Infosecurity was, is and always will be the bottom-feeder of the IT food chain. For some of you, this is a hard pill to swallow. For others, it's stating the obvious. Either way, it's a myth that IT security is flush with cash.
Yes, security budgets are growing in roughly half of the organizations surveyed by Information Security (see "2003: Another Year of Belt-Tightening"). But overall growth is negligible. Many organizations are earmarking a few dollars for one-time projects, but very few are spending broadly on infrastructure security.
To put it bluntly, we don't think like the CFO does, and he's the one controlling the purse strings.
Clearly, the economy plays a big part in this. No company is spending a dime more than it absolutely has to. But the security mind-set is also to blame. To put it bluntly, we don't think like the CFO does, and he's the one controlling the purse strings.
Experts tell us that the best way to get funding for security--especially during tight times--is to demonstrate return on investment. But calculating ROI for security is difficult, particularly when the return is the partial mitigation of risk that might have happened if the investment hadn't been made.
Your CFO doesn't want to hear about partial ROI or the difficulties in proving a negative. For him, all decisions boil down to this: How do we make more, or how do we spend less?
Framing security in these terms is difficult, but not impossible. Here are three simple ways to conceptualize budget requests in a way the CFO will appreciate:
How does it reduce cost? Here the goal is to demonstrate how spending a dime will save you a dollar. Reduced cost, in this sense, isn't only a reduction in annual loss expectancy. It also includes things like reduced staffing, administration and overhead. For example, if you want to outsource your firewall management to a MSSP, demonstrate how it will enable you to rededicate a FTE to a previously unmet need--like helping the development group test custom apps for vulnerabilities.
How does it reduce risk? Your CFO doesn't care about ironclad security. He cares about "good enough" security--good enough to safeguard the company's reputation, protect customer and shareholder interests and avoid corporate liability. All security budget requests are about reducing risk, but you'll be more successful if you can demonstrate a one-to-one relationship between a budget request and risk reduction to one of these key areas.
- How does it simplify things? In the CFO's mind, simplicity equates to cost efficiency. For example, demonstrate how buying a security knowledge management system could cut down on the administrative costs of managing alerts from multiple IDS sensors.
These tips won't get you every dollar you want. But by thinking like the CFO, you're much more likely to get the funding you really need.
About the author:
Andrew Briney is editor-in-chief of Information Security magazine.