--Pepsi, Motorola, Pershing, CDC--already "get" security. What budgeting tips can you give to readers who work at companies that don't get it?
PALMA: It's very simple. You have to understand the business you're in, and you've got to appeal to the people who make business decisions within your organization. You have to show a legitimate business case for the security measures you're looking to implement, and how these measures are long-term investments for the organization.
BONI: I've been in what some of my friends call the "protection racket" for 25 years in various organizations. The key to security budgeting is this: Figure out what matters for the project or program in question. Is it availability of information? Confidentiality? Integrity? Take the answer to that question and couch your budget request in terms of how it will benefit the organization's specific objectives. If you speak to people about confidentiality as your lead element and the real issue they care about is availability, you're starting a losing conversation. So understand the culture, the priorities and the business.
AXELROD: We have an enterprise security committee, which consists of information security, technology and the business units. This committee discusses what our priorities should be in terms of the organization as a whole. Some projects, you have to do. For instance, we're in the financial services industry, which is highly regulated. If a regulator says, "This is what you will do," you do it, no matter what the cost or effort. But other projects are more discretionary, so there's a basis for discussion.
BONI: Another technique is benchmarking, because management always has an interest in data. If a competitor of yours is doing "X," and you're not, you can point to the opportunity cost and also raise the liability flag. You can say, "Even if we're OK now, if something does happen and our competitors and peer organizations have been doing things that we haven't, we may be subject to some sort of liability decision by a jury or by regulatory authority."
MADDEN: My tip would be this: Do your homework. Go out there, find examples on the Web where companies didn't put protections in place and suffered demonstrable loss. Then, when you go to your manager or your board, you can say, "Here are our circumstances, here is the information we're trying to protect, and here is a company that has the same kind of information and didn't protect it, and here's what happened." That's a real eye-opener in the absence of specific metrics or benchmarks in your organization.
AXELROD: The way we deal with benchmarking is to get a third party to come in and conduct an enterprise security assessment. Since they're looking at many organizations, they have a baseline, and we use that as a way of measuring how we are performing against industry practices. You can never be sure what that level should be unless you have an objective measure.
ISM: Does a third-party assessment carry more weight than an in-house assessment?
MADDEN: We have an independent organization perform penetration testing, review our policies and procedures and examine our vulnerabilities inside and out. I have to tell you, it's a mixed blessing. On the one hand, you like to think you're doing a pretty good job yourself, and you hate other people coming in and pointing out where you haven't done a good job. On the other hand, if you look at it objectively, they're only going to show you one of three answers: One, your program is running exactly how you think it is. Two, it's running better than you think it is. Or three, it's running worse than you think it is, and that's when you need to wake up and pay attention.
BONI: I've been on both sides of the issue. I can tell you that there are some highly professional, highly competent organizations that do this, and if you get the right team and present the results the right way, it can be an excellent exercise. But if you contract with an organization that's less reputable, it can be a problem. Also, some consultants are more interested in proving they're smart than doing a professional job. They might identify follow-on work that's not fully warranted. The point is, you have to go into these exercises with your eyes open so you don't get sandbagged.
ISM: Infosec is really in a no-win situation with funding. The common mantra is that the only way you get the budget you want is to suffer some type of breach first. Can you give our readers tips on how to motivate spending to an adequate level without having to suffer that breach first?
MADDEN: I have three words for you: Wen Ho Lee. Before then, it was very, very difficult to convince anyone that there was a real threat out there. After that, it was open checkbook time.
BONI: A lot of senior management has an unrealistic sense of what's a real threat and what's a real risk. In most cases, executives really don't have a basis for their cavalier dismissal of the business case that's presented by security professionals. The folks who are on the front line are actually the ones who are managing the risk. They have a much better appreciation of that. The challenge is to translate the practitioner's knowledge into a business language that's compelling enough, and credible enough, that the executive acknowledges that the threats and risks are real.
ISM: One artifact of tight economic times is that it increases your leverage with security vendors. You can put more pressure on them in terms of prices and licensing fees. How has product or service contract negotiation changed over the past 18 months?
PALMA: The information security marketplace is struggling, so, yes, there's more leverage. Vendors are looking to make deals so they don't perish. But it's still very important to be a savvy consumer. You still need to do your due diligence. Find out who the top vendors are in a particular area, and get them to come in with proposals. Comparison shop until you get the level of service or the product you need. Because if you don't, if you take a path of least resistance, that's what you're going to get--an inferior product or service.
BONI: One of the single biggest expenses in business is the cost of sales. Typically, if you already have a relationship with a quality vendor, and you're dealing with the renegotiations of a contract, that vendor is going to be willing to negotiate to close the deal. They're willing to give up some increment of their bonus stream or increased revenues to sustain the base. It's a lot cheaper to do that in the long run than to try to replace major accounts that were lost because of inflexibility.
AXELROD: It's not always the case that you should go with the lowest bidder. In the security marketplace today, the critical factor is whether the vendor will stay in business. There have been several highly publicized cases where providers, particularly managed security service providers, have gone out of business and abandoned their customers. I think the cost of that is much greater than any savings that could have been achieved by squeezing them. If enough people squeeze the vendor, they will go out of business.
ISM: So, what do you do by way of due diligence to ensure that a vendor you're working with will be around in a year?
BONI: We'll talk to other customers and then look at the financials. We have a member of our finance team evaluate them as part of the process. It's not foolproof, but it's a heck of a lot better than just looking across the table at the sales rep and saying, "This is cool stuff. Give me a good price, and we're done."
ISM: Tom, by the time this article prints, you will have made a job change from the Department of Energy to the Centers for Disease Control and Prevention. As the first-ever CISO of the CDC, what are your first priorities in terms of security budget?
MADDEN: The budget discussion actually took place during the interview stage. They made some budget commitments to me, and they're pretty good commitments. They talked about a significant percentage of the IT budget going toward security. The first thing I want to do is assess where the program is and then go from there. And I don't intend to do that fast.
ISM: When you were interviewing for this position, was the organization's financial commitment to security a significant point of discussion?
MADDEN: Yes, we talked a lot about budget. We talked about organizational structure in terms of FTEs, hours that I can apply to the job and what percentage of the IT budget they were willing to commit.
ISM: If you could give security managers only one critical budgeting tip, what would it be?
AXELROD: Don't use scare tactics. Lots of media stories or hacking statistics can be used to make people nervous, but if you do that to get your budget numbers and nothing happens, you lose your credibility real fast.
PALMA: I would say, understand what your business does and what information is important to your business. Then find allies who are close to that portion of the business, and get them to back your proposal.
MADDEN: Management must be made aware of the risks they're accepting. Once they're comfortable with their risk level, their spending is where it needs to be. If they're accepting more risk than they want to accept, they have to buy down that risk.
BONI: If you don't have business-type training, get it, either through continuing education, your mentor, working with your finance and accounting folks, whatever. This will greatly help when you need to be convincing on budget procurement.
About the author:
Andrew Briney is editor-in-chief of Information Security.
This was first published in March 2003