What is the best way to request an increase in the information security budget within my organization? Our executives see information security primarily as a cost center. I don't want to use scare tactics (breach figures), but capitalizing on FUD seems like the most effective strategy. Is there a better approach?
Ask the Expert!
Got a vexing question for information security management expert Joseph Granneman? Ask your enterprise-specific questions today! (All questions are anonymous.)
Requesting additional funds for information security initiatives can be a daunting task. The technical systems and tools that are required to defend the organization's network are often difficult to explain to executives, who often view security funding as a missed opportunity to invest in revenue-producing activities. Security professionals must learn to understand business as well as information security to bridge this communication gap.
Management often characterizes the information security team as limiting what the business can do with technology. We can all come across as overly paranoid and negative because we live in our own little cybersecurity bubble, separate from core business operations. We can sometimes leverage this paranoia and use fear, uncertainty and doubt (FUD) to convey a message to the executive team. However, this tactic has limited usefulness; executives become callused and no longer take future threats seriously. FUD needs to be used sparingly to achieve the security culture that is necessary to survive future cybersecurity threats.
One method I use to integrate an information security budget more closely with business operations is to get involved in process engineering. Companies are always looking for more efficient methods to streamline operations. There are many times that information security can assist in streamlining these processes. I used this technique to justify implementing RFID-based dual-factor authentication, for example. Users can quickly authenticate to multiple systems, which streamlines their processes, and I have dual-factor authentication and inactivity timeouts. Projects like this demonstrate to the executive team that increased security spending can lead to increased efficiencies. The security team gains financial credibility and will likely see further investment in similar projects. Everyone wins.