What is the best way to request an increase in the information security budget within my organization? Our executives see information security primarily as a cost center. I don't want to use scare tactics (breach figures), but capitalizing on FUD seems like the most effective strategy. Is there a better approach?
Ask the Expert!
Got a vexing question for information security management expert Joseph Granneman? Ask your enterprise-specific questions today! (All questions are anonymous.)
Requesting additional funds for information security initiatives can be a daunting task. The technical systems and tools that are required to defend the organization's network are often difficult to explain to executives, who often view security funding as a missed opportunity to invest in revenue-producing activities. Security professionals must learn to understand business as well as information security to bridge this communication gap.
Management often characterizes the information security team as limiting what the business can do with technology. We can all come across as overly paranoid and negative because we live in our own little cybersecurity bubble, separate from core business operations. We can sometimes leverage this paranoia and use fear, uncertainty and doubt (FUD) to convey message to the executive team. However, this tactic has limited usefulness; executives become callused and no longer take future threats seriously. FUD needs to be used sparingly to achieve the security culture that is necessary to survive future cybersecurity threats.
One method I use to integrate an information security budget more closely with business operations is to get involved in process engineering. Companies are always looking for more efficient methods to streamline operations. There are many times that information security can assist in streamlining these processes. I used this technique to justify implementing RFID-based dual-factor authentication, for example. Users can quickly authenticate to multiple systems, which streamlines their processes, and I have dual-factor authentication and inactivity timeouts. Projects like this demonstrate to the executive team that increased security spending can lead to increased efficiencies. The security team gains financial credibility and will likely see further investment in similar projects. Everyone wins.
This was first published in May 2013